Sticky Roles Removal for inactive accounts

Hi team,

We are facing a challenge related to the nature of Roles being “sticky assignments” to the identity.

We are currently using Roles for Access Requests. The decision to use Roles was made since we are using the “Service Catalog” integration and we wanted to avoid having two different tabs for both Roles and Access Profiles.

Another team runs a dormancy process that disables accounts inactive for 90 days and deletes them after an additional 90 days. These accounts are not limited to inactive or leaver identities, which complicates identifying the relevant identities to remove requested roles from. An active identity, which hasn’t used a specific account for 180 days, could still have their account deleted.

We are looking for options to automate the removal of roles that were requested for these accounts before they are deleted to avoid the account being recreated in the source.

Hi @MeKhalbi ,
This issue is quite common; you can use ISC workflows, triggered by detecting an LCS change, to remove roles/entitlements.

Hi @gourab, thanks for your response. I did go through some posts around this same issue, but all the resolution options are limited to the leavers use case. What about the active identities that may have their inactive account deleted?

Hi @MeKhalbi ,
Those values should come from the target system itself. For example, if you have Active Directory, attributes like ‘Last-Logon’ can be used to check if it is unused or not. Based on this, we can perform a 90-day calculation and trigger a workflow. For other target systems, there should be some value from the target system itself that determines the usage.


Both Role and Access Profile requests get sticky from time to time, and it is a common problem. Monitor your Task Queue and adjust your aggregation schedules to prevent unneeded aggregations that can cause the sticky issues.


Thanks @gourab and @TJ211 for your inputs. Do you know if there is an easy way to create a certification campaign for a set of identities and target only a set of roles? We are thinking of adopting an interim solution, which is running a certification for all accounts that will get deleted and revoking the requested roles before the deletion happens.

Hi @MeKhalbi ,
Yes, you can easily use ISC Search-based certification for a set of identities or a set of access items. Starting a Campaign from Search - SailPoint Identity Services

Thanks @gourab, the context I have is to remove specific roles from specific identities that will have their accounts deleted, e.g. User A has an account in Entra ID that he didn’t use in 180 days. The account will get deleted; the action from our side is to run a certification to revoke any roles that provide access to Entra ID and that are linked to the account that is set to be deleted.

Hi @MeKhalbi ,
In this case, since ISC roles can have access profiles or entitlements from all sources and are not tied to a specific source, a solution could be to use/add tags on roles to indicate that they grant Entra ID access. By using search, we can find those roles based on the tags and certify them.
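The two suggestions in this thread (derive dormancy from the target system's own last-logon value, then find the roles that grant access to that source via tags) can be combined into one piece of decision logic. The following is an added example, not code from the thread or from SailPoint: it converts an Active Directory `lastLogon` FILETIME into a date, applies the 90-day disable / 180-day delete thresholds the original post describes, and lists the requested roles to revoke before an account is deleted. The identities, role names, the `EntraID` tag and the source-to-tag mapping are constructed sample data; wiring this into an ISC workflow or search-based certification is not shown.

```python
"""Dormant-account detection from AD lastLogon plus tag-based role revocation.

Added example for the thread above (not SailPoint's code). All sample data
below is constructed. Thresholds are the ones the original post describes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DISABLE_AFTER_DAYS = 90    # accounts inactive this long get disabled
DELETE_AFTER_DAYS = 180    # ...and deleted after a further 90 days
# AD FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (a documented fact)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed mapping: which role tag means "grants access on this source"
SOURCE_TAGS = {"Entra ID": "EntraID", "Active Directory": "AD"}


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """lastLogon == 0 means the account has never logged on; return None."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; only used here to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass(frozen=True)
class Account:
    identity: str        # ISC identity the account is correlated to
    source: str          # ISC source name (constructed values below)
    last_logon_ft: int   # lastLogon from AD, or a comparable usage value
    created: datetime    # whenCreated, the baseline for never-used accounts


@dataclass(frozen=True)
class Role:
    name: str
    tags: frozenset      # tags placed on the ISC role (constructed)


def days_inactive(acct: Account, now: datetime) -> int:
    # A never-used account counts as inactive since it was created,
    # so it is not silently exempt from the dormancy rule.
    last = filetime_to_datetime(acct.last_logon_ft) or acct.created
    return (now - last).days


def dormancy_state(acct: Account, now: datetime) -> str:
    d = days_inactive(acct, now)
    if d >= DELETE_AFTER_DAYS:
        return "delete"
    if d >= DISABLE_AFTER_DAYS:
        return "disable"
    return "active"


def roles_to_revoke(accounts, assigned, roles, now):
    """(identity, role) pairs to revoke before the account is deleted.

    `assigned` maps identity -> requested role names; a role is treated as
    granting access on the account's source when it carries that source's tag.
    Roles for other sources are left alone even if the identity is affected.
    """
    revoke = set()
    for acct in accounts:
        if dormancy_state(acct, now) != "delete":
            continue
        tag = SOURCE_TAGS.get(acct.source)
        for role_name in assigned.get(acct.identity, []):
            if tag and tag in roles[role_name].tags:
                revoke.add((acct.identity, role_name))
    return sorted(revoke)


# ---- constructed sample data ----
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


SAMPLE_ACCOUNTS = [
    Account("user.a", "Entra ID", datetime_to_filetime(_ago(200)), _ago(400)),
    Account("user.b", "Entra ID", datetime_to_filetime(_ago(100)), _ago(400)),
    Account("user.c", "Entra ID", datetime_to_filetime(_ago(10)), _ago(400)),
    Account("user.d", "Entra ID", 0, _ago(190)),   # never logged on
]
SAMPLE_ROLES = {
    "Entra-Reader": Role("Entra-Reader", frozenset({"EntraID"})),
    "SAP-Finance": Role("SAP-Finance", frozenset({"SAP"})),
}
SAMPLE_ASSIGNED = {
    "user.a": ["Entra-Reader", "SAP-Finance"],
    "user.b": ["Entra-Reader"],
    "user.d": ["Entra-Reader"],
}

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.identity, days_inactive(acct, NOW), dormancy_state(acct, NOW))
    print(roles_to_revoke(SAMPLE_ACCOUNTS, SAMPLE_ASSIGNED, SAMPLE_ROLES, NOW))
```

Running it flags `user.a` and `user.d` for deletion and returns only their `Entra-Reader` assignment for revocation; `user.a`'s SAP role stays because that account is still in use, and `user.b` is only at the disable stage. Note the never-logged-on case: with `lastLogon` of 0 the account would otherwise look fresh, so the creation date is used as the baseline instead.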


Thanks a lot @gourab, I didn’t really think of using tags.
