My organization is looking to introduce just-in-time provisioning to reduce the number of stale licenses for tools like Monday, Salesforce and Jenkins. Being able to make Sunset Date a mandatory field within the GUI process for creating access profiles (similar to how you can flag comments as mandatory) would be extremely beneficial. Another option, instead of selecting a sunset date, would be to select a length of time the access would be good for (number of days) to allow for the approval workflow process to complete without impacting the time the access is available to the user.
I would support this idea for some use cases for our environment as well. Did you submit it to the Ideas portal?
Yes, within SailPoint, you can effectively implement just-in-time provisioning based on sunrise and sunset dates using its built-in features. This capability is seamlessly integrated into the process of requesting roles or entitlements through the manage access functionality. Also, you could customize this functionality.
Having talked to SailPoint, this cannot be made mandatory based on the OP request for roles or entitlements without customization. The other issue with sunset is that if the deprovisioning fails, it does not continue to retry like a regular access request. From an audit perspective, we have also noticed Sunset actions do not log in IIQ when successful. The access is just removed. We have to look at the provisioning log that is sent to the endpoint to see what was sent.