Suspension Life Cycle State

Hello All,

I have been asked to come up with a solution to enable Suspensions. The goal of this is to remove a user's access while still allowing them to be able to access Workday Learning. The challenge we are running into is that any design that we have come up with is extremely $$$ to implement.

Our systems are not really set up to handle this kind of ask. I was wondering if anyone has encountered something similar in the past and how you were able to address the ask?

I would say for access we are at less than 10% of access granted in roles. If we were around 90% access granted in roles then this would be really easy. But with only 10% we would need to be able to remove access all but like 2 or 3 AD groups. Then when the status changes back to Active we would need to be able to fully restore the access that was removed.

All ideas welcome!

Hi,

Are you giving the access from the provisioning tab of the Identity Profile? Apologies, but your question is not clear.

Can you elaborate?

-Abhinov

Sure. We are using Identity Profiles to kick off provisioning. If we were to create a new Life Cycle State for this use case we would run into a number of challenges.

Issues:

  1. The majority of access is not being controlled by IdN
  2. Removing access we would only be able to remove access granted by roles
  3. If we removed all access we wouldn’t have an easy way to grant all the access that was removed when the user comes off this life cycle state
  4. AD would need to remain in an enabled state with a couple of AD groups that would allow the user to access Workday Learning. Login is using SAML.

One solution we came up with to address this was to use our PAM tool to reset the password for any user that got added to an AD group. Then a link would be sent to that user to access our PAM tool to launch Workday Learning. When launched, the PAM tool would pass in the generated password to Workday Learning to log them in. From there they could complete the required training. Once the flag is removed from the WD account, access would be completely restored once the user is allowed to reset their password. The issue we are running into is that this solution is really expensive.

When looking at an IdN route we would be looking at a massive redesign of the integrations that we have set up to take this new LCS into account when processing, which, when taking that into account, is also really expensive.

Hi,

Create an extensionAttribute in AD, let's say ‘extensionAttribute11’, and sync the LCS to this attribute.

In the before-provisioning rule, when the value ‘Suspension’ is being updated to the extension attribute, remove the disable operation from the plan and add the AD groups which you want to add.

This will ensure your account remains enabled and also adds the groups required to log in to Workday.

Let me know if this works.

-Abhinov
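A sketch of the before-provisioning rule Abhinov describes, as an added example that is not from this thread (BeanShell, as IdentityNow rules use); the sailpoint.object ProvisioningPlan calls, the rule's return convention, the extensionAttribute11 / memberOf names and the group DNs are assumptions for illustration.

```java
// Added example: IdentityNow BeforeProvisioning rule (BeanShell) sketching
// the approach above. Not from the thread; the sailpoint.object API calls,
// the rule's return convention and the group DNs are assumptions.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
// Assumed names: the AD attribute that receives the LCS value and the
// groups needed for SAML login to Workday Learning (placeholder DNs).
String LCS_ATTR = "extensionAttribute11";
String SUSPENDED = "Suspension";
List LEARNING_GROUPS = new ArrayList();
LEARNING_GROUPS.add("CN=Workday-Learning-Users,OU=Groups,DC=example,DC=com");
LEARNING_GROUPS.add("CN=SSO-Learning-Only,OU=Groups,DC=example,DC=com");

// True when this account request writes 'Suspension' into the LCS attribute.
boolean isSuspension(AccountRequest req) {
    List attrs = req.getAttributeRequests();
    if (attrs == null) return false;
    for (int i = 0; i < attrs.size(); i++) {
        AttributeRequest ar = (AttributeRequest) attrs.get(i);
        if (LCS_ATTR.equalsIgnoreCase(ar.getName())
                && SUSPENDED.equals(ar.getValue())) {
            return true;
        }
    }
    return false;
}

List reqs = plan.getAccountRequests();
if (reqs != null) {
    for (int i = 0; i < reqs.size(); i++) {
        AccountRequest req = (AccountRequest) reqs.get(i);
        if (!isSuspension(req)) continue;
        // Keep the AD account enabled: downgrade the Disable to a Modify so
        // the attribute sync in the same request still goes through.
        if (AccountRequest.Operation.Disable.equals(req.getOperation())) {
            req.setOperation(AccountRequest.Operation.Modify);
            log.info("Suspension: kept AD enabled for " + req.getNativeIdentity());
        }
        // Add only the groups Workday Learning login needs.
        for (int g = 0; g < LEARNING_GROUPS.size(); g++) {
            req.add(new AttributeRequest("memberOf",
                    ProvisioningPlan.Operation.Add, LEARNING_GROUPS.get(g)));
        }
    }
}
return plan;
```

If the LCS disable and the attribute sync reach the rule in separate plans, the Disable request will not carry the ‘Suspension’ value and the rule needs another source for the suspension state. The log line records each suppressed disable so the exception can be audited.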

Hi Mark,

Another alternative is to use the AD group to allow the user to log in only to the learning platform and no other SSO apps through the IdP.

Regards
Arjun