We are having requirement to Trigger alert when multiple access(10+) getting revoked via Role or Access profiles from any identity, is it possible to implement this in Sailpoint.
If yes, how ?
There’s no native way to handle this, but you can use customization through the API’s to make this happen. I think it would be relatively simple to just scan the most recent AccountRequests, check for commonality between them, then if it hits your criteria, send an email to your team.
Here is another thread discussing something similar to your needs:
As Tyler said, there is no OOTB way this scenario but you can use Search query to get the exact result and trigger the operation you want.
can you explain further when you say revoked from a Role or AP?
all underlying access items prov’ process will kick off so do you mean if the access item is not detecting during next aggregation? if so can you configure native change detection but that will not restrict you to a count like 10+ etc.
Let’s say , we are assigning entitlements from Role, and once the role is disabled entitlements will be revoked. We need to put threshold over there , to send warning when 10+ access is getting revoked for any identity.
Hi Shikha,
- Send a APi request ( search-aggregate | SailPoint Developer Community ) with following body
{
“indices”: [“events”],
“query”: {
“query”: “technicalName:PROVISIONING_COMPLETED AND @accountRequests(attributeRequests.op:Remove) AND created:[now-1h TO now]”
},
“aggregation”: {
“identities_with_mass_removal”: {
“terms”: {
“field”: “target.name.exact”,
“min_doc_count”: 10
}
}
}
}
Run the above as scheduled trigger, then add WAIT of 20 minutes as provisining takes time.
- Add next conditional operator in workflow finidng if roles removed in a particular time period are >10, then keep an action of senfing email to requisite person.