What workflow is getting triggered while revoking the access-review during the certification

What workflow is getting triggered while revoking the access-review during the certification?
Step1: Created a manager Certificate.
Step2: Revoked all account access review and Signed Off
Step3: Ran the Perform maintenance task.
Step4: Certificate has been completed.

From a few documents, I got to know that this process is triggering LCM provisioning. So, I have created another Workflow copied from LCM provisioning and configured that in Life Cycle Manager, but I found this process is not getting triggered at all.

When revoking access in an IIQ certification a ProvisioningPlan will be created and associated with the CertificationItem which is part of a Certification XML object. When PM task runs, it will check for any ProvisioningPlans associated with a CertificationItem and kick off provisioning during that time. A specific workflow is not executed during this process.

You can always enable sailpoint.WorkflowTrace in log4j to determine what workflows are being called during processing.

Does the PM task trigger any Rules or Workflow?
I found the below piece of code from “Rules in identityIQ” document.
Could you please advise, where to add this code to redirect the flow to a new Group.

Certification revocation creates a Modify action with remove entitlement. One option is a before provisioning rule, where you can add your custom logic.

Could you elaborate on which rule I need to look into and add my custom code?

I haven’t asked this question in the last couple of years, but I guess it is LCM Provisioning only.

When a Provisioning Plan is created, it has an argument source, which defines from where this plan is generated.

If you place a request in Manage Access then source will be LCM
When you try to synchronize the attributes to target apps using Target Mapping, source will be IdentityRefresh.
Similarly in certification, if it is Approve then nothing to do, access will stay back. If it is deny then a revocation plan will be generated with source as Certification.

Every plan before it gets executed (OOTB), it has to go through Before Provisioning Rule.

I believe you need to do some customization to process the certification revocations, so add that custom logic in your Before Provisioning Rule with below code.

String source = plan.getSource();

// Constant-first comparison stays null-safe if the plan has no source set
if ("Certification".equalsIgnoreCase(source)) {
    /*
    Custom logic
    */
}

A BeforeProvisioning rule is configured per application.

For an example of a BeforeProvisioning rule, see the ‘Rules in IdentityIQ’ Technical White Paper

– Remold
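An added example (not code from the thread or from SailPoint) that combines the two points above: a BeforeProvisioning rule body that acts only on plans whose source is Certification and logs each entitlement removal before the connector runs. It assumes the standard `plan`, `application` and `log` variables that IdentityIQ passes to a BeforeProvisioning rule, and it runs inside IdentityIQ as BeanShell, not stand-alone.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// BeforeProvisioning rule body (BeanShell).
// "plan", "application" and "log" are supplied by IdentityIQ at run time.

String source = plan.getSource();

// Only handle plans generated by a certification revocation;
// LCM requests and identity refresh plans pass through untouched.
if (!"Certification".equalsIgnoreCase(source)) {
    return;
}

List accountRequests = plan.getAccountRequests();
if (accountRequests == null) {
    return;
}

for (AccountRequest acct : accountRequests) {
    List attrRequests = acct.getAttributeRequests();
    if (attrRequests == null) {
        continue;
    }
    for (AttributeRequest attr : attrRequests) {
        // A revoked entitlement arrives as a Remove on the entitlement attribute
        if (ProvisioningPlan.Operation.Remove.equals(attr.getOperation())) {
            log.warn("Certification revocation: application=" + application.getName()
                    + " account=" + acct.getNativeIdentity()
                    + " remove " + attr.getName() + "=" + attr.getValue());
            /*
            Custom logic for the revoked entitlement goes here
            */
        }
    }
}
```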

As per my requirement I have to create an Identity Certification.
The steps I have followed to Call Before Provisioning Rule is as below.
Step1: Selected an identity and checked the account it’s belonging to.
Step2: Assigned the Before Provisioning Rule to the Application (for the same Account).
Step3: Created the Identity certification for that Identity, revoked all the access reviews and Signed Off.
Step4: Ran Perform Maintenance Task.

I can see the certification has been completed successfully, but the Before Provisioning Rule has not been called at all. Any advice?

Can you take a step back and tell what your high level requirement is?
Why do you need to change anything regarding the revocations?

It might be a good idea to take a look at the Technical White Paper Lifecycle of a Certification.

Regarding the found ‘ApprovalAssignment’ rule, this rule is not related to Certifications (aka Access Reviews). The Approval flow is (by default) only used for Access Requests.

– Remold

Thanks Remold. Here is my requirement.
I need to create an Identity certificate and during Access Review, when the Certifier revokes the access, the Workflow should redirect to a particular User group.

Any advice on how to implement it, and in which Rule or Workflow I need to make the change?

Hello Debasis,

Regarding the line - “the Workflow should redirect to a particular User group” Can you elaborate on what you want the workflow to direct? Are you saying that the access review should be redirected to a workgroup? I think if you want to add some logic for revocation, as Krishna suggested you can add a before provisioning rule. As for it not getting triggered, you might want to let us know what logic you have written.

Also, I think it would be best if you close this thread and make a new one because the original question [What workflow is getting triggered while revoking the access-review during the certification] has been answered and the new thread will also give the experts more clarity on your requirement as well.
