Workflow for new joiner, mover, leaver

Suggestions are required for an optimal workflow for new joiner, mover and leaver, and for the role request workflow. We have an HR application and a ServiceNow integration with IdentityNow; the approvals are done inside IdentityNow, and a service account is used to trigger the approvals and provisioning. Is this the well-known design, or is there a better workflow design?
The problems we face:

  1. First-level approval is not skipped even when the requestor and approver are the same.
  2. SailPoint limitation: we cannot see more information about the requestor before we approve a role, and not all the attributes of the user can be included in the email template either.
  3. Leavers are triggered by an end date change in the HR source, and the user's entitlements are not completely removed.

Thanks

Do you have this configured already and the questions listed are the issues you are having?

For the first item in the list, is that a manager approval for the first level, and the manager is still getting the approval request even if they made the request?

For the second, SailPoint limits the data that gets shown. You can add up to 5 Public Identities Attributes through the Public Identities Config | SailPoint Developer Community API, but those will be public in all areas where the identity can be viewed (requests, certifications, etc.).

For the leaver, I believe there are some improvements for this with the Identity Profile changes. Look for that announcement. Otherwise you may need a workflow that is triggered on the leaver to remove the remaining entitlements.

Thank you for the response. Yes, this is the existing setup.

  1. The manager is the requestor, and he is getting a notification for approval: a redundant step.

I would like to know which is the optimal design: having these approvals inside SailPoint, or in ServiceNow?

Hi Sam,

Use the set-access-request-config | SailPoint Developer Community API to update autoApprovalEnabled to true, which should skip the approval when the requester and approver are the same:

The default value is false; that is why you are having the redundant step.

Good luck
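The two API changes suggested in this thread (the Public Identities Config with its five-attribute limit, and set-access-request-config with autoApprovalEnabled) as one added example. This is not code from the thread or from SailPoint; it calls the Identity Security Cloud v3 endpoints GET/PUT /v3/access-request-config and PUT /v3/public-identities-config with an OAuth2 client-credentials token. The tenant name, client id/secret, the environment variable names and the attribute keys (department, jobTitle, manager) are placeholders you must replace; only the IscClient methods touch the network, so the payload builders can be checked offline.

```python
"""Added example (not from the thread or SailPoint): enable auto-approval and
expose up to five public identity attributes via the ISC v3 REST API.

  * GET/PUT /v3/access-request-config   -> autoApprovalEnabled = true
  * PUT     /v3/public-identities-config -> attributes approvers can see

Tenant, credentials, env var names and attribute keys are placeholders.
"""
import json
import os
import urllib.parse
import urllib.request

MAX_PUBLIC_ATTRIBUTES = 5  # ISC limit on public identity attributes


def with_auto_approval(config, enabled=True):
    """Return a copy of the access-request config with autoApprovalEnabled set.

    PUT replaces the whole object, so every other field returned by GET
    (approvalsMustBeExternal, requestOnBehalfOfConfig, ...) is carried over
    instead of being silently reset to its default.
    """
    updated = dict(config)
    updated["autoApprovalEnabled"] = enabled
    return updated


def public_identities_payload(attributes, email_attribute="email"):
    """Build the body for PUT /v3/public-identities-config.

    `attributes` maps identity attribute key -> display name. ISC accepts at
    most five, so fail locally rather than let the API reject the call.
    """
    if len(attributes) > MAX_PUBLIC_ATTRIBUTES:
        raise ValueError(
            f"ISC allows at most {MAX_PUBLIC_ATTRIBUTES} public identity "
            f"attributes, got {len(attributes)}"
        )
    return {
        "attributes": [{"key": k, "name": n} for k, n in attributes.items()],
        "emailAttribute": email_attribute,
    }


class IscClient:
    """Minimal stdlib-only client; the only place network calls happen."""

    def __init__(self, tenant, client_id, client_secret):
        self.base = f"https://{tenant}.api.identitynow.com"
        self.token = self._client_credentials_token(client_id, client_secret)

    def _client_credentials_token(self, client_id, client_secret):
        query = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        })
        # data=b"" forces a POST with an empty body, as the token endpoint expects
        with urllib.request.urlopen(f"{self.base}/oauth/token?{query}", data=b"") as resp:
            return json.load(resp)["access_token"]

    def _call(self, method, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def enable_auto_approval(self):
        current = self._call("GET", "/v3/access-request-config")
        return self._call("PUT", "/v3/access-request-config", with_auto_approval(current))

    def set_public_identity_attributes(self, attributes):
        return self._call("PUT", "/v3/public-identities-config",
                          public_identities_payload(attributes))


if __name__ == "__main__":
    # Placeholder attributes an approver might want to see on a request.
    attrs = {"department": "Department", "jobTitle": "Job title", "manager": "Manager"}
    tenant = os.environ.get("ISC_TENANT")  # placeholder env var names
    if tenant:
        client = IscClient(tenant, os.environ["ISC_CLIENT_ID"], os.environ["ISC_CLIENT_SECRET"])
        print(client.enable_auto_approval())
        print(client.set_public_identity_attributes(attrs))
    else:
        # Dry run without credentials: show the bodies that would be sent.
        print(json.dumps(with_auto_approval({"autoApprovalEnabled": False}), indent=2))
        print(json.dumps(public_identities_payload(attrs), indent=2))
```

Two caveats that follow from the replies above: attributes added to the public identities config are visible everywhere the identity is shown, not just on approvals, so keep them to what an approver actually needs; and autoApprovalEnabled only helps when ISC itself sees the manager as the requester. If a service account submits the request from ServiceNow on the manager's behalf, the requester and approver differ from ISC's point of view and the approval is not skipped.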

In your post you mentioned you are using a service account to trigger the request to ISC for approval and provisioning. If the manager is raising the request in ServiceNow, then ISC will not know it is him, so it cannot skip the approvals. In this scenario the approvals should be done in ServiceNow itself.
For the other two use cases, it is better to explore the options provided by others in this post. One thing to add for entitlement removal: if you are going with the identity profile route to remove all access, and you have a scenario where certain access must be kept during leaver, you need to add that access in the lifecycle state. If there are more entitlements, then you have to decide whether to go with a workflow.

Thank you for your response.
Is it the common/familiar setup that a service account is used in IdentityNow to trigger the workflows?
The ServiceNow team says that they don't have any control over the approval workflow, and that it is all initiated inside IdentityNow.
What would be the optimal setup for these use cases in the IAM world when we have a ServiceNow integration?

Thank you for your response.


Hi Sam, a couple of questions to better assist you.
You mentioned a ServiceNow integration. Is your ServiceNow integration used as a ticketing service from ISC? What I mean is: when the request is raised in ISC, after the approvals, do you use ServiceNow to create tickets for the respective business teams?
You also mentioned workflows. Are you using native workflows in ISC for approvals and provisioning, or am I misinterpreting it? Are you referring to workflows in ServiceNow?
Is your ServiceNow also used by end users to raise requests to ISC?
