Workflow ISC: Best way to revoke roles and delete accounts on target systems

Hi all.

I currently have a workflow that creates a micro attestation campaign for an identity when it goes from active to inactive.
The attestation campaign revokes everything requested from the request center:

  1. Workflow creates and configures the certification campaign.
  2. Over HTTP I use the https://tenantid-sb.api.identitynow.com/v3/campaigns/{{$.createLeaverCampaign.id}}/complete call with the {"autoCompleteAction": "REVOKE"} option.
  3. Over HTTP I use the endpoint to delete the account on the target system.

This works; however, I am concerned that between steps 2 and 3 there is a timeout and the account will be deleted before ISC finishes "revoking" the roles (and entitlements). Is there any way to ensure this does not happen, i.e. validate that on source X there are no entitlements left, and only then delete the account?

I hope I have explained myself, thank you in advance for your support.
Regards!


Hi,

You can try the below.

After step 2, add a wait of 10 or 15 minutes in the workflow. Do an API call to ISC to check if any entitlements are present on the source. If not, proceed to delete the account. If yes, send a notification to alert an admin, or try it again.

And if you are deleting the account on the target, what is the need to remove entitlements?

-Abhinov

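One way to implement the check Abhinov describes above (wait, verify that nothing is left on the source, and only then delete, otherwise alert an admin), written as an added example that is not code from this thread or from SailPoint. It assumes the `status` field of `GET /v3/campaigns/{id}` and the `GET /v3/accounts/{id}/entitlements` endpoint, and uses constructed sample responses behind injectable fetchers so it runs offline; in a real workflow the two fetchers would make the authenticated HTTP calls.

```python
import time

# Constructed sample responses (not real tenant data), shaped like the ISC v3
# payloads this gate reads: GET /v3/campaigns/{id} (assumed) and
# GET /v3/accounts/{id}/entitlements (assumed).
CAMPAIGN_DONE = {"id": "camp-1", "status": "COMPLETED"}
ENTITLEMENT_POLLS = [
    [{"id": "ent-1", "name": "App Admin", "source": {"id": "src-X"}}],  # poll 1: still present
    [],                                                                  # poll 2: revoked
]

def remaining_entitlements(entitlements, source_id):
    """Entitlements still attached to the account on the given source."""
    return [e for e in entitlements if e.get("source", {}).get("id") == source_id]

def safe_to_delete(campaign, entitlements, source_id):
    """Delete only when the revoke campaign finished AND the source is clean."""
    return campaign.get("status") == "COMPLETED" and not remaining_entitlements(entitlements, source_id)

def wait_until_clean(get_campaign, get_entitlements, source_id, attempts=3, delay_s=600):
    """Poll the two fetchers up to `attempts` times, sleeping `delay_s` between polls."""
    remaining = []
    for attempt in range(1, attempts + 1):
        campaign, ents = get_campaign(), get_entitlements()
        remaining = remaining_entitlements(ents, source_id)
        if safe_to_delete(campaign, ents, source_id):
            return {"ok": True, "attempts": attempt, "remaining": []}
        if attempt < attempts:
            time.sleep(delay_s)
    return {"ok": False, "attempts": attempts, "remaining": [e["name"] for e in remaining]}

def next_action(result, account_id):
    """Map the poll result to the workflow's next HTTP step, or to an admin alert."""
    if result["ok"]:
        return ("DELETE", f"/v3/accounts/{account_id}")  # assumed delete endpoint
    return ("NOTIFY", f"account {account_id} still holds {result['remaining']}; not deleting")

def run_demo(polls=ENTITLEMENT_POLLS, campaign=CAMPAIGN_DONE):
    """Drive the gate with the constructed samples: no network, no sleeping."""
    polls = iter(polls)
    result = wait_until_clean(lambda: campaign, lambda: next(polls, []), "src-X",
                              attempts=3, delay_s=0)
    return result, next_action(result, "acct-42")
```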

Hello!
Thanks for your reply, I will try and hope to succeed.

Answering your question: I want to delete the rights granted by exception (not the roles granted by birthright) because if I don't delete them and just delete the account, those rights will trigger the account creation again (even if the identity is inactive). Honestly, I think it should not work this way, i.e. an inactive identity should no longer trigger account creation, but if the entitlement is still valid, it re-creates the account after I delete it.

  1. As @Abhinov7 suggested, add the wait time between step 2 and step 3. You can also consider the entitlements' source account aggregation schedule when you choose the wait time, just to make sure the updated accounts are aggregated back through source aggregation before deleting the account. This may save you when you have a connectivity issue during the revoke process; just my 2 cents from my experience.

Hello.
Thank you very much for your suggestion.
Just to confirm that I got it right: You mean to perform an account aggregation while waiting between step 2 and 3?
I understand that this is to ensure that I have connection with the target system and then ISC will be able to remove the entitlements, right?

First thing, the campaign in your Workflow will anyway do the individual account aggregation via identity refresh and keep your identity with the latest data. I suggest considering the source aggregation to be extra cautious when an error occurs during the revoke process, especially since later you are deleting an account. To your questions:

  1. Increase the wait time to align the Workflow with the scheduled source aggregation, if the source aggregation is already scheduled and is frequent enough. Do not add any source aggregation action in the Workflow; it would distract from your Workflow's purpose and is not recommended.
  2. Apart from the connection check, it is to make sure you have an updated account correlated in ISC before deleting the account; otherwise it may create a new account in some exceptional cases.

Thank you for the explanation, I will take it into account.

Hi,

When the identity changes to inactive you can also remove the requested roles from the workflow, then trigger the account deletion.

No need of creating a certification.

-Abhinov

Hello!

Do you mean using the workflow action “Manage Access”?

Hi,

Yes, you can get all access of the identity and, using Manage Access, remove that access. But this should follow a sequence of steps:

  1. Identity changes to inactive and triggers the workflow.
  2. Wait for 3-5 mins for the birthright access to be removed.
  3. Get the roles of the identity using "Get Access".
  4. Remove the roles obtained in step 3 using Manage Access.
  5. Get the entitlements of the identity using "Get Access".
  6. Remove the entitlements obtained in step 5 using Manage Access.
  7. Trigger deletion of the account.

If you follow this procedure, there is no need for a certification.

-Abhinov

Thank you for your support, I will do so to avoid certification.
Just one additional doubt: in step 2, why is it necessary to wait for the birthright access to be removed?
One rule to assign birthright access is that the identity is active. Do you mean to wait for ISC to remove those roles since the first condition is no longer fulfilled, or do we have to wait for another reason?

Thanks in advance.
Best regards!

Hi,

If we don't wait and, let's say, the workflow has processed and deleted the account before the birthright access removal, then ISC will trigger account creation.

Also, I see you are deleting the account directly on the target, so ISC wouldn't know about this until the next aggregation.

So it's not mandatory to add a wait, but just to be sure that the workflow removals and the birthright removal don't happen in parallel, and to avoid any issue, it's better to wait and do the steps sequentially.

-Abhinov

Thank you for all your support. Every answer to the doubts we have helps, in addition to solving the use case, to strengthen the community.
Best regards!
