Hi team,
We are working on a workflow used in the leaver phase where we remove the roles and, for certain sources, remove all additional entitlements an identity might have. Even though we don't want the identities to request single entitlements (allowEntitlementRequest is marked as false), there still might be standalone entitlements that identities have that need to be removed by this leaver flow.
We started testing the Manage Access Action with a very simple workflow:
1: External trigger without any input needed.
2: Manage access, where we choose a static identity and a static (standalone) entitlement
3: End workflow success step.
We performed a test of the workflow and it was successful, but now every identity can request all entitlements we have without an approval flow.
Before executing the workflow:
beta/access-request-config
ui/admin#admin:global:system:features
ui/d/request-center/request-access
After executing the workflow:
beta/access-request-config
ui/admin#admin:global:system:features
ui/d/request-center/request-access
So because we ran this workflow to remove access, all identities can now request all entitlements without an approval flow. This looks like a bug to me, and it poses a big security risk.
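A check for the state described in this post, as an added example that is not part of the original post and not SailPoint code: it compares two snapshots of the GET /beta/access-request-config response taken before and after the workflow runs, lists every field that changed, and flags the case where entitlementRequestConfig.allowEntitlementRequest has become true while no grantRequestApprovalSchemes is set, so requests would be granted without approval. The field names follow the documented access-request-config schema; the two snapshots are constructed sample data, and the exact values a tenant returns for the approval-scheme field are an assumption.

```python
"""Added example (not from the original post or SailPoint): detect drift in
the access-request-config response and flag open, unapproved entitlement
requests. Snapshots below are constructed sample data."""
import copy
import json

# Constructed snapshot taken BEFORE the workflow ran: single-entitlement
# requests disabled, an approval scheme configured.
BEFORE = {
    "approvalsMustBeExternal": False,
    "autoApprovalEnabled": False,
    "entitlementRequestConfig": {
        "allowEntitlementRequest": False,
        "requestCommentsRequired": False,
        "deniedCommentsRequired": False,
        "grantRequestApprovalSchemes": "entitlementOwner",  # assumed value
    },
}

# Constructed snapshot AFTER the workflow ran: requests open, no approver.
AFTER = copy.deepcopy(BEFORE)
AFTER["entitlementRequestConfig"]["allowEntitlementRequest"] = True
AFTER["entitlementRequestConfig"]["grantRequestApprovalSchemes"] = ""


def entitlement_requests_unapproved(cfg):
    """True when identities may request single entitlements and no approval
    scheme is configured, i.e. a request would be granted without approval."""
    erc = cfg.get("entitlementRequestConfig", {})
    allow = bool(erc.get("allowEntitlementRequest", False))
    schemes = (erc.get("grantRequestApprovalSchemes") or "").strip()
    return allow and not schemes


def flatten(d, prefix=""):
    """Flatten nested dicts to dotted keys so every changed field is named."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out


def config_drift(before, after):
    """Return a sorted list of (field, old, new) for each field that differs."""
    b, a = flatten(before), flatten(after)
    return sorted(
        (k, b.get(k), a.get(k)) for k in set(b) | set(a) if b.get(k) != a.get(k)
    )


def check_after_workflow(before, after):
    """Drift report plus the risk verdict for the post-workflow snapshot."""
    return {
        "changed_fields": config_drift(before, after),
        "open_without_approval": entitlement_requests_unapproved(after),
        # regressed: the workflow took the tenant from safe to unsafe
        "regressed": (not entitlement_requests_unapproved(before))
        and entitlement_requests_unapproved(after),
    }


if __name__ == "__main__":
    print(json.dumps(check_after_workflow(BEFORE, AFTER), indent=2, default=str))
```

In practice the two snapshots would be the JSON bodies returned by GET /beta/access-request-config immediately before and after the workflow executes; running the check as part of workflow testing makes a change like the one described above visible before identities start requesting entitlements.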