When I individually go and revoke a role, there are no issues. If the permissions are the issue, it would give me an error when I do this as well, right?
There are a lot of variables in play; the error is an AD error, it can't or won't do what it's asking.
HRESULT:[0x8007235] this error on the Active Directory side is usually related to an Active Directory password policy and you may require some assistance on the Active Directory side.
I agree that this is an AD error. I've seen this happen before also when you are trying to do something that is already done (e.g. remove a user from a group when they are no longer a member of that group anymore).
The only way I can think of this happening as a result of the workflow is if you have many birthright roles that are auto-removed when the user's lifecycle state changes + at the same time this workflow triggers and tries to remove the same access. So there may be a race condition where the certification campaign is generated to remove access that is removed a few seconds/minutes later anyway.
Try one of the following:
- If you are triggering this workflow on the very first state when someone is terminated (e.g. from Active to Terminated) then add an additional delay (10~15 minutes?) as the very first step of the workflow. This ensures all birthright access and roles are already removed before this workflow tries to remove the rest.
OR
- Consider splitting your leaver process in two steps - which is the most common setup I've seen. For example:
i. Initially Active → Terminated only disables accounts and removes birthright roles, but all additional access remains. Identities stay in the Terminated state for a short period of time (e.g. 2 weeks), which also makes reverting an incorrect termination a lot easier.
ii. After two weeks Terminated → Post Terminated / Final Terminated. This is when you'd trigger this workflow to go and remove any left over access, as you are now sure this is a valid leaver.
@sk8er23 and @mostafa_helmy, thanks for all your feedback. I found an alternative solution to my problem.
I used an HTTP Request action to create a Search Campaign instead of the Create Certification Campaign action. Using the HTTP Request, I attached a campaign filter to the JSON configuration of that particular action and excluded the 'Domain Users' entitlement, as it was that entitlement that was causing the issues when revoking access via certification.
Following the above procedure I started the campaign automatically with the Activate Campaign action and the rest of the actions to revoke the access items and observed the expected result (revocation of all access items except for the Domain Users entitlement and the birthright roles).
Thanks for all your help!
I will try the first suggestion out and see if this is also a potential fix.
Hi @mostafa_helmy, I have one more additional requirement I am trying to fulfill: when an Identity's LCS changes to trigger the workflow and the search campaign (via HTTP Request) is initiated, I need the campaign to include access items from particular sources. I have tried to see if in the query we can add an innerhit; it doesn't seem like there is one. If you have any thoughts on how I could achieve this, please let me know.
Hi All,
I've a doubt how to stop email notification for revoking access. If there are 100+ users leaving and we use the revoke entitlement workflow, it's triggering emails based on PAT.
Is there any workaround to avoid these email notifications?
-Vasanth
Unfortunately there is no way to suppress the standard access request emails if you choose that approach. Ideally using the Access Certification approach would not trigger any emails.
Question:
Curious to know why we are not using the 'manage access' action to remove entitlements instead of the access certifications approach?
Ideally, I would like to remove all entitlements associated with the identity using manage access.
One of the optional workflows I created in this post does use the 'Manage Access' step to remove access (Option 2: Access Request Workflow).
The primary reason I do not recommend using the 'Manage Access' step is because it relies on Access Requests, which have their own pros & cons:
- Access items may have an approval workflow configured for removing access. So your leaver flow could potentially wait for one or more approvers before removing access.
- The SailPoint Access Model contains nested objects (Roles > Access Profiles > Entitlements), so there has to be logic that evaluates each access item and ensures you do not try to submit a request to remove a nested item, as it wouldn't work (I already implemented that logic in the workflow; it is possible, but why go through that?)
- With Entitlement remove requests, they have to be one entitlement per request. This requires looping through all standalone entitlements, which isn't best practice and may hit some workflow looping limits.
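As an added illustration of the nested-object pruning and one-entitlement-per-request planning described in the post above (constructed sample data, not the workflow's own logic; the `plan_removals` function and the ROLE/ACCESS_PROFILE/ENTITLEMENT labels are assumptions for the example):

```python
from dataclasses import dataclass, field

@dataclass
class Entitlement:
    id: str
    name: str

@dataclass
class AccessProfile:
    id: str
    name: str
    entitlements: list = field(default_factory=list)

@dataclass
class Role:
    id: str
    name: str
    access_profiles: list = field(default_factory=list)

def plan_removals(roles, access_profiles, entitlements, exclude_names=()):
    """Return (type, id) remove requests, one per item, for a leaver.

    Inputs are everything the identity holds, directly or via a parent.
    Items reachable through a held parent are skipped: removing the parent
    removes them, and a request to remove the nested item alone fails.
    exclude_names keeps items known to fail on revoke (the thread's synced
    'Domain Users' group) out of the plan.
    """
    nested_profiles = {ap.id for r in roles for ap in r.access_profiles}
    nested_ents = {e.id for ap in access_profiles for e in ap.entitlements}
    plan = [("ROLE", r.id) for r in roles if r.name not in exclude_names]
    plan += [("ACCESS_PROFILE", ap.id) for ap in access_profiles
             if ap.id not in nested_profiles and ap.name not in exclude_names]
    plan += [("ENTITLEMENT", e.id) for e in entitlements
             if e.id not in nested_ents and e.name not in exclude_names]
    return plan

def sample_plan():
    """Constructed sample identity (assumed ids/names): a role whose access
    profile grants one entitlement, a direct profile, direct entitlements."""
    fin_ro = Entitlement("e-fin", "Finance RO")
    vpn_users = Entitlement("e-vpn", "VPN Users")
    domain_users = Entitlement("e-dom", "Domain Users")
    git_dev = Entitlement("e-git", "Git Developers")
    fin_apps = AccessProfile("ap-fin", "Finance Apps", [fin_ro])
    vpn = AccessProfile("ap-vpn", "VPN", [vpn_users])
    analyst = Role("r-ana", "Finance Analyst", [fin_apps])
    return plan_removals([analyst], [fin_apps, vpn],
                         [fin_ro, vpn_users, domain_users, git_dev],
                         exclude_names={"Domain Users"})
```

`sample_plan()` yields three requests: the role, the standalone VPN profile and the standalone Git entitlement; the nested Finance items and the excluded Domain Users group are left out.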
@mostafa_helmy
Just wanted to confirm another item in your access certification workflow. This approach would automatically complete the campaign generated and revoke all entitlements tied to the identity, correct? I wanted to make sure that the manager does not actually have to complete the campaign certification generated.
Correct! No user input is required, the workflow automatically revokes all access within a few minutes. You can even not assign it to the manager and instead assign it to your SailPoint workflow service account.
@mostafa_helmy Thank you so much! I have tested the simple leaver workflow and it worked very well!
However, I am having some issue with just the Azure AD source. In the SailPoint UI, it shows that all Azure license entitlements have been removed, but I am still seeing the license assigned to the user in Azure. Is this expected?
There are no licenses tied to the user in SailPoint either. Not sure why it is not reflecting in Azure.
Here is the 400 error while removing entitlements from azure ad.
["Provisioning failed for 85a60d30-2de5-4616-85f7-36aaf6043233. Entitlement ID: 8c515c6a-81a4-4c63-8388-d54a8718a2bd .Response Code - 400 Error - Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.","Provisioning failed for 85a60d30-2de5-4616-85f7-36aaf6043233. Entitlement ID: ec8636d7-a9a4-47b8-88e6-8d37355171bc .Response Code - 400 Error - Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.","ObjectNotFoundException Provisioning failed for 85a60d30-2de5-4616-85f7-36aaf6043233. Entitlement ID: bf621ce7-86a5-482b-acb8-6c8f7edb7555 .Response Code - 404 Error - Resource \u0027bf621ce7-86a5-482b-acb8-6c8f7edb7555\u0027 does not exist or one of its queried reference-property objects are not present.","Provisioning failed for 85a60d30-2de5-4616-85f7-36aaf6043233. Entitlement ID: 0d276be7-f2c5-4f9f-a09d-d471f7e34bab .Response Cod…dergoing migration."]
I added a 2 minute wait action delay as well. This does impact our license removal workflow during terminations. Do you have any thoughts on other workarounds?
This seems like a connector issue that is not directly related to this workflow.
Specifically from the error message, it seems like you are using Entra Connect (previously known as Azure AD Connect) to sync on-prem users & groups to Entra. By Microsoft design, the synced groups cannot be removed from Entra, they can only be removed from AD.
I assume the AD groups are being removed anyway via this very same workflow. If so you can ignore this error as these synced group memberships will be removed by Entra Connect anyway.
The ability to exclude these synced read-only groups in the Azure/Entra connector is being tracked in this idea: https://ideas.sailpoint.com/ideas/GOV-I-1833. My understanding is an update will be released very soon allowing you to exclude such groups from aggregation. I'd recommend voting for it anyway if you haven't already.
Hi Mostafa,
First of all, great work!
I was wondering: we are trying to just have a simple WF without certification to remove access. I'm able to do so, but each removal opens a request to the owner. Is there a way to skip approval? Just remove access without approvals?
Hi Mostafa,
I think you're correct. For on-prem AD groups, it is by Microsoft design. I was thrown off a bit because in SailPoint events, it was giving the error on the SPE_E3 license attribute value removal. SPE_E3 shouldn't be on-prem AD group membership. However, I don't see the license tied to the user in Azure anymore. I wonder if the SailPoint UI is not capturing the information correctly.
I was thinking, to be on the safe side, should I run the 'Scheduled - RemoveStandingAccess' workflow to remove all entitlements daily for terminated users, so in case my 'leaver - simple remove all access' workflow fails to remove all entitlements, I have a scheduled workflow running to remove all entitlements of the identity? Let me know your thoughts.
Just for reference, here is the error screenshot SPE_E3 license.
Thanks Yaniv. Arguably the certification campaign approach is the simpler one. Please note that the generated campaign does not require human intervention (i.e. a manager does not need to make any decisions), the workflow will complete the campaign and revoke all access automatically.
Unfortunately one of the side effects of using Access Requests instead would be your leaver flow potentially waiting on approvals for access items with a remove access approval flow.
I'm not an expert in Entra. This seems more like an AD/Entra sync issue blocking the access removal than anything specifically SailPoint related.
At this point I'd recommend perhaps opening support tickets with SailPoint and/or Microsoft to help you understand why you are unable to remove these access items.