This week I received a request to revoke an access two hours after provisioning. At first I thought that wouldn't be possible, because nothing in the documentation says it is possible.
But my curiosity spoke louder, so I started reading the API documentation, looked at the Access Request endpoint and found a possible solution.
The documentation for this endpoint says:
REVOKE_ACCESS
- Can only be requested for a single identity at a time.
- You cannot use an access request to revoke access from an identity if that access has been granted by role membership or by birthright provisioning.
- Does not support self request. Only manager can request to revoke access for their directly managed employees.
- If a removeDate is specified, then the access will be removed on that date and time only for roles and access profiles. Entitlements are currently unsupported for removeDate.
- Roles, access profiles, and entitlements can be requested for revocation.
- Revoke requests for entitlements are limited to 1 entitlement per access request currently.
- [Roles, Access Profiles] You can specify a removeDate if the access doesn't already have a sunset date. The removeDate must be a future date, in the UTC timezone.
- Allows a manager to request to revoke access for direct employees. A token with ORG_ADMIN authority can also request to revoke access from anyone.
removeDate (date-time)
The date the role or access profile is no longer assigned to the specified identity. Also known as the expiration date.
- Specify a date in the future.
- The current SLA for the deprovisioning is 24 hours.
- This date can be modified to either extend or decrease the duration of access item assignments for the specified identity. You can change the expiration date for requests for yourself or direct reports, but you cannot remove an expiration date on an already approved item. If the access request has not been approved, you can cancel it and submit a new one without the expiration. If it has already been approved, then you have to revoke the access and then re-request without the expiration.
- Currently it is not supported for entitlements.
As we can see, the removeDate documentation has conflicting statements. First it says "You can specify a removeDate if the access doesn't already have a sunset date." and then it says "This date can be modified to either extend or decrease the duration of access item assignments for the specified identity. You can change the expiration date for requests for yourself or direct reports, but you cannot remove an expiration date on an already approved item. If the access request has not been approved, you can cancel it and submit a new one without the expiration. If it has already been approved, then you have to revoke the access and then re-request without the expiration."
In the end, if you make a revoke request sending a new removeDate, even if the user selected an expiration date, ISC will process whichever event comes first (I still need to validate whether the request overwrites the older value).
After those tests I created a workflow to do the job.
- Trigger: Provisioning Completed, with the following filter so that only the Modify that adds the target group starts the workflow:
$.accountRequests[?(@.accountOperation=='Modify' && @.attributeRequests[0].attributeValue=='CN=MyTestGroup,OU=Groups,OU=IdentityNow,DC=domain,DC=com')]
- Operator: Define Variable
This step defines the access removal date, because the trigger doesn't give us an execution date; in my case I take the workflow execution time ($.now()) and add 2 hours. Keep in mind that the documentation above quotes a 24-hour SLA for deprovisioning, so a removeDate two hours out is a target, not a guarantee.
{
"name": "removalDate",
"description": "removalDate",
"transforms": [
{
"id": "sp:transform:addTime:time",
"input": {
"length": 2,
"unit": "hours"
}
}
],
"variableA.$": "$.now()"
}
- Action: HTTP Request
Now we send the revoke request with our new removeDate. Even though there is a Manage Access action, I couldn't make it work, so I used an HTTP Request instead.
Authentication Type: OAuth2
Token URL: https://{tenant}.api.identitynow.com/oauth/token
Client ID / Client Secret: an API client with ORG_ADMIN authority (per the docs quoted above, only the identity's manager or an ORG_ADMIN token can revoke). Because that credential can revoke anyone's access, keep it dedicated to this workflow instead of reusing a shared admin client.
Request URL: https://{tenant}.api.identitynow.com/beta/access-requests
Headers: Accept: application/json and Content-Type: application/json
Request Body: {"requestType":"REVOKE_ACCESS","requestedFor":["{{$.trigger.recipient.id}}"],"requestedItems":[{"comment":"Revoke at sunset","id":"access_profile_id","removeDate":"{{$.defineVariable.removalDate}}","type":"ACCESS_PROFILE"}]}
I left the access profile ID as a static value.
Workflow:
As I'm still working on this workflow, it is simple but helpful.
Please feel free to suggest any improvements.
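As an added example (it is not the workflow JSON attached to this post), here are the three steps modelled in plain Python so they can be dry-run offline before wiring them into ISC: the trigger filter, the removeDate arithmetic, and a builder for the REVOKE_ACCESS body that enforces the constraints the docs list (one identity per request, no removeDate on entitlements, a future date in UTC). The event payload, identity ID, access profile ID, tenant and token are constructed placeholders. One caveat it makes visible: the JSONPath filter only inspects attributeRequests[0], so a Modify where the group add is not the first attribute request will not start the workflow.

```python
"""Added example, not the original post's workflow: the trigger filter,
removeDate arithmetic and REVOKE_ACCESS body modelled in plain Python.
The event, identity ID and access profile ID are constructed sample data."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

TARGET_GROUP_DN = "CN=MyTestGroup,OU=Groups,OU=IdentityNow,DC=domain,DC=com"

# Constructed sample Provisioning Completed event, trimmed to the fields the
# workflow reads ($.trigger.recipient.id and $.accountRequests[...]).
SAMPLE_EVENT = {
    "recipient": {"type": "IDENTITY", "id": "2c9180857f9d4f2a017fa1a2b3c4d5e6",  # constructed
                  "name": "jane.doe"},
    "accountRequests": [{
        "accountOperation": "Modify",
        "attributeRequests": [{"operation": "Add", "attributeName": "memberOf",
                               "attributeValue": TARGET_GROUP_DN}],
    }],
}


def matches_trigger_filter(event, group_dn=TARGET_GROUP_DN):
    """Same test as the post's JSONPath filter:
    $.accountRequests[?(@.accountOperation=='Modify' && @.attributeRequests[0].attributeValue==group_dn)]
    Like the JSONPath, it only looks at attributeRequests[0]: a Modify that adds
    the group as its second attribute request is not matched."""
    for req in event.get("accountRequests", []):
        attrs = req.get("attributeRequests") or []
        if req.get("accountOperation") == "Modify" and attrs and attrs[0].get("attributeValue") == group_dn:
            return True
    return False


def removal_date(now, hours=2):
    """Define Variable step: $.now() plus N hours, rendered as the UTC ISO 8601
    timestamp the docs require for removeDate (future date, UTC timezone)."""
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the offset is explicit")
    when = (now.astimezone(timezone.utc) + timedelta(hours=hours)).replace(microsecond=0)
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_revoke_request(identity_id, item_id, item_type, remove_date, comment, now=None):
    """Build the REVOKE_ACCESS body and enforce the documented constraints
    client-side: one identity per request, removeDate only for ROLE and
    ACCESS_PROFILE, and removeDate strictly in the future (UTC)."""
    now = now or datetime.now(timezone.utc)
    if item_type not in ("ROLE", "ACCESS_PROFILE", "ENTITLEMENT"):
        raise ValueError(f"unknown item type {item_type!r}")
    item = {"id": item_id, "type": item_type, "comment": comment}
    if remove_date is not None:
        if item_type == "ENTITLEMENT":
            raise ValueError("removeDate is not supported for entitlements")
        parsed = datetime.strptime(remove_date, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if parsed <= now.astimezone(timezone.utc):
            raise ValueError("removeDate must be in the future (UTC)")
        item["removeDate"] = remove_date
    return {"requestType": "REVOKE_ACCESS", "requestedFor": [identity_id], "requestedItems": [item]}


def send_revoke_request(tenant, bearer_token, body):
    """POST the body to the endpoint the post uses (beta/access-requests).
    Not called in the offline demo. The token must carry ORG_ADMIN authority or
    belong to the identity's manager, per the docs quoted above."""
    req = urllib.request.Request(
        f"https://{tenant}.api.identitynow.com/beta/access-requests",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Accept": "application/json", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Offline dry run: filter the sample event, compute now + 2h, build the body.
    if matches_trigger_filter(SAMPLE_EVENT):
        now = datetime.now(timezone.utc)
        body = build_revoke_request(SAMPLE_EVENT["recipient"]["id"], "access_profile_id",
                                    "ACCESS_PROFILE", removal_date(now), "Revoke at sunset", now=now)
        print(json.dumps(body, indent=2))
```

Running the script prints the same body the HTTP Request step sends, with the identity ID taken from the event and removeDate computed from the current UTC time; the validation in build_revoke_request is what rejects a removeDate on an entitlement or one that is already in the past before the API gets a chance to.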
revokeaccessaftertwohours.json (2.2 KB)