SailPoint IdentityNow - Revoke previous access for movers


IdentityNow integration series

Third time is the charm! :) This time I'm going to talk about a neat trick to enforce the least-privilege principle for movers. It can also be used for leavers, or in emergency situations where you want to strip all ad-hoc access from an identity. Keep in mind that this takes care of access granted by request or aggregation, not access granted by policy. Policy-based access, basically role assignments, has to be handled by making the identity stop matching whatever criteria you defined on the role. This is generally best managed by adding a lifecycle state criterion to the role and syncing that lifecycle change with whatever process triggers this integration.

Let's get to it.

Revoke previous access for movers

Description

This ETS integration creates an auto-revoke micro-certification after an identity change. Some customers or prospects, in order to implement a least-privilege strategy and avoid users keeping permissions when they change roles in the company, want movers to start their new cycle with a clean slate. This workflow helps remove any previously requested permissions from a mover and keeps track of that removal as well. It’s implemented using an identity attribute change trigger that creates a micro-certification with auto-revoke enabled, so we can immediately expire it and complete it in order to remove any permission it covers.

Prerequisites

Pipedream account and an IdentityNow tenant.

Limitations

Obviously, automatic role assignments are not revoked by the certification. If those need to go away too, you’d have to leverage some lifecycle state (LCS) change strategy, or a change to the identity attribute on which the automatic role assignment depends.

Configuration

1. Deploy this workflow on your Pipedream account (choose the default trigger type). Take note of the webhook URL to set up your ETS subscription.

2. Configure the workflow variables using your tenant information and a personal access token.

3. In IdentityNow, configure your new Identity Attributes Changed subscription with a filter similar to this:

$.changes[?(!["triggerSnapshots", "cloudLifecycleState"] contains @.attribute)]

This filter picks up changes to any identity attribute and filters out internal updates. If you want to target a limited list of attributes, you could try something like:

$.changes[?(!["triggerSnapshots", "cloudLifecycleState"] contains @.attribute && ["department", "jobTitle"] contains @.attribute)]

This is JSONPath. If you need some help determining your filter, ping me.
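The two filters above, as an added example that is not part of the original post or of SailPoint's product: a small Node.js check (Pipedream workflows run on Node.js) that models the filter semantics against constructed events, so you can see which attribute changes would and would not fire the subscription. It assumes the Identity Attributes Changed payload carries a changes[] array whose items have an attribute field, which is what the JSONPath `@.attribute` selects.

```javascript
// Added example, not from the original post or SailPoint: models the two ETS
// "Identity Attributes Changed" filters from the page so they can be checked
// against sample events before the subscription is created in IdentityNow.
// Assumption: the event has a `changes[]` array whose items carry an `attribute`
// field, which is what the page's JSONPath (`@.attribute`) selects.

// Internal attributes IdentityNow updates itself; a change to only these must not
// fire the revoke workflow, or the micro-certification would be created on noise.
const INTERNAL_ATTRIBUTES = ["triggerSnapshots", "cloudLifecycleState"];
// Attributes that signal a mover, used by the narrower filter on the page.
const MOVER_ATTRIBUTES = ["department", "jobTitle"];
// Changes that survive `!INTERNAL_ATTRIBUTES contains @.attribute` and, when
// `allowed` is given, also `allowed contains @.attribute`.
function matchingChanges(event, allowed = null) {
  const changes = Array.isArray(event.changes) ? event.changes : [];
  return changes.filter(
    (c) =>
      typeof c.attribute === "string" &&
      !INTERNAL_ATTRIBUTES.includes(c.attribute) &&
      (allowed === null || allowed.includes(c.attribute))
  );
}

// The subscription fires when at least one change survives the filter.
function subscriptionWouldFire(event, allowed = null) {
  return matchingChanges(event, allowed).length > 0;
}

// Constructed sample events (ids, names and values are made up).
const moverEvent = {
  identity: { id: "constructed-id-1", name: "jdoe", type: "IDENTITY" },
  changes: [
    { attribute: "department", oldValue: "Finance", newValue: "Engineering" },
    { attribute: "cloudLifecycleState", oldValue: "active", newValue: "active" },
  ],
};
const internalOnlyEvent = {
  identity: { id: "constructed-id-2", name: "asmith", type: "IDENTITY" },
  changes: [{ attribute: "triggerSnapshots", oldValue: null, newValue: {} }],
};
const phoneOnlyEvent = {
  identity: { id: "constructed-id-3", name: "bchen", type: "IDENTITY" },
  changes: [{ attribute: "phone", oldValue: "555-0100", newValue: "555-0199" }],
};

console.log(subscriptionWouldFire(moverEvent)); // true
console.log(subscriptionWouldFire(internalOnlyEvent)); // false
console.log(subscriptionWouldFire(phoneOnlyEvent)); // true with the broad filter
console.log(subscriptionWouldFire(phoneOnlyEvent, MOVER_ATTRIBUTES)); // false
```

Running it with the narrow filter shows why the broad filter is noisier: a phone change alone would create a revoke certification for an identity that has not moved.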

You should be good to go. Now trigger an identity change for any identity with ad-hoc permissions assigned and wait for the micro-certification to appear.

Demonstration
