When an account is revoked in the account review, “delete an account” operation in AFX fulfillment is triggered automatically.
However, we would like to trigger “disable an account” operation instead
How can we configure it?
In an account review you can also enable "disable", "enable", "lock" and "unlock" buttons, this provides you with the functionality to have the account disabled rather then deleted
You should have ticked the "allow account disabling" on the application / directory
First of all thank you for your reply
A other question is how can disable revoke operation in this case we can see only maintain and disable operations in account review
I don't think that is possible
How about detecting in the workflow if the request origin is from a review and if it's Revoke account action, then do something but not Delete?
Not sure how to realize your suggestion. Consider below example. We have one Change Item "Delete Account X."
We can put a decision node and detect if the request contains "Delete Account" items but what next?
- How can we send "Disable Account X" to AFX fulfillment on the fly?
- Will the request not have any problem on passing "pending for verification" state since the "delete account" operation in the request will never been completed?
Yes, if not properly handled it might cause an issue with the verification phase.
I think the best approach here is to perform a regular training sessions for the reviewers and explain them what they are expected to do and which options in the review to click on. Also, you should add instructions in the review explaining that the revoke button should not be used.
But if the revoke option was still chosen, then consider cancelling this change item and use a provisioning node to disable the account or use the webservices to create a new change request to disable the account.
Is there any thing we can do to make it properly handled? Or is it something handled by VIA itself?
I think this should be considered for an RFE. We have the same issue and the tool should be customizable to hide the revoke button versus having to train tens of thousands of managers where some will inevitably click the wrong button.
Philip, you can raise a RFE in RSA Ideas for RSA Identity Governance & Lifecycle
You have my vote
Allow Revoke to be an optional Review State for Account Access and Ownership Reviews Please vote on this RFE idea.
Retrieving data ...