AnsweredAssumed Answered

IGL 7.x - any control over removal of accounts and entitlements

Question asked by Andy Cheek on Sep 13, 2019
Latest reply on Sep 24, 2019 by Andy Cheek

Like • Show 0 Likes0
Comment • 2

Slightly vague question title (apologies) but essentially the scenario is as follows:

User has an account A for application X, with multiple associated entitlements (E1, E2, E3, etc.)
The user's Access page will list the account AND the entitlements, all with Remove buttons next to them
Line Manager comes in and selects to remove the account (A) and SOME of the associated entitlements (E2 & E3)
This leaves E1 (at least) as NOT removed

This doesn't make sense - if you want to remove the account then surely ALL the entitlements should be removed as well; if you want to remove only SOME of the entitlements then you wouldn't want the account to be removed.

I don't believe IGL makes any attempt to detect, prevent or even warn the end user about this apparent inconsistency, so how do people get round it?

What options/approaches has anyone adopted to try and make sense of this kind of scenario?

No one else has this question

Outcomes

Mostafa Helmy

Sep 13, 2019 8:11 AM

The out-of-the-box User access tab changes are quite simple and there isn't really any way to restrict what you can or cannot do.

Usually I've seem most people disable the ability to request access changes directly from the User's access tab (Requests > Configuration > Settings > "Allow access changes on a user's detail Access tab”), then create specific Request forms to allow only the actions that you want.

Actions

Andy Cheek @ Mostafa Helmy on Sep 24, 2019 8:45 AM

Thanks Mostafa Helmy.

Still not convinced. Changing that setting has no impact on the Change Access option, which is essentially the same, i.e. select a user, have all that user's access displayed and add/remove to ones heart's content.

I'm also struggling to see how we could create a request form that behaved in a similar fashion but without the option to remove accounts explicitly. Don't want a form that allows selection from everything (in case you want to add) and only highlights (or doesn't display) any right the user already has - it makes sense to work from the current and apply changes.

Currently we simply cancel any create/delete account changes, as the accounts themselves are either collected from AD (where associated groups are collected as application rights) and we cannot delete the AD account as part of access request OR the existence of an application account is determined from the existence (or not) of user entitlements with that account name, i.e. from our application feeds. We're looking to extend our AFX automation to support direct provisioning into some of those applications, where we WOULD need to retain the create/delete account changes otherwise the AFX fulfilment may not work (e.g. add brand new entitlements will require an account so we need to create one). We would be happy to have system-generated create/delete changes (i.e. new entitlements and no existing account or removing all entitlements so remove account as well) - what I want to be able to prevent is explicit Remove actions submitted against application accounts.

Maybe we have to get clever with our own filtering/cancelling logic.

Actions

2 Replies

Mostafa Helmy Sep 13, 2019 8:11 AM
Mark Correct
Correct Answer
The out-of-the-box User access tab changes are quite simple and there isn't really any way to restrict what you can or cannot do.

Usually I've seem most people disable the ability to request access changes directly from the User's access tab (Requests > Configuration > Settings > "Allow access changes on a user's detail Access tab”), then create specific Request forms to allow only the actions that you want.
Like • Show 0 Likes0
Actions
- Andy Cheek @ Mostafa Helmy on Sep 24, 2019 8:45 AM
  Mark Correct
  Correct Answer
  Thanks Mostafa Helmy.
  
  Still not convinced. Changing that setting has no impact on the Change Access option, which is essentially the same, i.e. select a user, have all that user's access displayed and add/remove to ones heart's content.
  
  I'm also struggling to see how we could create a request form that behaved in a similar fashion but without the option to remove accounts explicitly. Don't want a form that allows selection from everything (in case you want to add) and only highlights (or doesn't display) any right the user already has - it makes sense to work from the current and apply changes.
  
  Currently we simply cancel any create/delete account changes, as the accounts themselves are either collected from AD (where associated groups are collected as application rights) and we cannot delete the AD account as part of access request OR the existence of an application account is determined from the existence (or not) of user entitlements with that account name, i.e. from our application feeds. We're looking to extend our AFX automation to support direct provisioning into some of those applications, where we WOULD need to retain the create/delete account changes otherwise the AFX fulfilment may not work (e.g. add brand new entitlements will require an account so we need to create one). We would be happy to have system-generated create/delete changes (i.e. new entitlements and no existing account or removing all entitlements so remove account as well) - what I want to be able to prevent is explicit Remove actions submitted against application accounts.
  
  Maybe we have to get clever with our own filtering/cancelling logic.
  Like • Show 0 Likes0
  Actions

IGL 7.x - any control over removal of accounts and entitlements

Outcomes

Related Content

Recommended Content