Removing Access
Access can be deprovisioned automatically after the duration specified when creating the request, or it can be terminated early by the Owner, Requestor, Approver, or Administrator.
Access Risk Management runs an additional validation check after the ERP system provides a successful deprovisioning response to ensure that all access has been successfully removed. If access is not successfully deprovisioned, you can resolve errors and restart the deprovisioning.
Terminating Access Early
If a Requestor has finished their work early, or an Owner, Approver or Administrator want to revoke access before the scheduled end date of the request, they can manually terminate the elevated access early.
Users can go to the Active tab of the EAM Dashboard, expand the Actions menu next to the request, and select Terminate Access.
This will immediately revoke the Requestors' access to the elevated entitlements and Access Risk Management will begin collecting usage data. The data collection progress is displayed on the Data Collection tab of the EAM Dashboard.
Resolving Deprovisioning Errors
An Approver, Owner, or Administrator can restart the deprovisioning process by expanding the Actions menu and selecting Restart Deprovisioning. If deprovisioning continues to fail, contact your ERP system security administrators to identify and resolve the cause of the deprovisioning error.
When an automated deprovisioning attempt fails, the request is flagged as faulted and EAM profile Attestors are notified by email to certify that access was successfully deprovisioned.
Attesting Removed Access
If a review must be completed before the cause of the deprovisioning error is resolved, Attestors serve as an emergency backup to provide a manual confirmation that the Requestor used the access appropriately.
They can also attest that no access was used if a utilization extract is blank.
When a deprovisioning error occurs, Attestors will:
-
Go to the Active tab of the EAM Dashboard.
-
Select the Actions menu next to the request.
-
Select Attest Deprovisioning
-
Submit a comment with an attachment to use as audit evidence that deprovisioning occurred. This step is mandatory to ensure an accurate request duration is recorded.
Documentation Feedback
Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.