Revocations
Revocation is when an identity's entitlements are altered in the source application, to remove any entitlements that were marked by the access reviewer as needing to be revoked. Depending on the provisioning features in use, remediations may be processed manually or automatically. If automatic provisioning is enabled in your system for the relevant application, revocation of access can happen without any further action from the reviewer, as a consequence of an access review decision. If the relevant application does not have automated provisioning enabled, then remediation of that application's entitlements is managed by the creation of manual work items for the Application Revoker or Application Owner, requesting that they change the identity's access or permissions manually. IdentityIQ alerts the Application Revoker or Application Owner about the manual work item via an email message.
A Revocation phase can be enabled for the certification as part of the certification setup. Note that remediation of access occurs as a result of revocations in an access review whether or not a Revocation period is enabled. The difference is that when a Revocation period is enabled, IdentityIQ monitors the status of remediation requests; when it is not enabled, remediation requests are submitted for processing but are not tracked.
The revocation phase exists so that the work of revoking access can be done, according to the access revisions that have been made. This means that once a revocation has been processed, an access reviewer cannot change their decision for that item.
Configuration settings in the certification setup determine when the revocation is processed.
- Immediate Revocation: If the Process Revokes Immediately option is selected, then revocation is considered to be processed as soon as a reviewer makes and saves a Revoke decision, and the decision cannot be changed. Note that this does not affect Approve decisions; those can be changed even after saving, but if an Approve decision is changed to Revoke and saved, it can no longer be changed.
- Revocation during a revocation phase: The revocation phase is entered when a certification is signed off, or when the active and challenge phases have ended. Until the certification enters this phase, reviewers can make changes to their approve and revoke decisions (unless the Process Revokes Immediately option described above was selected for the certification). Once the certification is in this phase, reviewers can no longer change their decisions.