DominikP
5 Posts

Pinned topic Time role [ISIM 7]

‏2018-04-16T11:42:10Z | period role time

I have a customer question about the ability to give a user a role for a specific period of time. Generally, the requirement is to automatically pick up the role and access after some specific time. A user could have several such roles. I'm looking for available options.

Right now it is not specified how to obtain the time period. I'm thinking about obtaining this information during the request for access. Next, in the approval workflow for the role or account (it is possible to request a role without an account), set some date/time attribute with a value based on the time period information and the approval date. After that, periodically run a life cycle rule only for users with those specific roles, comparing the date/time attribute with the current date, and finally suspending the account and picking up the role.

The first problem is with the time period: it's possible that the customer would like to have the option to grant a role only for a couple of hours. The period for the LCR would be quite short.

The second is that I'm a newbie and don't know where to start and in which object to set the timestamp: person or account. Because it is possible to have multiple time roles, would it be better to set this parameter in the account related to the role?

Any suggestions on how to best fulfill the customer requirements? Is it possible to obtain this without an LCR?

  • yn2000
    1133 Posts
    ACCEPTED ANSWER

    Re: Time role [ISIM 7]

    ‏2018-04-18T18:01:09Z  

    How about...

    Process #1: someone creates a ticket request mentioning 'when it starts and when it finishes' (outside of ISIM)

    Process #2: the administrator/approver goes to the ISIM console and grants (and revokes) the role using the future schedule feature. Meaning that, based on the ticket data, the administrator/approver creates two requests in the ISIM Console, one to grant (add) the role and one to revoke (delete) the role at a scheduled time, where all features are available in the ISIM console by default.

    Rgds. YN.

     

  • yn2000
    1133 Posts
    ACCEPTED ANSWER

    Re: Time role [ISIM 7]

    ‏2018-04-18T21:14:07Z  
    • DominikP
    • ‏2018-04-18T18:26:30Z

    Thanks for your suggestion. It is an idea, but unfortunately it is not automatic. The client wants this feature, but it needs to work automatically or on some schedule.

    In this case it would be nice to customize the form to add an expiration time/date attribute, but as far as I know that is only possible for account requests.

    OK, here is my argument...
    In your first post, you mentioned that an approval process is required, which assumes that someone needs to (task#1) approve the role and the effective date, then (task#2) approve the expire date. I am proposing the same number of tasks, isn't it?
    OK, maybe not a good argument, but AFAIK, you need an LCR to have some sort of automatic revocation of the role, and then, you are planning to run the LCR every hour to allow granting a role only for a couple of hours?
    Comments: Depending on how the LCR was designed, the LCR may accumulate old data that you do not want to process. For example: Jane Doe's role was revoked yesterday. Then, every hour the LCR will check (LDAP read) Jane Doe's account again and again to find out whether the expire date is 'still' within the filter.
    Devil's advocate: I would still use an LCR, but I would design it to run on a daily basis.

    Rgds. YN.
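
The trade-off discussed in the post above (how often the life cycle rule runs versus how many already-revoked entries it keeps re-reading), as an added example that is not part of the original thread and not ISIM code. It is a stand-alone JavaScript simulation; the `roleExpiry` attribute name and the sample grants are assumptions made for illustration.

```javascript
// Added illustration, not ISIM code. "roleExpiry" is a hypothetical attribute
// name; the grants below are constructed sample data.
const HOUR = 3600 * 1000;

// LDAP generalized time in UTC ("YYYYMMDDhhmm[ss]Z") -> epoch milliseconds.
function parseGeneralizedTime(s) {
  const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$/.exec(s);
  if (!m) throw new Error("unsupported timestamp: " + s);
  return Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +(m[6] || 0));
}

// One rule run. The filter matches every entry whose expiry marker is set and
// in the past; each match costs one directory read, revoked or not.
function sweep(grants, nowMs, clearMarker) {
  let reads = 0, worstOverrunMs = 0;
  for (const g of grants) {
    if (g.roleExpiry === null) continue;            // no marker: not matched
    const expiry = parseGeneralizedTime(g.roleExpiry);
    if (expiry > nowMs) continue;                   // not yet due: not matched
    reads++;
    if (g.active) {                                 // revoke only once
      g.active = false;
      worstOverrunMs = Math.max(worstOverrunMs, nowMs - expiry);
    }
    if (clearMarker) g.roleExpiry = null;           // drop out of later runs
  }
  return { reads, worstOverrunMs };
}

// Run the rule every intervalMs from startMs to endMs (inclusive) on a copy.
function simulate(grants, startMs, endMs, intervalMs, clearMarker) {
  const work = grants.map((g) => ({ ...g }));
  let reads = 0, worstOverrunMin = 0;
  for (let t = startMs; t <= endMs; t += intervalMs) {
    const r = sweep(work, t, clearMarker);
    reads += r.reads;
    worstOverrunMin = Math.max(worstOverrunMin, r.worstOverrunMs / 60000);
  }
  return { reads, worstOverrunMin };
}

const SAMPLE = [
  { uid: "jdoe", role: "db-admin", roleExpiry: "20180417100000Z", active: false },
  { uid: "asmith", role: "fw-change", roleExpiry: "201804181430Z", active: true },
];
const START = Date.UTC(2018, 3, 18), END = START + 24 * HOUR;
for (const [label, step] of [["hourly", HOUR], ["daily", 24 * HOUR]])
  for (const clear of [false, true])
    console.log(label, "clearMarker=" + clear, simulate(SAMPLE, START, END, step, clear));
```

On this sample, the hourly run revokes the short grant 30 minutes after expiry but performs 35 reads unless the marker is cleared on revocation (then 2); the daily run needs at most 3 reads but leaves the grant active 570 minutes past its expiry.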

  • DominikP
    5 Posts

    Re: Time role [ISIM 7]

    ‏2018-04-18T18:26:30Z  

    Thanks for your suggestion. It is an idea, but unfortunately it is not automatic. The client wants this feature, but it needs to work automatically or on some schedule.

    In this case it would be nice to customize the form to add an expiration time/date attribute, but as far as I know that is only possible for account requests.

  • DominikP
    5 Posts

    Re: Time role [ISIM 7]

    ‏2018-04-25T12:20:21Z  
    • yn2000
    • ‏2018-04-18T21:14:07Z

    OK, here is my argument...
    In your first post, you mentioned that an approval process is required, which assumes that someone needs to (task#1) approve the role and the effective date, then (task#2) approve the expire date. I am proposing the same number of tasks, isn't it?
    OK, maybe not a good argument, but AFAIK, you need an LCR to have some sort of automatic revocation of the role, and then, you are planning to run the LCR every hour to allow granting a role only for a couple of hours?
    Comments: Depending on how the LCR was designed, the LCR may accumulate old data that you do not want to process. For example: Jane Doe's role was revoked yesterday. Then, every hour the LCR will check (LDAP read) Jane Doe's account again and again to find out whether the expire date is 'still' within the filter.
    Devil's advocate: I would still use an LCR, but I would design it to run on a daily basis.

    Rgds. YN.

    Ok, looking at it this way is not a bad argument and the solution is acceptable. Thanks again for the explanation!

    Maybe I do not understand it yet, but I miss an ability in ISIM to request roles through the acceptance process using my own data collection form ... by default.