Data policy to act when an assigned permission is coming to an end,

Hi,

We would like to have a data policy that notifies the enduser that their assigned permission are soon to be ended (7 days prior to enddate).

I started with a policy as below and although I now for sure that I have assigned permissions with an enddate it doesn't show up while pressing "estimate impact". 

Any help would be appreciated!

Best regards

Andreas

  • 0  

    Does your AD collector pull in the enddate value from AD and store it in the Assignment End Time attribute?    I don't think I've seen AD store that before, so how are you getting that value?   Does this value show in your catalog after collection?  Can you see it with an insight query?

    --Jim

  • 0 in reply to   

    I thought that there would be a way to accomplish this by asking IGA directly and not by storing the information in the AD?

    Regards

    Andreas

  • 0   in reply to 

    Ahhh, I don't think you can only store that data in IG.   The data policies all work by evaluating the collection or the publish of data to the catalog, and are entirely tied to data pulled in.   

    Separately during a request of new access you can set a sunset time, or an end time for when access will be removed, but this is setting up a future fulfillment item to remove that access at a date.  THAT future fulfillment is stored in IG if you are using that feature, but I don't think there is a way to review or act upon it in a data policy.  The fulfillment is separate from the catalog where it knows the user has been assigned the perm.  In the perm assignment I think there is an out-of-box attribute for sunsetting, or end dating the perm, however I haven't seen an instance outside of HR systems where its pulled in.

    I really like this idea though, and I'll suggest that you add it to the idea exchange.  The developers review that frequently and add suggestions into the product periodically.    You *might* be able to do something with insight queries and metrics to at least have visibility, but I don't think you'll be able to use data policies to react at this time.

    --Jim

  • 0   in reply to   

    Apart from this working in policies or not, shouldn't the logic be:

    assignment_end_time < current_time + 7 days && assignment_end_time > current_time

    ?