Automating Access Revocation

Understanding the Need for Automated Access Revocation

When provisioning application access or entitlements to users, administrators typically specify an "account access revoke date" — the date when access should be terminated. However, without automation, expired accounts and entitlements often remain active because:

  • Manual revocation processes are time-consuming.
  • IT teams lack visibility into expiration dates across systems.
  • The volume of expirations makes timely revocation difficult.

IDHub's automation feature addresses these challenges by systematically identifying and revoking expired access without human intervention.

Use Case

Imagine this scenario: Your organization has just failed a security audit because dozens of contractor accounts remained active months after their projects ended. Your security team is overwhelmed with manually tracking and revoking expired access rights across multiple systems. This not only creates security vulnerabilities but also puts you at risk of compliance violations.

Another scenario: Acme Corp contracts seasonal workers who require limited-time access to internal systems. Each contractor’s account is provisioned with an Account Access Revoke Date matching the end of their assignment. Manually tracking and revoking their access at the end of the contract can be time-consuming and prone to errors.

This is where IDHub's "Revoke Account/Entitlement on Time Expiry" automation comes to the rescue. This powerful out-of-the-box automation feature automatically revokes accounts and entitlements when they reach their predefined expiration date, eliminating manual intervention and ensuring timely access removal. Managing the expiry of accounts and entitlements is vital for maintaining the principle of least privilege, where users have only the access necessary and only for as long as needed. This is particularly important for temporary workers, contractors, or employees changing roles within the organization.

How the Automation Works

The "Revoke Account/Entitlement on Time Expiry" automation:

  1. Runs on a schedule you define (default: daily at 12:00 AM GMT).
  2. Identifies all accounts and entitlements that have passed their "access revoke date".
  3. Automatically triggers the revocation process for these expired items.
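
As an added illustration of the three steps above (this is example code written for this page, not IDHub's implementation or API), the following Python models one scheduled sweep: it builds the run instant at midnight in the schedule's timezone, selects every account or entitlement whose access revoke date has passed as of that run, revokes each one through a caller-supplied connector function, and records failures so the rule owner can be alerted under the "notify on error" or "notify on run" modes. The Grant model, the sample grants and the fake_revoke connector are constructed for the example; the rule that access remains valid through the whole revoke date and is removed at the first run on a later day is the example's own assumption, not a statement about IDHub's behaviour.

```python
import copy
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone, tzinfo
from typing import Callable, Dict, List, Optional


@dataclass
class Grant:
    """One account or entitlement assignment (constructed model, not IDHub's schema)."""
    grant_id: str
    user: str
    kind: str                     # "account" or "entitlement"
    revoke_date: Optional[date]   # the Account Access Revoke Date; None means no expiry
    revoked: bool = False


@dataclass
class SweepResult:
    """Outcome of one run, used to decide whether the rule owner is notified."""
    revoked: List[str] = field(default_factory=list)
    failed: Dict[str, str] = field(default_factory=dict)   # grant_id -> error message

    def should_notify(self, mode: str) -> bool:
        """Notification modes as on the Basic Details screen: on_run, on_error, never."""
        if mode == "on_run":
            return True
        if mode == "on_error":
            return bool(self.failed)
        return False


def scheduled_run_time(run_day: date, tz: tzinfo = timezone.utc) -> datetime:
    """Midnight on run_day in the schedule's timezone (page default: 12:00 AM GMT)."""
    return datetime.combine(run_day, time(0, 0), tzinfo=tz)


def is_expired(grant: Grant, run_at: datetime) -> bool:
    """True once the revoke date has passed, judged by the calendar date of the run.

    Example assumption: access is valid through the whole revoke date and removed at
    the first run on a later day (revoke date 2024-06-30 expires at the 2024-07-01
    00:00 run). Already-revoked grants and grants with no expiry are never selected,
    which keeps repeated runs idempotent.
    """
    if grant.revoke_date is None or grant.revoked:
        return False
    return grant.revoke_date < run_at.date()


def expired_ids(grants: List[Grant], run_at: datetime) -> List[str]:
    """Step 2 of the automation: identify everything past its access revoke date."""
    return [g.grant_id for g in grants if is_expired(g, run_at)]


def run_revocation_sweep(grants: List[Grant], run_at: datetime,
                         revoke: Callable[[Grant], None]) -> SweepResult:
    """Step 3 of the automation: revoke each expired grant via the connector callback.

    One failing target system must not abort the sweep; the failure is recorded so
    the owner can be alerted, and the grant is retried on the next scheduled run.
    """
    result = SweepResult()
    for grant in grants:
        if not is_expired(grant, run_at):
            continue
        try:
            revoke(grant)
            grant.revoked = True
            result.revoked.append(grant.grant_id)
        except Exception as exc:          # e.g. connector or network error
            result.failed[grant.grant_id] = str(exc)
    return result


# Constructed sample data. As of the 2024-07-01 run: g1 and g5 are past their dates,
# g2 expires today (still valid), g3 has no expiry, g4 was revoked on an earlier run.
SAMPLE_GRANTS = [
    Grant("g1", "contractor.a", "account", date(2024, 6, 30)),
    Grant("g2", "contractor.b", "entitlement", date(2024, 7, 1)),
    Grant("g3", "employee.c", "account", None),
    Grant("g4", "contractor.d", "account", date(2024, 5, 15), revoked=True),
    Grant("g5", "contractor.e", "entitlement", date(2024, 6, 29)),
]


def fake_revoke(grant: Grant) -> None:
    """Stand-in for the real connector; simulates a target-system outage for g5."""
    if grant.grant_id == "g5":
        raise RuntimeError("target system unreachable")


def demo() -> SweepResult:
    """One sweep over a fresh copy of the sample data at 00:00 GMT on 2024-07-01."""
    grants = copy.deepcopy(SAMPLE_GRANTS)
    return run_revocation_sweep(grants, scheduled_run_time(date(2024, 7, 1)), fake_revoke)


def expired_on(run_day_iso: str, view_offset_hours: int = 0) -> List[str]:
    """Expired sample grants at the 00:00 GMT run on run_day_iso, with that instant
    viewed from a fixed-offset zone (constructed; use zoneinfo.ZoneInfo in practice)."""
    run_at = scheduled_run_time(date.fromisoformat(run_day_iso))
    if view_offset_hours:
        run_at = run_at.astimezone(timezone(timedelta(hours=view_offset_hours)))
    return expired_ids(SAMPLE_GRANTS, run_at)


if __name__ == "__main__":
    result = demo()
    print("revoked:", result.revoked, "failed:", result.failed)
    print("notify owner (on_error):", result.should_notify("on_error"))
    # 00:00 GMT on 2024-07-01 is still 2024-06-30 in a zone 7 hours behind GMT, so
    # g1 is not yet selected there; the schedule timezone decides the expiry day.
    print("seen from UTC-7:", expired_on("2024-07-01", -7))
```

The timezone check at the end is the point worth remembering when you set the schedule in Step 3: the same run instant falls on a different calendar day in a zone behind GMT, so the timezone you pick determines on which day a given revoke date counts as passed. Running the sweep a second time against already-revoked grants selects nothing, and a grant whose revocation failed stays selectable until a later run succeeds.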

Enable and Configure Automation

The automation comes pre-configured but is disabled by default. It must be enabled before it can be customized; follow these steps to enable it and begin configuring it:

  1. Log in to IDHub Tenant: Use an administrator account.
  2. Navigate to the IDHub Admin App.
  3. Select Automations from the navigation menu.
  4. Scroll to the Revoke Account/Entitlement on Time Expiry entry in the Automation Library. By default, this rule is Disabled.
  5. Click the three-dots menu, then click Enable.

    Why? Enabling activates this out‑of‑the‑box automation so it can execute according to your custom schedule and settings.

  6. Click the Edit (✎) icon to configure the automation.

Configuration Steps

Step 1: Customizing Basic Details

The Basic Details screen lets you document and manage the automation's fundamental settings:

  1. Rule Name (read‑only): Pre‑configured as Revoke Account/Entitlement on Time Expiry and cannot be changed.
  2. Tags: Add searchable keywords (e.g., compliance, expiry) to quickly locate the rule in large environments.
  3. Description: Provide a clear summary, such as:

    “Automatically revokes any user account or entitlement whose access revoke date has passed.”

    Tip: Detailed descriptions and proper tagging for the automation improve governance and auditing.

  4. Rule Owner: Assign an administrator who receives notifications about success or failure.
  5. Notification:
    • Notify on error: Owner is alerted only if the automation fails.
    • Notify on run: Owner is alerted every time the automation executes.
    • Do not notify: No notifications sent.
  6. Click Next to proceed.

Step 2: Confirm the Trigger

On the "Choose a Trigger" screen:

  • The Schedule trigger is pre-selected (this automation runs based on time).
  • Click Next to proceed to schedule configuration.

Step 3: Set the Schedule

On the Schedule configuration screen:

  • Default setting: Daily at 12:00 AM GMT, with no end date.
  • You can modify:
    • Frequency: Daily (default), Hourly, or Monthly; pick based on how often you expect expirations.
    • Repeat: Enter how many times the automation should run, relative to the frequency you selected.
    • Time:
      • Select TimeZone: Select the timezone from the drop-down.
      • Select Time: Enter the time at which the automation should run.
    • Duration: Add an end date or keep it running indefinitely.

Why schedule? Regular runs ensure that any accounts or entitlements whose revoke date has just passed get cleaned up promptly.

Step 4: Configure Data and Conditions (Optional)

The next screens allow you to:

  • Add data to payload: Skip this unless you need to add custom data.
  • Add predicate: Skip this unless you need specific conditional logic.

These screens can typically be skipped for this particular automation.

Step 5: Confirm the Operation

On the "Choose an Operation" screen:

  • Revoke expired accounts is pre-selected.
  • This is the service request that will execute according to your schedule to revoke any account or entitlement past its revoke date.

Note: The pre‑configured "Choose an Operation" screen requires no additional field mapping; it automatically leverages each object’s Account Access Revoke Date.

Step 6: Select Beneficiary and Save

On the final screen:

  • Choose who will be listed as the beneficiary of this automated request.
  • Click the Save button to finalize your configuration.

Ending Notes

Implementing the "Revoke Account/Entitlement on Time Expiry" automation delivers multiple advantages:

  • Enhanced security: Eliminates potential security gaps from lingering access.
  • Automated compliance: Guarantees that expired access is revoked immediately after the designated date.
  • Operational efficiency: Frees IT staff from repetitive manual revocation tasks.
  • Risk reduction: Minimizes the window between expiration and actual revocation.