ConductorOne Docs

Configure entitlement revocation settings

Use the access changes settings on an entitlement's details page to configure how requests to revoke the entitlement will be reviewed.

How revocation happens in ConductorOne

An account’s access to an entitlement can be revoked in three ways:

  1. When a user with the Super Admin role, the account owner’s manager, the application owner, or the entitlement owner clicks Revoke on either the resource’s Grants tab or the entitlement’s Grants tab to create a revocation task. This type of revocation can happen at any time and isn’t tied to an access review campaign.

  2. When the account’s access to the entitlement is reviewed and denied during an access review campaign, the revocation task is automatically created if the review policy used includes a revocation followup step.

  3. When the account’s access to the entitlement is reviewed and denied during an access review campaign, but the review policy used does not include a revocation followup step, the Campaign Owner can manually create a revocation task.

In all three of these cases, creating a revocation task kicks off the revocation workflow defined by the revocation policy set on the entitlement or, failing that, on the application. The workflow first assigns a revocation approval task to the appropriate reviewer (only if the policy requires one) and then creates a deprovisioning task, which is either automatic or manual. A manual deprovisioning task is assigned to the application owner, and access is not removed until that task is completed.

Set a revocation policy for the entitlement

ConductorOne applies revocation policies using this order of precedence:

  1. The entitlement’s configuration
  2. The application’s configuration

In other words, if a revocation policy is set on the entitlement, it overrules the policy set on the application.

By default, an entitlement inherits the revocation policy set on its application. If that policy is appropriate for the entitlement, you do not need to set an entitlement-level revocation policy. If you want to be sure this entitlement always uses a specific revocation policy, set it on the entitlement.

To learn more about creating custom revocation policies, go to Create policies.

To set a revocation policy for the entitlement:

  1. In the navigation panel, open Apps and click Applications.

  2. Select an application and click Entitlements.

  3. Select an entitlement. On the Details tab, in the Access changes area of the page, click Edit.

  4. Use the Revocation policy dropdown to locate and select the policy that this entitlement should use.

  5. Click Save.

The entitlement’s revocation policy is set. This policy is used whenever access to this entitlement is flagged for revocation, whether during an access review campaign or when someone with the required role or relationship revokes the access directly on the Grants tab.

Entitlement bindings and revocation

Entitlements can be bound to each other. There are two types of bindings: Incoming (this entitlement is granted by another entitlement) and Outgoing (this entitlement grants another entitlement).

To view any bindings in effect, click the Bindings tab on the entitlement’s details page.

Revoke an account’s access to an entitlement

You can directly revoke an account’s access to the entitlement from the entitlement’s Grants tab.

A user with the Super Admin role in ConductorOne, the application owner, the entitlement owner, or the direct manager of the account owner can perform this task. Anyone who does not have the Super Admin role or one of these relationships with the account will see an error if they attempt to revoke access this way.

  1. In the navigation panel, open Apps and click Applications.

  2. Navigate to an entitlement:

    • Click the application’s name
    • Click the Entitlements tab
    • Locate the entitlement and click its name

  3. Click Grants to view the accounts that currently have access to this entitlement.

  4. To remove the account’s access to the entitlement, click Revoke. A Revoke access modal opens.

  5. Enter your reason for revoking the access and click Revoke.

    Will the access be removed immediately? Maybe. Depending on the revocation policy governing the entitlement, the revocation might require review and approval before the entitlement is removed from the account.

The revocation task is created. Once any review and approval steps required by the revocation policy have been completed, the access is removed from the account using the deprovisioning strategy that applies to the entitlement: either automatically, or through a manual deprovisioning task assigned to the application owner.
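As an added example (not ConductorOne’s code or its API), the following Python models the behaviour this page describes: who may click Revoke on the Grants tab, which revocation policy applies (entitlement over application), and which tasks the workflow creates (an approval task only if the policy requires one, then automatic or manual deprovisioning). The policy fields (requires_approval, approver, manual_deprovisioning), the Super Admin set, and all names are assumptions constructed for the illustration.

```python
"""Model of the revocation flow described on this page.

Constructed example, not ConductorOne code or its API. Policy field names
and all sample data are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RevocationPolicy:
    name: str
    requires_approval: bool       # assumed field: adds a revocation approval task first
    approver: Optional[str]       # assumed field: reviewer of that approval task
    manual_deprovisioning: bool   # assumed field: True -> task is assigned to the app owner


@dataclass(frozen=True)
class Application:
    name: str
    owner: str
    revocation_policy: RevocationPolicy


@dataclass(frozen=True)
class Entitlement:
    name: str
    app: Application
    owner: str
    revocation_policy: Optional[RevocationPolicy] = None  # None -> inherit from the app


@dataclass(frozen=True)
class Account:
    user: str
    manager: str  # direct manager of the account owner


@dataclass(frozen=True)
class Task:
    kind: str      # "revocation_approval" or "deprovisioning"
    assignee: str  # reviewer, app owner, or "automatic"


class RevocationError(Exception):
    """Raised when the actor lacks the role or relationship needed to revoke."""


SUPER_ADMINS = {"sec-admin"}  # constructed sample data


def effective_policy(ent: Entitlement) -> RevocationPolicy:
    """Order of precedence: the entitlement's own policy, then the application's."""
    return ent.revocation_policy or ent.app.revocation_policy


def can_revoke(actor: str, ent: Entitlement, account: Account) -> bool:
    """Only a Super Admin, the app owner, the entitlement owner, or the
    account owner's direct manager may revoke from the Grants tab."""
    return (
        actor in SUPER_ADMINS
        or actor == ent.app.owner
        or actor == ent.owner
        or actor == account.manager
    )


def revoke(actor: str, ent: Entitlement, account: Account, reason: str) -> List[Task]:
    """Create the revocation task and return the workflow's tasks, in order."""
    if not can_revoke(actor, ent, account):
        # The UI shows an error to anyone without the required role or relationship.
        raise RevocationError(f"{actor} may not revoke {ent.name} from {account.user}")
    if not reason.strip():
        raise RevocationError("a reason for the revocation is required")

    policy = effective_policy(ent)
    tasks: List[Task] = []
    if policy.requires_approval:
        # Access is not removed until this approval task is completed.
        tasks.append(Task("revocation_approval", policy.approver or "unassigned"))
    # Deprovisioning is automatic, or a manual task assigned to the app owner.
    tasks.append(Task("deprovisioning",
                      ent.app.owner if policy.manual_deprovisioning else "automatic"))
    return tasks


# Constructed sample data: an app whose default policy deprovisions automatically
# without review, and one entitlement that overrides it with a stricter policy.
APP_POLICY = RevocationPolicy("app-default", requires_approval=False,
                              approver=None, manual_deprovisioning=False)
STRICT_POLICY = RevocationPolicy("entitlement-strict", requires_approval=True,
                                 approver="it-security", manual_deprovisioning=True)
CRM = Application("crm", owner="app.owner", revocation_policy=APP_POLICY)
ADMIN_ROLE = Entitlement("crm-admin", CRM, owner="ent.owner", revocation_policy=STRICT_POLICY)
VIEWER_ROLE = Entitlement("crm-viewer", CRM, owner="ent.owner")  # inherits APP_POLICY
ACCOUNT = Account(user="alice", manager="dana.manager")

if __name__ == "__main__":
    for ent in (ADMIN_ROLE, VIEWER_ROLE):
        steps = revoke("dana.manager", ent, ACCOUNT, "left the team")
        print(ent.name, "->", effective_policy(ent).name,
              [f"{t.kind}:{t.assignee}" for t in steps])
    try:
        revoke("random.user", ADMIN_ROLE, ACCOUNT, "no relationship to alice")
    except RevocationError as err:
        print("error:", err)
```

Running the block shows the two outcomes the page describes: crm-admin, which carries its own policy, gets an approval task for it-security followed by a manual deprovisioning task for app.owner, while crm-viewer falls through to the application's policy and is deprovisioned automatically with no review. The unauthorized caller is rejected before any task is created.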