
Automate onboarding & offboarding access changes

Automatically create access profile enrollment or unenrollment requests for users who match (or no longer match) an enrollment rule. Ideal for onboarding, offboarding, and other cases when users are joining or leaving a team, role, or organization.

Who can use this feature? Available on ConductorOne plans that include Advanced access controls.

How do enrollment and unenrollment work?

An access profile is a resource in the ConductorOne app. When a user matches the membership condition on the access profile, a request task for the access profile’s enrollment entitlement is automatically created. When this request is approved, the user is enrolled in the access profile and automatically requests all of its access, without the user, their manager, or the IT team needing to create a single access request manually.

When the user no longer matches the membership condition on the access profile, a revocation task for the enrollment entitlement is automatically created. When this revocation is confirmed, the user is unenrolled from the access profile. You can configure the access profile to determine what happens to the user’s access in this case (more on this below).

Are enrolled users immediately granted the full access profile?

It depends. When a user is assigned the enrollment entitlement for the access profile, a request task is created. Based on the request policy set on the access profile, the request for enrollment might be auto-approved, or it might need one or more human reviewers to sign off.

Once the user’s request for access to the enrollment entitlement is granted, ConductorOne will automatically create access request tasks for each item in the access profile. Based on the request policies on each individual entitlement, this access might be automatically approved, or it might require human intervention to approve and provision.

If an access profile contains only low-risk access, you can set the policies on the access profile itself and the entitlements within it to automatically approve these requests, essentially granting users who are enrolled in the access profile all of its access immediately.

What happens to access when a user is unenrolled?

Here too, it depends. When setting up the access profile, you have the option to determine whether some or all of the access included in the access profile is automatically revoked on unenrollment.

When a user is unenrolled from the access profile, a revocation task for the enrollment entitlement is created. Based on the revoke policy set on the access profile, the revocation might be auto-approved, or it might need one or more human reviewers to sign off.

Once revocation has been confirmed, ConductorOne will follow the rules set up in the access profile to determine what to do with the user’s access. The options here are:

  • Do nothing, and leave the access granted by the access profile as-is

  • Create revocation tasks for all entitlements granted by the access profile

  • Create revocation tasks for any entitlement granted by the access profile that the user does not also have access to via another access profile (these are called “unjustified” entitlements)

Based on the revoke policies on each individual entitlement and how the access profile is configured, access marked for revocation might be automatically revoked, or it might require human intervention to confirm the revocation and deprovision the access.

Set up access profile auto-enrollment and auto-unenrollment

  1. Follow the instructions in Create access profiles to set up an access profile and add the relevant entitlements. Make sure that Allow profile requests is enabled.

  2. Switch to the access profile’s Enrollment tab. In the Access controls area of the page, click Edit.

  3. In the Profile enrollment section of the page:

    1. Select the approval policy that will be used for this access profile’s enrollment entitlement.

      When a user is added to the access profile via membership automation, ConductorOne creates a request task for their access to the access profile’s enrollment entitlement. The user will not be added to the list of enrolled users until this request is approved.

      If you don’t set an approval policy here, the access profile will use the default policy set on the ConductorOne app.

    2. Once the user’s enrollment in the access profile has been approved, access request tasks are created for each entitlement in the access profile. Select whether these request tasks should apply the approval policy on their respective entitlements, or whether they can bypass the individual entitlements’ policies.

      In practice, choosing Bypass each entitlement’s approval policy means that approval of the access profile enrollment entitlement is understood as approval of the user gaining access to everything in the access profile, so individual requests for each entitlement are not needed.

  4. In the Profile unenrollment section of the page:

    1. Select the revocation policy that will be used for this access profile’s enrollment entitlement.

      When a user is removed from the access profile via membership automation, ConductorOne creates a revoke task for their access to the access profile’s enrollment entitlement. The user will not be removed from the list of enrolled users until this revocation is confirmed.

      If you don’t set a revocation policy here, the access profile will use the default policy set on the ConductorOne app.

    2. Set what to do with the access that has been granted by the access profile when a user is unenrolled. You can:

      • Leave the access as-is

      • Revoke all entitlements granted by the access profile

      • Revoke unjustified entitlements (these are the entitlements that the user was granted only by this access profile; any entitlements that are duplicated in other access profiles the user still has access to will not be revoked)

    3. Once the user’s unenrollment in the access profile has been confirmed, revocation tasks are created for any impacted entitlements in the access profile. Select whether these revoke tasks should apply the revoke policy on their respective entitlements, or whether they can bypass the individual entitlements’ policies.

      In practice, choosing Bypass each entitlement’s revoke policy means that confirmation of revoking the access profile enrollment entitlement is understood as approval of the user losing access to some or all of the entitlements in the access profile, so individual revoke requests for each entitlement are not needed.

  5. Click Save.

  6. In the Membership automation area of the page, click Edit.

  7. Membership automation will periodically sync to check if there are changes to the list of users who match the membership condition you set. Under Automation mode, select how to manage changes to the list of members:

    • Sync members only: Update the list of members but take no other action

    • Sync members and initiate access changes: Update the list of members and kick off enrollment or unenrollment actions

  8. Set the membership condition by selecting one or more entitlements from the dropdown. Users who are currently granted any of the entitlements you select will be enrolled in the access profile.

  9. If necessary, in the Excluded users box, add any users who should not be enrolled in this access profile, even if they currently have, or are later granted, the entitlements in the rule.

  10. If you’re ready to start using the membership automation, switch the Enabled toggle at the top of the page on.

    If you don’t want to start enrolling and unenrolling users immediately, leave the toggle disabled and save your progress. You can enable the membership automation whenever you’re ready.

  11. Click Save.

That’s it! Request tasks are immediately created for the users who match your membership automation condition. Users added to the exclusion list automatically request the access profile’s excluded from rule entitlement. While request tasks await approval, you’ll see a count of pending enrollments above the Members area of the screen. Click pending enrollments to see the pending users and jump to the open tasks.

If you need to manually add users to the access profile who do not match the membership automation condition, click Enroll users.

As request tasks are approved, users will be added to the Members area of the page, and ConductorOne will create access requests for the full contents of the access profile.
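As an added illustration (not ConductorOne’s code), the following Python model shows how the membership condition, the exclusion list, the automation mode and the three unenrollment options described above combine to decide which enrollment requests and revoke tasks a sync would open. All entitlement and user names in it are constructed sample data.

```python
# Hypothetical model of access profile membership automation; this is an added
# illustration, not ConductorOne's code. All entitlement and user names are constructed.
from dataclasses import dataclass, field

@dataclass
class AccessProfile:
    name: str
    entitlements: set[str]                              # access granted on enrollment
    condition: set[str] = field(default_factory=set)    # rule: user holds ANY of these
    excluded_users: set[str] = field(default_factory=set)
    on_unenroll: str = "leave"   # "leave" | "revoke_all" | "revoke_unjustified"

def matches(profile: AccessProfile, user: str, grants: set[str]) -> bool:
    """A user matches the rule if they hold any rule entitlement and are not excluded."""
    return user not in profile.excluded_users and bool(profile.condition & grants)

def sync(profile: AccessProfile, grants: dict[str, set[str]], members: set[str],
         initiate_changes: bool) -> tuple[set[str], set[str], set[str]]:
    """One periodic sync: returns (matching users, enrollment requests, unenrollment tasks).
    'Sync members only' (initiate_changes=False) refreshes the list but opens no tasks."""
    matching = {u for u, g in grants.items() if matches(profile, u, g)}
    if not initiate_changes:
        return matching, set(), set()
    return matching, matching - members, members - matching

def revocations_on_unenroll(profile: AccessProfile,
                            still_enrolled: list[AccessProfile]) -> set[str]:
    """Entitlements that get revoke tasks when a user is unenrolled from `profile`."""
    if profile.on_unenroll == "leave":
        return set()
    if profile.on_unenroll == "revoke_all":
        return set(profile.entitlements)
    if profile.on_unenroll == "revoke_unjustified":
        # Access still justified by another profile the user remains enrolled in is kept.
        justified = set().union(*(p.entitlements for p in still_enrolled))
        return profile.entitlements - justified
    raise ValueError(f"unknown unenrollment mode: {profile.on_unenroll}")

# Constructed sample: a rule on an IdP group, one excluded contractor, four users.
ENGINEERING = AccessProfile("Engineering", {"github:org-member", "jira:developer", "aws:dev-readonly"},
                            condition={"okta:group/engineering"}, excluded_users={"contractor1"},
                            on_unenroll="revoke_unjustified")
SUPPORT = AccessProfile("Support", {"jira:developer", "zendesk:agent"})
GRANTS = {"alice": {"okta:group/engineering"}, "bob": {"okta:group/engineering"},
          "contractor1": {"okta:group/engineering"}, "dave": {"okta:group/support"}}

if __name__ == "__main__":
    print(sync(ENGINEERING, GRANTS, members={"bob", "dave"}, initiate_changes=True))
    print(revocations_on_unenroll(ENGINEERING, still_enrolled=[SUPPORT]))
```

With `members={"bob", "dave"}`, the sync enrolls alice, opens an unenrollment task for dave and ignores the excluded contractor; since dave remains in the Support profile, only the entitlements Support does not also grant are marked for revocation.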

Frequently asked questions about access profile enrollment

How often does the auto-enrollment rule sync?

A new sync is kicked off each hour. Click Sync now to manually start a sync at any time.