discord · eguerrant · Jun 25, 2025 · Jun 9, 2025 · Jun 9, 2025 · Jun 9, 2025
diff --git a/api/models/core_models.py b/api/models/core_models.py
@@ -40,6 +40,11 @@ class OktaUserGroupMember(db.Model):
 
     created_reason: Mapped[str] = mapped_column(db.Unicode(1024), nullable=False, default="", server_default="")
 
+    # This field is set to True when an owner chooses to not renew access in the Expiring Access workflow
+    should_expire: Mapped[bool] = mapped_column(
+        db.Boolean, nullable=False, server_default=expression.false(), default=False
+    )
+
     # See more details on specifying alternative join conditions for relationships at
     # https://docs.sqlalchemy.org/en/14/orm/join_conditions.html#specifying-alternate-join-conditions
     group: Mapped["OktaGroup"] = db.relationship(
@@ -455,6 +460,11 @@ class RoleGroupMap(db.Model):
 
     created_reason: Mapped[str] = mapped_column(db.Unicode(1024), nullable=False, default="", server_default="")
 
+    # This field is set to True when an owner chooses to not renew access in the Expiring Access workflow
+    should_expire: Mapped[bool] = mapped_column(
+        db.Boolean, nullable=False, server_default=expression.false(), default=False
+    )
+
     # See more details on specifying alternative join conditions for relationships at
     # https://docs.sqlalchemy.org/en/14/orm/join_conditions.html#specifying-alternate-join-conditions
     role_group: Mapped["RoleGroup"] = db.relationship(

diff --git a/api/operations/modify_group_users.py b/api/operations/modify_group_users.py
@@ -34,6 +34,8 @@ def __init__(
         users_added_ended_at: Optional[datetime] = None,
         members_to_add: list[str] = [],
         owners_to_add: list[str] = [],
+        members_should_expire: list[str] = [],
+        owners_should_expire: list[str] = [],
         members_to_remove: list[str] = [],
         owners_to_remove: list[str] = [],
         sync_to_okta: bool = True,
@@ -80,6 +82,22 @@ def __init__(
                 OktaUser.query.filter(OktaUser.id.in_(owners_to_add)).filter(OktaUser.deleted_at.is_(None)).all()
             )
 
+        self.members_should_expire = []
+        if len(members_should_expire) > 0:
+            self.members_should_expire = (
+                OktaUserGroupMember.query.filter(OktaUserGroupMember.id.in_(members_should_expire))
+                .filter(OktaUserGroupMember.ended_at > db.func.now())
+                .filter(OktaUserGroupMember.is_owner.is_(False))
+            ).all()
+
+        self.owners_should_expire = []
+        if len(owners_should_expire) > 0:
+            self.owners_should_expire = (
+                OktaUserGroupMember.query.filter(OktaUserGroupMember.id.in_(owners_should_expire))
+                .filter(OktaUserGroupMember.ended_at > db.func.now())
+                .filter(OktaUserGroupMember.is_owner.is_(True))
+            ).all()
+
         self.members_to_remove = []
         if len(members_to_remove) > 0:
             self.members_to_remove = (
@@ -114,8 +132,10 @@ async def _execute(self) -> OktaGroup:
         if (
             len(self.members_to_add)
             + len(self.members_to_remove)
+            + len(self.members_should_expire)
             + len(self.owners_to_add)
             + len(self.owners_to_remove)
+            + len(self.owners_should_expire)
             == 0
         ):
             return self.group
@@ -160,8 +180,10 @@ async def _execute(self) -> OktaGroup:
                     "group": self.group,
                     "owners_removed_ids_emails": self.owners_to_remove,
                     "owners_added_ids_emails": self.owners_to_add,
+                    "owners_should_expire_user_id_group_id": self.owners_should_expire,
                     "members_removed_ids_emails": self.members_to_remove,
                     "members_added_ids_emails": self.members_to_add,
+                    "members_should_expire_user_id_group_id": self.members_should_expire,
                 }
             )
         )
@@ -350,6 +372,28 @@ async def _execute(self) -> OktaGroup:
         # Commit all changes so far
         db.session.commit()
 
+        # Mark relevant OktaUserGroupMembers as 'Should expire'
+        # Only relevant for the expiring groups page so not adding checks for this field anywhere else since OK if marked to expire
+        # then manually renewed from group page or with an access request
+        if len(self.members_should_expire) > 0:
+            OktaUserGroupMember.query.filter(
+                OktaUserGroupMember.id.in_(m.id for m in self.members_should_expire)
+            ).update(
+                {OktaUserGroupMember.should_expire: True},
+                synchronize_session="fetch",
+            )
+
+        if len(self.owners_should_expire) > 0:
+            OktaUserGroupMember.query.filter(
+                OktaUserGroupMember.id.in_(m.id for m in self.owners_should_expire)
+            ).update(
+                {OktaUserGroupMember.should_expire: True},
+                synchronize_session="fetch",
+            )
+
+        # Commit all changes so far
+        db.session.commit()
+
         # Add new group members and group owners and add them to Okta
         if len(self.members_to_add) > 0 or len(self.owners_to_add) > 0:
             group_memberships_added: Dict[str, Dict[str, OktaUserGroupMember]] = {self.group.id: {}}

diff --git a/api/operations/modify_role_groups.py b/api/operations/modify_role_groups.py
@@ -33,6 +33,8 @@ def __init__(
         groups_added_ended_at: Optional[datetime] = None,
         groups_to_add: list[str] = [],
         owner_groups_to_add: list[str] = [],
+        groups_should_expire: list[str] = [],
+        owner_groups_should_expire: list[str] = [],
         groups_to_remove: list[str] = [],
         owner_groups_to_remove: list[str] = [],
         sync_to_okta: bool = True,
@@ -76,6 +78,22 @@ def __init__(
                 .all()
             )
 
+        self.groups_should_expire = []
+        if len(groups_should_expire) > 0:
+            self.groups_should_expire = (
+                RoleGroupMap.query.filter(RoleGroupMap.id.in_(groups_should_expire))
+                .filter(RoleGroupMap.ended_at > db.func.now())
+                .filter(RoleGroupMap.is_owner.is_(False))
+            ).all()
+
+        self.owner_groups_should_expire = []
+        if len(owner_groups_should_expire) > 0:
+            self.owner_groups_should_expire = (
+                RoleGroupMap.query.filter(RoleGroupMap.id.in_(owner_groups_should_expire))
+                .filter(RoleGroupMap.ended_at > db.func.now())
+                .filter(RoleGroupMap.is_owner.is_(True))
+            ).all()
+
         self.groups_to_remove = []
         if len(groups_to_remove) > 0:
             self.groups_to_remove = (
@@ -113,8 +131,10 @@ async def _execute(self) -> RoleGroup:
         if (
             len(self.groups_to_add)
             + len(self.groups_to_remove)
+            + len(self.groups_should_expire)
             + len(self.owner_groups_to_add)
             + len(self.owner_groups_to_remove)
+            + len(self.owner_groups_should_expire)
             == 0
         ):
             return self.role
@@ -160,8 +180,10 @@ async def _execute(self) -> RoleGroup:
                     "groups_added_ending_at": self.groups_added_ended_at,
                     "owner_groups_removed_ids_names": self.owner_groups_to_remove,
                     "owner_groups_added_ids_names": self.owner_groups_to_add,
+                    "owner_groups_should_expire_role_id_group_id": self.owner_groups_should_expire,
                     "groups_removed_ids_names": self.groups_to_remove,
                     "groups_added_ids_names": self.groups_to_add,
+                    "groups_should_expire_role_id_group_id": self.groups_should_expire,
                 }
             )
         )
@@ -249,6 +271,24 @@ async def _execute(self) -> RoleGroup:
                         # https://help.okta.com/en-us/Content/Topics/identity-governance/group-owner.htm
                         async_tasks.append(asyncio.create_task(okta.async_remove_owner_from_group(group_id, owner_id)))
 
+        # Mark relevant role memberships and ownerships as 'Should expire'
+        # Only relevant for the expiring roles page so not adding checks for this field anywhere else since OK if marked to expire
+        # then manually renewed from group/role page or with an access request
+        if len(self.groups_should_expire) > 0:
+            RoleGroupMap.query.filter(RoleGroupMap.id.in_(m.id for m in self.groups_should_expire)).update(
+                {RoleGroupMap.should_expire: True},
+                synchronize_session="fetch",
+            )
+
+        if len(self.owner_groups_should_expire) > 0:
+            RoleGroupMap.query.filter(RoleGroupMap.id.in_(m.id for m in self.owner_groups_should_expire)).update(
+                {RoleGroupMap.should_expire: True},
+                synchronize_session="fetch",
+            )
+
+        # Commit all changes so far
+        db.session.commit()
+
         # Add new groups to role and owner groups to role
         if len(self.groups_to_add) > 0 or len(self.owner_groups_to_add) > 0:
             role_memberships_added: Dict[str, RoleGroupMap] = {}

diff --git a/api/swagger.json b/api/swagger.json
@@ -966,6 +966,10 @@
           "type": "string",
           "x-nullable": true
         },
+        "should_expire": {
+          "readOnly": true,
+          "type": "boolean"
+        },
         "created_reason": {
           "maxLength": 1024,
           "readOnly": true,
@@ -1217,6 +1221,10 @@
           "readOnly": true,
           "type": "string"
         },
+        "should_expire": {
+          "readOnly": true,
+          "type": "boolean"
+        },
         "id": {
           "readOnly": true,
           "type": "integer"
@@ -1795,6 +1803,12 @@
             "required": false,
             "type": "boolean"
           },
+          {
+            "in": "query",
+            "name": "needs_review",
+            "required": false,
+            "type": "boolean"
+          },
           {
             "in": "query",
             "name": "app_owner",
@@ -1901,6 +1915,12 @@
             "required": false,
             "type": "boolean"
           },
+          {
+            "in": "query",
+            "name": "needs_review",
+            "required": false,
+            "type": "boolean"
+          },
           {
             "in": "query",
             "name": "managed",

diff --git a/api/syncer.py b/api/syncer.py
@@ -414,6 +414,7 @@ def expiring_access_notifications_user() -> None:
         .join(OktaUserGroupMember.active_group)
         .filter(db.and_(OktaUserGroupMember.ended_at >= day, OktaUserGroupMember.ended_at < next_day))
         .filter(OktaUserGroupMember.role_group_map_id.is_(None))
+        .filter(OktaUserGroupMember.should_expire.is_(False))
         .all()
     )
 
@@ -455,6 +456,7 @@ def expiring_access_notifications_user() -> None:
         .join(OktaUserGroupMember.active_group)
         .filter(db.and_(OktaUserGroupMember.ended_at >= day, OktaUserGroupMember.ended_at < next_day))
         .filter(OktaUserGroupMember.role_group_map_id.is_(None))
+        .filter(OktaUserGroupMember.should_expire.is_(False))
         .all()
     )
 
@@ -516,6 +518,7 @@ def expiring_access_notifications_owner() -> None:
         .join(OktaUserGroupMember.active_group)
         .filter(db.and_(OktaUserGroupMember.ended_at >= day, OktaUserGroupMember.ended_at < next_week))
         .filter(OktaUserGroupMember.role_group_map_id.is_(None))
+        .filter(OktaUserGroupMember.should_expire.is_(False))
         .all()
     )
 
@@ -555,6 +558,7 @@ def expiring_access_notifications_owner() -> None:
         .join(OktaUserGroupMember.active_group)
         .filter(db.and_(OktaUserGroupMember.ended_at >= one_week, OktaUserGroupMember.ended_at < two_weeks))
         .filter(OktaUserGroupMember.role_group_map_id.is_(None))
+        .filter(OktaUserGroupMember.should_expire.is_(False))
         .all()
     )
 
@@ -624,6 +628,7 @@ def expiring_access_notifications_owner() -> None:
         .join(RoleGroupMap.active_role_group.of_type(role_group_alias))
         .join(RoleGroupMap.active_group)
         .filter(db.and_(RoleGroupMap.ended_at >= day, RoleGroupMap.ended_at < next_week))
+        .filter(RoleGroupMap.should_expire.is_(False))
         .all()
     )
 
@@ -658,6 +663,7 @@ def expiring_access_notifications_owner() -> None:
         .join(RoleGroupMap.active_role_group.of_type(role_group_alias))
         .join(RoleGroupMap.active_group)
         .filter(db.and_(RoleGroupMap.ended_at >= one_week, RoleGroupMap.ended_at < two_weeks))
+        .filter(RoleGroupMap.should_expire.is_(False))
         .all()
     )
 

diff --git a/api/views/resources/audit.py b/api/views/resources/audit.py
@@ -286,6 +286,11 @@ def get(self) -> ResponseReturnValue:
                         OktaUserGroupMember.ended_at < db.func.now(),
                     )
                 )
+        if "needs_review" in search_args:
+            if search_args["needs_review"]:
+                query = query.filter(
+                    OktaUserGroupMember.should_expire.is_(False),
+                )
 
         if "direct" in search_args:
             if search_args["direct"]:
@@ -332,6 +337,7 @@ def get(self) -> ResponseReturnValue:
                     "ended_at",
                     "created_reason",
                     "is_owner",
+                    "should_expire",
                     "access_request.id",
                     "user.id",
                     "user.created_at",
@@ -600,6 +606,11 @@ def get(self) -> ResponseReturnValue:
                         RoleGroupMap.ended_at < db.func.now(),
                     )
                 )
+        if "needs_review" in search_args:
+            if search_args["needs_review"]:
+                query = query.filter(
+                    RoleGroupMap.should_expire.is_(False),
+                )
 
         return paginate(
             query,
@@ -611,6 +622,7 @@ def get(self) -> ResponseReturnValue:
                     "ended_at",
                     "created_reason",
                     "is_owner",
+                    "should_expire",
                     "group.deleted_at",
                     "group.id",
                     "group.type",

diff --git a/api/views/resources/group.py b/api/views/resources/group.py
@@ -338,6 +338,8 @@ def put(self, group_id: str) -> ResponseReturnValue:
             users_added_ended_at=user_changes.get("users_added_ending_at"),
             members_to_add=user_changes["members_to_add"],
             owners_to_add=user_changes["owners_to_add"],
+            members_should_expire=user_changes.get("members_should_expire", []),
+            owners_should_expire=user_changes.get("owners_should_expire", []),
             members_to_remove=user_changes["members_to_remove"],
             owners_to_remove=user_changes["owners_to_remove"],
             created_reason=user_changes.get("created_reason", ""),

diff --git a/api/views/resources/role.py b/api/views/resources/role.py
@@ -215,6 +215,8 @@ def put(self, role_id: str) -> ResponseReturnValue:
             groups_added_ended_at=group_changes.get("groups_added_ending_at"),
             groups_to_add=group_changes["groups_to_add"],
             owner_groups_to_add=group_changes["owner_groups_to_add"],
+            groups_should_expire=group_changes.get("groups_should_expire", []),
+            owner_groups_should_expire=group_changes.get("owner_groups_should_expire", []),
             groups_to_remove=group_changes["groups_to_remove"],
             owner_groups_to_remove=group_changes["owner_groups_to_remove"],
             created_reason=group_changes.get("created_reason", ""),

diff --git a/api/views/schemas/audit_logs.py b/api/views/schemas/audit_logs.py
@@ -6,8 +6,10 @@
 from api.views.schemas.core_schemas import (
     AccessRequestSchema,
     AppSchema,
+    OktaUserGroupMemberSchema,
     OktaUserSchema,
     PolymorphicGroupSchema,
+    RoleGroupMapSchema,
     RoleGroupSchema,
     RoleRequestSchema,
     TagSchema,
@@ -50,15 +52,27 @@ class AuditLogSchema(Schema):
     group_owners = fields.List(fields.Nested(OktaUserSchema,  "email")))
     owners_removed_ids_emails = fields.List(fields.Nested(OktaUserSchema,  "email")))
     owners_added_ids_emails = fields.List(fields.Nested(OktaUserSchema,  "email")))
+    owners_should_expire_user_id_group_id = fields.List(
+        fields.Nested(OktaUserGroupMemberSchema,  "group_id"))
+    )
     members_removed_ids_emails = fields.List(fields.Nested(OktaUserSchema,  "email")))
     members_added_ids_emails = fields.List(fields.Nested(OktaUserSchema,  "email")))
+    members_should_expire_user_id_group_id = fields.List(
+        fields.Nested(OktaUserGroupMemberSchema,  "group_id"))
+    )
 
     role = fields.Nested(RoleGroupSchema,  "name"))
     groups_added_ending_at = fields.DateTime()
     owner_groups_removed_ids_names = fields.List(fields.Nested(RoleGroupSchema,  "name")))
     owner_groups_added_ids_names = fields.List(fields.Nested(RoleGroupSchema,  "name")))
+    owner_groups_should_expire_role_id_group_id = fields.List(
+        fields.Nested(RoleGroupMapSchema,  "group_id"))
+    )
     groups_removed_ids_names = fields.List(fields.Nested(RoleGroupSchema,  "name")))
     groups_added_ids_names = fields.List(fields.Nested(RoleGroupSchema,  "name")))
+    groups_should_expire_role_id_group_id = fields.List(
+        fields.Nested(RoleGroupMapSchema,  "group_id"))
+    )
 
     request = fields.Nested(
         AccessRequestSchema,