Access Profile Ownership Transfer Workflow as part of separation

Hi,

When an access profile's owner leaves the company, we need to send a notification to a group (DL) that lists all the access profiles they were in charge of, their display name, and who their manager is. Below is the workflow that isn't working. I also need to know how to include the list in the Send Email action; please assist.

{
    "name": "Check Access Profile Ownership on Termination",
    "description": "Iterates through access profiles when an identity is terminated, checks if they are an owner of any access profiles, and sends an email notification for each profile that needs an owner update",
    "definition": {
        "start": "Get Identity",
        "steps": {
            "End Step - Success": {
                "actionId": "sp:operator-success",
                "displayName": "End Workflow",
                "type": "success"
            },
            "Get Access": {
                "actionId": "sp:access:get",
                "attributes": {
                    "accessprofiles": true,
                    "entitlements": false,
                    "getAccessBy": "specificIdentity",
                    "identityToReturn.$": "$.trigger.identity.id",
                    "roles": false
                },
                "displayName": "Get Access Profiles",
                "nextStep": "Loop Through Access Profiles",
                "type": "action",
                "versionNumber": 1
            },
            "Get Identity": {
                "actionId": "sp:get-identity",
                "attributes": {
                    "id.$": "$.trigger.identity.id"
                },
                "displayName": "Get Terminated Identity",
                "nextStep": "Get Identity 1",
                "type": "action",
                "versionNumber": 2
            },
            "Get Identity 1": {
                "actionId": "sp:get-identity",
                "attributes": {
                    "id.$": "$.getIdentity.managerRef.id"
                },
                "displayName": "",
                "nextStep": "Get Access",
                "type": "action",
                "versionNumber": 2
            },
            "Loop Through Access Profiles": {
                "actionId": "sp:loop:iterator",
                "attributes": {
                    "input.$": "$.getAccess.accessItems",
                    "loopInput.$": "$.getAccess",
                    "start": "Send Email",
                    "steps": {
                        "End Loop": {
                            "actionId": "sp:operator-success",
                            "displayName": "End Loop",
                            "type": "success"
                        },
                        "Send Email": {
                            "actionId": "sp:send-email",
                            "attributes": {
                                "body": "The access profile '${accessProfileName}' (ID: ${accessProfileId}) needs a new owner '${manager}' as the current owner '${displayName}' has been terminated.",
                                "context": {
                                    "accessProfileId.$": "$.loop.loopInput.id",
                                    "accessProfileName.$": "$.loop.loopInput.name",
                                    "displayName.$": "$.getIdentity.attributes.displayName",
                                    "manager.$": "$.getIdentity1.attributes.displayName"
                                },
                                "recipientEmailList": [
                                    "123@test.org"
                                ],
                                "subject": "Access Profile Ownership Update Required"
                            },
                            "displayName": "Send Notification Email",
                            "nextStep": "End Loop",
                            "type": "action",
                            "versionNumber": 2
                        }
                    }
                },
                "displayName": "Iterate Through Access Profiles",
                "nextStep": "End Step - Success",
                "type": "action",
                "versionNumber": 1
            }
        }
    },
    "enabled": false,
    "executionCount": 2,
    "failureCount": 0,
    "trigger": {
        "type": "EVENT",
        "attributes": {
            "filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\" && @.newValue== \"terminated\" )]",
            "id": "idn:identity-attributes-changed"
        }
    }
}

This step in your workflow gets all the access profiles the terminated user has, not the access profiles they are the owner of. To get these you need to make the API call detailed here:

Look under the filters section for owner.id eq "………………..".

Any idea how I can leverage that?

Thanks, Nithesh! Finally got it working. However, I have hardcoded the request output in the Send Email. Any idea how we can store the array list in a variable and use that in a Send Email action?

Good to know you got it working. Check this post on how to show specific field value from an array as a list in the email body:

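The two replies above describe the same pipeline: pull the access profiles whose owner.id equals the terminated identity (the /v3/access-profiles filter), confirm ownership, and turn the resulting array into a list in the email body. The script below is an added example, not code from the thread or from SailPoint; it works on a constructed copy of what the HTTP Request step's body would contain, so the IDs and names are made up. It compares owner.id exactly rather than with a "contains" check, and it returns no email at all when the owner owns nothing, which is the case that breaks a body[0] lookup.

```python
"""Added example: verify access-profile ownership from a v3 access-profiles
response and render the ownership-transfer notification as an HTML list."""
import json
from html import escape

# Constructed sample of the array the HTTP Request step returns after
# ?filters=owner.id eq "<terminated id>". Values are made up for this example;
# a third item with a different owner is included to show the exact-match check.
TERMINATED_ID = "2c9180857182306d01719937b2d9099a"
SAMPLE_RESPONSE = json.dumps([
    {"id": "ap-001", "name": "Finance Reporting",
     "owner": {"id": TERMINATED_ID, "name": "Alex Doe"}},
    {"id": "ap-002", "name": "Payroll Admin",
     "owner": {"id": TERMINATED_ID, "name": "Alex Doe"}},
    {"id": "ap-003", "name": "HR Viewer",
     "owner": {"id": "0000000000000000000000000000dead", "name": "Sam Roe"}},
])


def owned_profiles(body, owner_id):
    """Return (id, name) pairs whose owner.id is exactly owner_id.

    The server-side filter should already guarantee this, but re-checking
    every element (not just body[0]) catches a mis-built filter URL and
    avoids a StringContains match on a partial ID.
    """
    items = json.loads(body) if isinstance(body, str) else body
    return [(p["id"], p["name"]) for p in items
            if p.get("owner", {}).get("id") == owner_id]


def render_email(profiles, owner_display, manager_display):
    """Build the HTML notification body with the profiles as a <ul>.

    Returns None when there is nothing to report, so the caller can skip
    the Send Email step instead of mailing an empty list.
    """
    if not profiles:
        return None
    items = "".join(f"<li>{escape(name)} ({escape(pid)})</li>"
                    for pid, name in profiles)
    return (f"<p>The following access profiles were owned by "
            f"{escape(owner_display)}, who has been terminated, and will be "
            f"reassigned to {escape(manager_display)}:</p><ul>{items}</ul>")


if __name__ == "__main__":
    owned = owned_profiles(SAMPLE_RESPONSE, TERMINATED_ID)
    print(render_email(owned, "Alex Doe", "Pat Lee"))
```

The display names are HTML-escaped before they are placed in the body, since identity attributes are user-controlled text that ends up in a rendered email.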

Can we get the full workflow logic? We are also having a similar requirement.

Thank you, it worked. Also, I'm looking to incorporate the logic to automatically reassign the ownership to the owner's manager when they leave. Any idea?


You can use the ISC governance connector.


Okay, can we limit the system to only assign the access profiles up to AVP level, and if their manager is C-suite then it shouldn't assign it to them?

Also, I have updated the workflow to transfer ownership, and it works perfectly when I use a hardcoded manager ID. However, when I try to use a variable instead, it fails. Any idea how I can correctly reference or fetch the manager ID as a variable?

Sorry, please find it below.

{
    "name": "Access Profile Owner Termination",
    "definition": {
        "start": "Get Terminated Identity",
        "steps": {
            "Compare Strings": {
                "actionId": "sp:compare-strings",
                "choiceList": [
                    {
                        "comparator": "StringContains",
                        "nextStep": "Send Notification Email",
                        "variableA.$": "$.hTTPRequest.body[0].owner.id",
                        "variableB.$": "$.trigger.identity.id"
                    }
                ],
                "defaultStep": "End Step - Success",
                "description": null,
                "displayName": "",
                "type": "choice"
            },
            "End Step - Success": {
                "actionId": "sp:operator-success",
                "displayName": "End Step - Success",
                "type": "success"
            },
            "Get Terminated Identity": {
                "actionId": "sp:get-identity",
                "attributes": {
                    "id.$": "$.trigger.identity.id"
                },
                "displayName": "Get Terminated Identity",
                "nextStep": "Get Terminated Identity 1",
                "type": "action",
                "versionNumber": 2
            },
            "Get Terminated Identity 1": {
                "actionId": "sp:get-identity",
                "attributes": {
                    "id.$": "$.getTerminatedIdentity.managerRef.id"
                },
                "displayName": "Get Terminated Identity's Manager",
                "nextStep": "HTTP Request",
                "type": "action",
                "versionNumber": 2
            },
            "HTTP Request": {
                "actionId": "sp:http",
                "attributes": {
                    "authenticationType": "OAuth",
                    "jsonRequestBody": {},
                    "method": "get",
                    "oAuthClientId": "",
                    "oAuthClientSecret": "",
                    "oAuthCredentialLocation": "oAuthInHeader",
                    "oAuthTokenUrl": "",
                    "requestContentType": null,
                    "requestHeaders": null,
                    "url": "https://tenant.api.identitynow.com/v3/access-profiles?filters=owner.id%20eq%20%22{{$.trigger.identity.id}}%22",
                    "urlParams": null
                },
                "displayName": "",
                "nextStep": "Compare Strings",
                "type": "action",
                "versionNumber": 2
            },
            "Send Notification Email": {
                "actionId": "sp:send-email",
                "attributes": {
                    "body": "<p>&lt;p&gt;The following access profiles were owned by {{$.trigger.identity.name}}, who has been terminated, and will be reassigned to ${manager}:&lt;/p&gt;</p>\n<p>&lt;ul&gt;#foreach($profile in ${accessProfiles})&lt;li&gt;$profile.name&lt;/li&gt;#end&lt;/ul&gt;</p>",
                    "context": {
                        "accessProfiles.$": "$.hTTPRequest.body",
                        "manager.$": "$.getTerminatedIdentity1.attributes.displayName"
                    },
                    "from": "no-reply@sailpoint.com",
                    "recipientEmailList": [],
                    "replyTo": "",
                    "subject": "Access Profile Owner Terminated: Action Required"
                },
                "displayName": "Send Notification Email",
                "nextStep": "End Step - Success",
                "type": "action",
                "versionNumber": 2
            }
        }
    },
    "enabled": false,
    "executionCount": 0,
    "failureCount": 0,
    "trigger": {
        "type": "EVENT",
        "attributes": {
            "filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\" && @.newValue== \"terminated\")]",
            "id": "idn:identity-attributes-changed"
        }
    }
}
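Both workflow definitions in this thread share the same shape: a `start` step, a `steps` map, `nextStep`/`defaultStep`/`choiceList` transitions, and loop steps that carry their own nested `start` and `steps`. A workflow whose transition names do not line up silently fails to notify anyone, so the checker below is an added example (not SailPoint's tooling and not the poster's workflow) that walks that graph, recursing into `sp:loop:iterator` steps, and reports dangling step references, steps unreachable from `start`, and empty `displayName` values. The definition it runs on is a constructed miniature with deliberate mistakes.

```python
"""Added example: static consistency check for a workflow definition in the
JSON shape used in this thread. The sample workflow is constructed and
contains deliberate errors so the checker has something to find."""
import json

SAMPLE_WORKFLOW = json.loads("""
{
  "definition": {
    "start": "Get Identity",
    "steps": {
      "Get Identity": {"actionId": "sp:get-identity", "displayName": "Get Identity",
                       "nextStep": "Loop", "type": "action"},
      "Loop": {"actionId": "sp:loop:iterator", "displayName": "",
               "attributes": {"start": "Send Email",
                              "steps": {"Send Email": {"actionId": "sp:send-email",
                                                       "displayName": "Send Email",
                                                       "nextStep": "End Loop",
                                                       "type": "action"},
                                        "End Loop": {"actionId": "sp:operator-success",
                                                     "displayName": "End Loop",
                                                     "type": "success"}}},
               "nextStep": "End Step - Succes", "type": "action"},
      "End Step - Success": {"actionId": "sp:operator-success",
                             "displayName": "End", "type": "success"},
      "Orphan": {"actionId": "sp:get-identity", "displayName": "Orphan",
                 "nextStep": "End Step - Success", "type": "action"}
    }
  }
}
""")


def _targets(step):
    """Every step name this step can transition to (action, choice or default)."""
    out = []
    if "nextStep" in step:
        out.append(step["nextStep"])
    if "defaultStep" in step:
        out.append(step["defaultStep"])
    for choice in step.get("choiceList", []):
        if "nextStep" in choice:
            out.append(choice["nextStep"])
    return out


def lint_steps(start, steps, prefix=""):
    """Return a list of findings for one step graph; recurses into loop steps."""
    findings = []
    if start not in steps:
        findings.append(f"{prefix}start '{start}' is not a defined step")
    for name, step in steps.items():
        if not step.get("displayName"):
            findings.append(f"{prefix}step '{name}' has an empty displayName")
        for target in _targets(step):
            if target not in steps:
                findings.append(f"{prefix}step '{name}' points to undefined step '{target}'")
        if step.get("actionId") == "sp:loop:iterator":
            attrs = step.get("attributes", {})
            findings += lint_steps(attrs.get("start", ""), attrs.get("steps", {}),
                                   prefix=f"{prefix}{name} > ")
    # Reachability: anything the start step cannot reach will never execute.
    seen, todo = set(), [start]
    while todo:
        cur = todo.pop()
        if cur in seen or cur not in steps:
            continue
        seen.add(cur)
        todo.extend(_targets(steps[cur]))
    for name in steps:
        if name not in seen:
            findings.append(f"{prefix}step '{name}' is unreachable from start")
    return findings


def lint_workflow(workflow):
    """Lint the top-level definition of a workflow document."""
    definition = workflow["definition"]
    return lint_steps(definition["start"], definition["steps"])


if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Running it against the sample reports the misspelled `End Step - Succes` target, the empty display name on the loop step, and the two steps that `start` can never reach; the nested loop body checks clean. The same function can be pointed at a real exported definition by loading that JSON instead of the constructed one.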

I configured the ISC source and set the user's lifecycle state to terminated, but none of the selected artifacts were reassigned. Did I miss something?