Access Request Decision workflow not triggering when role is removed

We have a requirement to assign an identity attribute (say XYZ) value when a role is assigned with an expiry date after approval through Request Center. In the same way, the same identity attribute (say XYZ) value should be removed when the role is removed automatically after the expiry date. We assigned the identity attribute value using a workflow with the ‘Access Request Decision’ trigger, and it is working.
But when the role is removed automatically by IDN after the role expiry date, the workflow is not triggered and ‘Access Request Decision’ is not invoked. The identity attribute (say XYZ) value remains for the identity.
Can you clarify whether the ‘Access Request Decision’ workflow will trigger when a role is removed after the expiry date? If not, how can we remove the identity attribute value?

  • Kalyan S Mutya

I don’t know if this trigger is called on expiration of a role, but you can implement the following workflow:

  • Trigger: Scheduled Trigger
  • Actions: an “HTTP Request” that uses the search API to get all identities that have attribute value “XYZ” and do not have role xxxx
  • For each identity you can remove the identity attribute “XYZ” as you do actually.

As this trigger only triggers for actual “Access Requests”, it will not trigger when access is automatically assigned/removed.

For removal I would instead try to use the trigger “Provisioning Completed”.
