Access Request Workflow

Identity Security Cloud (ISC) ISC Discussion and Questions
1

I am trying to trigger a workflow when the department changes using the Identity Attributes Changed trigger, but when I test a positive condition, I end up with the message of an invalid map:

[
  {
    "type": "WorkflowExecutionStarted",
    "timestamp": "2022-01-27T22:46:05.739760992Z",
    "attributes": {
      "input": {
        "changes": [
          {
            "attribute": "department",
            "newValue": "marketing",
            "oldValue": "sales"
          }
        ],
        "identity": {
          "id": "2c9180876ae6b8f3016b668e01a63530",
          "name": "Justin.Haines",
          "type": "IDENTITY"
        }
      }
    }
  },
  {
    "type": "WorkflowTaskScheduled",
    "timestamp": "2022-01-27T22:46:05.739808283Z",
    "attributes": {}
  },
  {
    "type": "WorkflowTaskStarted",
    "timestamp": "2022-01-27T22:46:05.82204121Z",
    "attributes": {}
  },
  {
    "type": "WorkflowTaskCompleted",
    "timestamp": "2022-01-27T22:46:05.868088546Z",
    "attributes": {}
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2022-01-27T22:46:05.868148035Z",
    "attributes": {
      "activity": "sp:internal:http",
      "input": {
        "body": {
          "requestedFor": {
            "id": "2c9180876ae6b8f3016b668e01a63530"
          },
          "requestedItems": {
            "id": "2c9180867e9a1b12017e9dabaa520a02",
            "type": "ROLE"
          }
        },
        "identities": {
          "id": "2c9180876ae6b8f3016b668e01a63530"
        },
        "method": "POST",
        "path": "rats/access-requests",
        "requestedItems": {
          "id": "2c9180867e9a1b12017e9dabaa520a02",
          "type": "ROLE"
        },
        "service": "rats"
      },
      "task": "sp:create-approval-request"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2022-01-27T22:46:05.91341977Z",
    "attributes": {}
  },
  {
    "type": "ActivityTaskFailed",
    "timestamp": "2022-01-27T22:46:06.231819397Z",
    "attributes": {}
  },
  {
    "type": "WorkflowTaskScheduled",
    "timestamp": "2022-01-27T22:46:06.231839257Z",
    "attributes": {}
  },
  {
    "type": "WorkflowTaskStarted",
    "timestamp": "2022-01-27T22:46:06.290068288Z",
    "attributes": {}
  },
  {
    "type": "WorkflowTaskCompleted",
    "timestamp": "2022-01-27T22:46:06.32724621Z",
    "attributes": {}
  },
  {
    "type": "WorkflowExecutionFailed",
    "timestamp": "2022-01-27T22:46:06.327278406Z",
    "attributes": {
      "error": "output was not a valid map"
    }
  }
]

I am including my workflow to see if anyone can assist with this simple use case. Thanks!
DepartmentChange20220127.txt (1.5 KB)

2

Hi @justinrhaines. We have confirmed there is a UI bug on the Access Request action. The team is working on fixing it.

The issue is that the Access Request JSON expects the attributes property to be formatted as follows:

“Create Request for Access”: {
                “actionId”: “sp:create-approval-request”,
                “attributes”: {
                    “identities.$“: [“$.identity.id”],
                    “requestedItems”: [
                        {
                          “id”: “2c9180867e9a1b12017e9dabaa520a02",
                          “type”: “ROLE”
                        }
                    ]
                },
                ...

Pay close attention to the $ and array ([] ) brackets. The UI isn’t filling these in for you, so you will have to modify the JSON manually and then upload the workflow.

3

accessrequest workflow.txt (903 Bytes)
Tried the above mentioned changes, but gives the same error.
{
“type”: “WorkflowExecutionFailed”,
“timestamp”: “2022-02-09T17:15:58.030088127Z”,
“attributes”: {
“error”: “output was not a valid map”
}
}

Is it a bug or something I am missing?

4

Same issue here. Any update?

5

The fix provided by @colin_mckibben addressed the issue for me. Make sure you make the changes required to the “identities” line in the Workflow json file as the UI doesn’t support the values yet.

1 Like
6

Hi Colin,

Is this still true regarding the identities.$ line? I made the changes to JSON and I keep getting the validation error: bad json path: must start with $

Here is my create request json

“start”: “Create Request for Access”,
“steps”: {
“Create Request for Access”: {
“actionId”: “sp:create-approval-request”,
“attributes”: {
“identities.$”: [“$.trigger.identity.id”],
“requestedItems”: [
{
“id”: “cb5443408cba402999c4404xxxxxxxxx”,
“type”: “ACCESS_PROFILE”
}
]
},
“nextStep”: “success”,
“type”: “action”,
“versionNumber”: 1
},
“success”: {
“type”: “success”
}
}

7

The Manage Access action is the replacement for Create Request for Access. I suggest you use Manage Access for the purpose of creating access requests.

8

Thanks Colin. How do I filter to single access profile or a role in the Access To Manage. I tried $.getAccess.accessItems[?(@.id==‘cb5443408cba402999c4404bxxxxxxxx’)].id but doesn’t seem to work.

9

The Get Access action is the companion action for Manage Access. You can provide a search query in Get Access to narrow the list of access items you want to manage. In your case, you could configure Get Access with the following search query, limited by role, to get a single role.

image
image487×881 30.2 KB

10

@vishals_me try your JSONpath filter again. There was an issue on the backend that prevented that filter from working properly. It should be fixed now.