Part of the mover requirement is to trigger role certification for the moving identity, but only include roles that have specific values of the custom metadata attribute.
So this certification needs to be triggered from the workflow.
My plan is to use the Create a campaign endpoint and create a campaign of type SEARCH. In searchCampaignInfo I will have type IDENTITY and assign a specific identity as reviewer (this is the old manager). And finally, I need to set a filter to only include specific roles, which means I need a “Campaign Filter”.
I managed to create a search query that filters such roles:
@accessModelMetadata(value:"3") AND @accessModelMetadata(name:"Risk level")
But how do I use this inside “Campaign Filter”?
This definitely looks do-able. Instead of using the type IDENTITY in your searchCampaignInfo, I would use the ACCESS type instead and utilize the query parameter in the call to pass your search query that you provided. Also, you will need to pass the identity ID into the identityIds section to make sure only that identity is being certified.
I wouldn’t use a campaign filter in this case since it seems you can filter the access criteria and the identities you want included using other parameters. If you wanted to exclude extra criteria that you couldn’t with your search query you provided, then I think a campaign filter would be necessary.
Let me know if this works for you or if you have any questions or concerns on the approach.
No, this limits what access is being certified. For this to work properly, you would need to use the ACCESS query as well as populate the identityIds under searchCampaignInfo. The search query will only certify the access you specified and the identityIds will include only the identity IDs you specified.
Here is an example campaign payload that I’ve confirmed only includes access relevant to a source and I’m excluding based on a list of identity IDs:
# Inputs supplied elsewhere in the script; placeholder values shown here so the snippet runs on its own
$sourceName = "HR System"                                        # name of the source whose access is certified
$TargetIdentityIds = @("<identity-id-1>", "<identity-id-2>")    # identities to include in the campaign

$CampaignPayload = @{
    name = "$sourceName Access Review - Status: Active - $(Get-Date -Format 'yyyy-MM-dd')"
    description = "Filtered campaign for $sourceName source via PowerShell script."
    type = "SEARCH"
    searchCampaignInfo = @{
        type = "ACCESS"                                          # the search query selects access items, not identities
        query = "source.name:" + '"' + $sourceName + '"'         # yields source.name:"HR System"; ConvertTo-Json escapes the quotes
        identityIds = $TargetIdentityIds                         # restricts the campaign to these identity IDs
        reviewerType = "MANAGER"
    }
    schedule = @{
        type = "ONCE"
    }
} | ConvertTo-Json -Depth 10
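Putting the two replies together for the original question (one mover identity, only roles matching the metadata query, the previous manager as reviewer), here is an added end-to-end PowerShell example. It is not code from either poster: the tenant URL, OAuth client credentials and the two identity IDs are placeholders, and the `searchCampaignInfo.reviewer` object (type IDENTITY plus an id) is my assumption of how the v3 Create Campaign API expresses a named reviewer instead of the manager lookup, so verify it against your tenant's API reference before relying on it.

```powershell
# Added example: create and activate a SEARCH/ACCESS certification for one mover.
# Placeholders: $tenant, the OAuth client credentials, $moverId, $oldManagerId.
# Assumption: searchCampaignInfo.reviewer = @{ type = "IDENTITY"; id = ... } per the v3 API.

$tenant       = "https://<tenant>.api.identitynow.com"   # placeholder tenant API base URL
$clientId     = $env:ISC_CLIENT_ID                       # OAuth client credentials read from the environment
$clientSecret = $env:ISC_CLIENT_SECRET
$moverId      = "<identity-id-of-mover>"                 # placeholder: the identity being moved
$oldManagerId = "<identity-id-of-old-manager>"           # placeholder: the reviewer

# Search query from the question: roles whose custom metadata attribute "Risk level" has value "3".
# Kept as a single-quoted string so the inner double quotes survive; ConvertTo-Json escapes them.
$roleQuery = '@accessModelMetadata(value:"3") AND @accessModelMetadata(name:"Risk level")'

# 1. Obtain a bearer token with the client_credentials grant.
$tokenUri = "$tenant/oauth/token?grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret"
$token    = (Invoke-RestMethod -Method Post -Uri $tokenUri).access_token
$headers  = @{ Authorization = "Bearer $token" }

# 2. Build the campaign: SEARCH campaign, ACCESS-typed search, exactly one identity in scope,
#    and an explicit reviewer rather than reviewerType = "MANAGER".
$payload = @{
    name        = "Mover role certification - $moverId - $(Get-Date -Format 'yyyy-MM-dd')"
    description = "Risk level 3 roles held by a moving identity, reviewed by the previous manager."
    type        = "SEARCH"
    searchCampaignInfo = @{
        type        = "ACCESS"        # the query selects access items (roles), not identities
        query       = $roleQuery
        identityIds = @($moverId)     # only this identity's matching access is certified
        reviewer    = @{              # assumption: named-reviewer object per the v3 API
            type = "IDENTITY"
            id   = $oldManagerId
        }
    }
} | ConvertTo-Json -Depth 10

# 3. Create the campaign. A newly created campaign is staged, not yet active.
$campaign = Invoke-RestMethod -Method Post -Uri "$tenant/v3/campaigns" `
    -Headers $headers -ContentType "application/json" -Body $payload

if (-not $campaign.id) {
    throw "Campaign creation returned no id: $($campaign | ConvertTo-Json -Depth 5)"
}
Write-Host "Created campaign $($campaign.id) in status $($campaign.status)"

# 4. Activate it so the reviewer actually receives the certification items.
Invoke-RestMethod -Method Post -Uri "$tenant/v3/campaigns/$($campaign.id)/activate" `
    -Headers $headers | Out-Null
Write-Host "Activated campaign $($campaign.id)"
```

From a workflow you would normally skip step 1 and the script wrapper and send only the JSON body to the Create Campaign action; the important parts carry over unchanged: the campaign is type SEARCH, the search is type ACCESS with the metadata query, identityIds holds the single mover, and no Campaign Filter is needed because the query and identityIds already bound both the access and the identity. Note that the search selects roles by metadata only, so a role with "Risk level" 3 that the mover does not hold is simply absent from the result set rather than causing an error.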