Certification Campaign Not Picking Users via Workflow

Hi Folks,

Need help if you have seen issue with this →

Users are being skipped while creating a campaign via Workflow. The trigger is “Identity Attribute attributes” based on “cloudlifecyclestate” → but randomly users are getting skipped.

Example: User “A” was terminated on Day 10. My workflow should pick up this user on the event triggered when the attribute changed from “active” to “terminated” → Create Campaign → Submit after 24 hours. But somehow users were not picked up for termination.

No error seen in certification or in workflow.

Thanks

Seeing this error for some users, not all for skipped users.

{"error":"task failed: activity error (type: sp:internal:http, scheduledEventID: 11, startedEventID: 12, identity: 1@sp-workflow-xxxxxx-us-east-1-xxxxxx-c5z8l@sp-workflow-engine): unable to exec HTTP request: Get "https://xxxxxx.mice.services.infra.identitynow.com/v3/identities/2cxxxxxxa740e00170a931b6d127f6\": request failed with status 401: (type: HTTP Response Returned a Client Error, retryable: false): unable to exec HTTP request: Get "https://xxxxxx.mice.services.infra.identitynow.com/v3/identities/2cxxxxxx740e00170a931b6d127f6\": request failed with status 401 (type: withStack, retryable: true): unable to exec HTTP request: Get }

Hi @msingh39 ,

401 says unauthorized. Check the client ID and secret.

It would be more helpful to troubleshoot if you can post the workflow JSON here, masking all the sensitive information.

Thanks. I have attached the same.

    {
      "name": "Terminated User Clean-up and Closure",
      "description": "Workflow to automate clean-up of terminated users.",
      "modified": "2024-12-11T03:05:05.805493547Z",
      "modifiedBy": {
        "type": "IDENTITY",
        "id": "XXXXXXXXXXXXXXXXX",
        "name": "XXXXXXXXXXXXXXXXX"
      },
      "definition": {
        "start": "Compare Strings",
        "steps": {
          "Compare Strings": {
            "choiceList": [
              {
                "comparator": "StringEquals",
                "nextStep": "Get Identity",
                "variableA.$": "$.trigger.changes[?(@.attribute == \"cloudLifecycleState\")].newValue",
                "variableB": "terminated"
              }
            ],
            "defaultStep": "End Step - Success 1",
            "displayName": "",
            "type": "choice"
          },
          "Create Certification Campaign": {
            "actionId": "sp:create-campaign",
            "attributes": {
              "activateUponCreation": true,
              "description": "Termination Clean-Up",
              "duration": "1d",
              "emailNotificationEnabled": false,
              "governanceAccessItemType": "ENTITLEMENT",
              "governanceAccessOperator": "SELECTED",
              "governanceCertificationType": "IDENTITY",
              "governanceGroupId": "b22XXXXXXXXXXXXXXXXXd",
              "governanceIdentitiesToCertify.$": "$.getIdentity.id",
              "name": "Termination Clean-Up - {{$.getIdentity.attributes.displayName}}",
              "type": "GOVERNANCE_GROUP",
              "undecidedAccess": true
            },
            "description": null,
            "displayName": "",
            "nextStep": "Define Variable",
            "type": "action",
            "versionNumber": 2
          },
          "Define Variable": {
            "attributes": {
              "id": "sp:define-variable",
              "variables": [
                {
                  "description": "",
                  "name": "URL",
                  "transforms": [
                    {
                      "id": "sp:transform:concatenate:string",
                      "input": {
                        "variableB.$": "$.createCertificationCampaign.id"
                      }
                    },
                    {
                      "id": "sp:transform:concatenate:string",
                      "input": {
                        "variableB": "/complete"
                      }
                    }
                  ],
                  "variableA": "https://XXXXXXXXXXXXXXXXX.api.identitynow.com/v2024/campaigns/"
                }
              ]
            },
            "displayName": "",
            "nextStep": "Wait",
            "type": "Mutation"
          },
          "End Step - Success": {
            "displayName": "",
            "type": "success"
          },
          "End Step - Success 1": {
            "displayName": "",
            "type": "success"
          },
          "Get Identity": {
            "actionId": "sp:get-identity",
            "attributes": {
              "id.$": "$.trigger.identity.id"
            },
            "displayName": "",
            "nextStep": "Create Certification Campaign",
            "type": "action",
            "versionNumber": 2
          },
          "HTTP Request": {
            "actionId": "sp:http",
            "attributes": {
              "authenticationType": "OAuth",
              "jsonRequestBody": {
                "autoCompleteAction": "REVOKE"
              },
              "method": "post",
              "oAuthClientId": "XXXXXXXXXXXXXXXXX",
              "oAuthClientSecret": "",
              "oAuthCredentialLocation": "oAuthInHeader",
              "oAuthScope": null,
              "oAuthTokenUrl": "https://XXXXXXXXXXXXXXXXX.api.identitynow.com/oauth/token",
              "requestContentType": "json",
              "url.$": "$.defineVariable.uRL"
            },
            "displayName": "",
            "nextStep": "End Step - Success",
            "type": "action",
            "versionNumber": 2
          },
          "Wait": {
            "actionId": "sp:sleep",
            "attributes": {
              "duration": "24h",
              "type": "waitFor"
            },
            "displayName": "",
            "nextStep": "HTTP Request",
            "type": "action",
            "versionNumber": 1
          }
        }
      },
      "creator": {
        "type": "IDENTITY",
        "id": "XXXXXXXXXXXXXXXXX",
        "name": "XXXXXXXXXXXXXXXXX"
      },
      "trigger": {
        "type": "EVENT",
        "attributes": {
          "attributeToFilter": "cloudLifecycleState",
          "filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\")]",
          "id": "idn:identity-attributes-changed"
        }
      }
    }

Note: On terminated status, we are also moving the user to DISABLED OU.

In the HTTP request, credentials should be passed in “body” when calling SailPoint APIs.

In your workflow I can see it's passed as “header”.

"oAuthCredentialLocation": "oAuthInHeader",

Thanks for the response, but this is not causing any issues. Out of 10 users, 1 is having the issue and does not get triggered. The workflow works fine except in some rare cases.

Hi @msingh39,

Have you confirmed that the WF is getting triggered even for the users whose campaigns were not created?

If yes, take a look at the certification document and check if the missed users have certifiable access.

Hi, did you ever get a solution for this issue? We are seeing the exact same error message in our termination removal workflow, down to the ~1/10 failure rate.

The error shown here:

  "{""displayName"":""Get Identity"",""error"":""unable to exec HTTP request: Get \""https: //<tenant>.mice.services.infra.identitynow.com/v3/identities/<identityid>\"": request failed with status 401: "",""stepName"":""getIdentity"",""task"":""sp:get-identity"",""technicalName"":""Get Identity""}"

The execution logs show that the error is being generated at the Get-Identity step, which is basically OOTB (chosen through Variable Selector).

		"Get Identity": {
			"actionId": "sp:get-identity",
			"attributes": {
				"id.$": "$.trigger.identity.id"
			},
			"description": "This will be used to get the identity who is getting disabled",
			"nextStep": "Get Access",
			"type": "action",
			"versionNumber": 2
		},

The endpoint erroring looks like a system internal endpoint
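For triaging which step produced each 401, the two error shapes quoted in this thread (the raw engine string and the CSV-exported execution-log cell) can be normalised with a short script. This is an added example, not code from any poster or from SailPoint; the sample records, the `tenant` host, `CONFIGURED_HOSTS` and the origin rule are constructed assumptions.

```python
import csv, io, json, re
from collections import Counter
from urllib.parse import urlsplit

# Constructed records modelled on the two error shapes quoted in the thread;
# the tenant name, identity ids and the third (sp:http) record are placeholders.
SAMPLES = [
    r'''"{""displayName"":""Get Identity"",""error"":""unable to exec HTTP request: Get \""https://tenant.mice.services.infra.identitynow.com/v3/identities/id-0001\"": request failed with status 401: "",""stepName"":""getIdentity"",""task"":""sp:get-identity"",""technicalName"":""Get Identity""}"''',
    r'''{"error":"task failed: activity error (type: sp:internal:http, scheduledEventID: 11): unable to exec HTTP request: Get \"https://tenant.mice.services.infra.identitynow.com/v3/identities/id-0002\": request failed with status 401 (type: withStack, retryable: true): unable to exec HTTP request: Get }''',
    r'''"{""displayName"":""HTTP Request"",""error"":""unable to exec HTTP request: Post \""https://tenant.api.identitynow.com/v2024/campaigns/c-01/complete\"": request failed with status 401: "",""stepName"":""hTTPRequest"",""task"":""sp:http"",""technicalName"":""HTTP Request""}"''',
]
# Hosts the workflow definition itself names (HTTP Request URL, token URL).
CONFIGURED_HOSTS = {"tenant.api.identitynow.com"}

URL_RE = re.compile(r'\b(?:get|post|put|patch|delete)\s+\\?"(https?://[^"\\\s]+)', re.I)
STATUS_RE = re.compile(r'request failed with status (\d{3})')
TASK_RE = re.compile(r'type: (sp:[\w:-]+)')

def parse_record(line):
    """Normalise one error record (CSV-exported cell or raw engine string)."""
    text, step, task = line.strip(), None, None
    if text.startswith('"{'):  # CSV cell: undo the "" doubling, then parse JSON
        obj = json.loads(next(csv.reader(io.StringIO(text)))[0])
        step, task, text = obj.get("stepName"), obj.get("task"), obj.get("error", "")
    elif (m := TASK_RE.search(text)):  # raw string may be truncated: regex only
        task = m.group(1)
    url, status = URL_RE.search(text), STATUS_RE.search(text)
    parts = urlsplit(url.group(1)) if url else None
    ident = re.search(r'/identities/([^/?]+)', parts.path) if parts else None
    host = parts.hostname if parts else None
    return {
        "step": step, "task": task, "host": host,
        "identity": ident.group(1) if ident else None,
        "status": int(status.group(1)) if status else None,
        # Assumption: a failure on a host the definition never names comes from
        # a built-in action, not from the definition's OAuth client settings.
        "origin": "workflow-http-step" if host in CONFIGURED_HOSTS else "built-in-action",
    }

def triage(lines):
    """Count 401s per (task, origin) and list identities to re-process."""
    recs = [r for r in map(parse_record, lines) if r["status"] == 401]
    counts = Counter((r["task"], r["origin"]) for r in recs)
    missed = sorted({r["identity"] for r in recs if r["identity"]})
    return counts, missed

if __name__ == "__main__":
    print(triage(SAMPLES))
```

The `missed` list gives the identities whose termination event reached the workflow but failed before a campaign was created, which separates them from users for whom the trigger never fired.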