Create an access request from a custom workflow

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hi all,

Hope everything’s well.
I apologize for opening this post here; I couldn’t find a way to get this working.
We have a custom workflow that’s going to be called from Postman. This custom workflow will be performing a few operations, and one of them should be creating an access request for a user.
We’d like to recreate the same project/plan where a user goes and manually requests an access for a user in Manage User Access, selecting the desired bundle, creating the account in this source.
I’ve read that I should be calling the LCM Provisioning workflow from my custom workflow for this case, and while I’m trying to fix the errors that I’m receiving, I wanted to ask if this is the correct path to achieve this.

Have you created an access request from a rule or custom workflow? If so, what steps did you follow?

Thank you in advance!

You are on the correct path, but in my case I created a custom WF that will also do the same. At my end the requirement is a bit complex.

See some threads here:

Triggering access requests via joiner workflow - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

Create Custom Identity Request by Custom Workflow to see in Track My Request - IdentityIQ (IIQ) / IIQ Show and Tell - SailPoint Developer Community


Check the sample code below:

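```java
import java.util.HashMap;
import java.util.Iterator;

import sailpoint.api.Workflower;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.QueryOptions;
import sailpoint.object.Workflow;
import sailpoint.object.WorkflowLaunch;
import sailpoint.tools.GeneralException;

// "context" and "log" are supplied by the rule/workflow step that runs this script.

// Select the identities to create requests for
QueryOptions qo = new QueryOptions();
Filter filter = Filter.eq("attributeName", "value");
qo.add(filter);

Iterator<Identity> it = context.search(Identity.class, qo);
if (it != null) {
	while (it.hasNext()) {
		Identity id = it.next();
		HashMap launchArgsMap = new HashMap();
		ProvisioningPlan plan = new ProvisioningPlan();

		// add your logic to create plan

		if (plan != null && !plan.isEmpty()) {

			// Input variables for the LCM Provisioning workflow
			launchArgsMap.put("identityName", id.getName());
			launchArgsMap.put("plan", plan);
			// "none" means the request is provisioned without any approval step
			launchArgsMap.put("approvalScheme", "none");
			WorkflowLaunch wflaunch = new WorkflowLaunch();
			Workflow wf = null;

			try {
				wf = (Workflow) context.getObjectByName(Workflow.class, "LCM Provisioning");
			} catch (GeneralException e) {
				log.error(e);
			}

			if (wf != null) {

				wflaunch.setWorkflowName(wf.getName());
				wflaunch.setWorkflowRef(wf.getName());
				wflaunch.setVariables(launchArgsMap);

				// Launch the workflow for this identity
				Workflower workflower = new Workflower(context);
				try {
					WorkflowLaunch launch = workflower.launch(wflaunch);
					log.debug("workflow launched successfully " + launch);
				} catch (GeneralException eGeneralException) {
					log.error(eGeneralException);
				}

			}
		}

	}

}
```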

Thanks for your reply! I’ll take a look at this.
The issue we’re having is that we can’t really hardcode a provisioningPlan since it will change depending on the source. If it were for only one source, it would be great, but since it can be requesting an account in Active Directory, GitHub, etc., I don’t think hardcoding the plan would be effective.
If there’s a way to execute the provisioning form to grab all the data that the source needs from the intended identity, it would be fantastic.

@ninfante_solidigm You can try role assignment and use either a role-based provisioning plan or an application one. I mean, when you try to assign the role, it will call the app’s create provisioning policy, and you can put your logic in the app provisioning form.

You can write your logic and create the plan accordingly. I think if you give a clear use case of what exactly you are trying to do, then it will be easy to understand.

The use case would be the following:

  1. I execute the API call in Postman to execute my custom workflow.
  2. I’m sending what operation I want to perform in SailPoint, which in this case will be an account creation.
    2.1 From Postman, I’m sending the bundle’s name, the source’s name and the identity that will be used to perform the account creation.
  3. This custom workflow performs the creation of the account in the desired source, either calling another workflow such as LCM Provisioning, or handling the request by itself.

My understanding is that the plan, specifically the attributeRequests, would change depending on the provisioning form of the source. Some need specific attributes, others need other attributes. Please correct me if I’m wrong, but that’s my understanding.
Active Directory, to name one source, needs ‘n’ attributes from the identity, but if I want to create an account in SAP, surely it’ll need fewer attributes from the identity.
Hope this helps! Also, thanks again for your help here.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
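
The role-assignment approach suggested in the thread, as an added example (not code from any poster or from SailPoint): the plan requests the bundle on the identity instead of hardcoding per-source attributes, and the externally supplied names are resolved to real objects before anything is launched. The helper name `requestRole` and its `identityName`, `bundleName` and `launcher` arguments are assumptions about what the custom workflow passes in; it also assumes role expansion and the application's create provisioning policy supply the account attributes, as the reply above describes.

```java
import java.util.HashMap;
import sailpoint.api.SailPointContext;
import sailpoint.api.Workflower;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.WorkflowLaunch;
import sailpoint.tools.GeneralException;

// Hypothetical helper for a custom workflow step or rule (BeanShell/Java).
// identityName, bundleName and launcher are assumed to arrive as workflow arguments.
WorkflowLaunch requestRole(SailPointContext context, String identityName,
                           String bundleName, String launcher) throws GeneralException {
    // The names come from an external API call: resolve them to real objects first.
    Identity identity = context.getObjectByName(Identity.class, identityName);
    Bundle bundle = context.getObjectByName(Bundle.class, bundleName);
    if (identity == null || bundle == null) {
        throw new GeneralException("Unknown identity or role in access request");
    }

    // A role assignment is an AccountRequest against the "IIQ" pseudo-application;
    // no source-specific attributeRequests are written in this plan.
    AccountRequest acctReq = new AccountRequest();
    acctReq.setApplication(ProvisioningPlan.APP_IIQ);
    acctReq.setNativeIdentity(identity.getName());
    acctReq.setOperation(AccountRequest.Operation.Modify);
    acctReq.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
            ProvisioningPlan.Operation.Add, bundle.getName()));

    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    plan.add(acctReq);

    HashMap vars = new HashMap();
    vars.put("identityName", identity.getName());
    vars.put("plan", plan);
    vars.put("flow", "AccessRequest");   // flow name used for access requests
    vars.put("launcher", launcher);      // records who asked for the access
    // approvalScheme is left unset so the workflow's configured approvals apply.

    WorkflowLaunch wfl = new WorkflowLaunch();
    wfl.setWorkflowName("LCM Provisioning");
    wfl.setWorkflowRef("LCM Provisioning");
    wfl.setLauncher(launcher);
    wfl.setVariables(vars);
    return new Workflower(context).launch(wfl);
}
```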