Create certification for user with multiple access profiles

We have a requirement that on a certain application which is part of the Entra ID source, at one time, a user has to have a single access profile. Our approach is to create a certification campaign for users who have multiple access profiles. I know that from search it might not be possible, as we cannot get a count of access profiles of a certain application or that match a regex. So I am trying to use workflows to achieve this. But I am stuck at the “getAccess” step. I have the following queries:

  1. Is there a way to use the search query option in getAccess to query for a user having certain access profiles (e.g. id:$.trigger.recipient.id AND @access(name:Accounts*))?
  2. Is there a way to get the count of access profiles matching a regex from getAccess and use it under the compare numbers operators?

Thanks in advance

1 Like
  1. In place of get access, use the HTTP operation and call the Search query API in the HTTP operation. Below is the HTTP operation to get all account data; from that we need to filter the access profiles in the next operation, and we can also update the search query if that works from Postman.
    "HTTP Request": {
        "actionId": "sp:http",
        "attributes": {
            "authenticationType": "OAuth",
            "jsonRequestBody": {
                "indices": [
                    "identities"
                ],
                "query": {
                    "query": "id:{{$.trigger.identity.id}}"
                }
            },
            "method": "post",
            "oAuthClientId": "ID",
            "oAuthClientSecret": "SECRET",
            "oAuthCredentialLocation": "oAuthInHeader",
            "oAuthTokenUrl": "https://tenant.api.identitynow.com/oauth/token",
            "requestContentType": "json",
            "url": "https://tenant.api.identitynow.com/v3/search"
        },
        "description": "This HTTP operation is used to get the AD groups for the identities .",
        "displayName": "",
        "nextStep": "Loop",
        "type": "action",
        "versionNumber": 2
    }

  2. There is no direct way to do this. In the Define Variable operator, define a string with $.getAccess[1], and in the next step compare string: if $getAccess[1] exists, then there is more than 1 access profile.

2 Likes
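
The filtering step the answer leaves to "the next operation", as an added example that is not part of the thread and is not SailPoint code: it counts each identity's access profiles on one source whose name matches a regex and returns the identities holding more than one, which is the population the certification campaign needs. The response shape (an `access` list with `type`, `name` and `source.name`), the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample of a /v3/search result for the "identities" index.
# Assumed shape: each identity document has an "access" list whose items
# carry "type", "name" and a "source" object (field names are assumptions).
SAMPLE_RESPONSE = [
    {"id": "id-001", "name": "alice", "access": [
        {"type": "ACCESS_PROFILE", "name": "Accounts Payable", "source": {"name": "Entra ID"}},
        {"type": "ACCESS_PROFILE", "name": "Accounts Receivable", "source": {"name": "Entra ID"}},
        {"type": "ENTITLEMENT", "name": "Accounts-Readers", "source": {"name": "Entra ID"}},
    ]},
    {"id": "id-002", "name": "bob", "access": [
        {"type": "ACCESS_PROFILE", "name": "Accounts Payable", "source": {"name": "Entra ID"}},
        {"type": "ACCESS_PROFILE", "name": "Accounts Audit", "source": {"name": "HR System"}},
    ]},
    {"id": "id-003", "name": "carol"},  # identity with no access list at all
]

def matching_profiles(identity, name_regex, source_name):
    """Return names of the identity's access profiles on one source that match name_regex."""
    pattern = re.compile(name_regex)
    names = []
    for item in identity.get("access") or []:
        if item.get("type") != "ACCESS_PROFILE":
            continue  # entitlements and roles do not count toward the limit
        if (item.get("source") or {}).get("name") != source_name:
            continue  # only the application under review
        name = item.get("name") or ""
        if pattern.match(name):
            names.append(name)
    return names

def violations(identities, name_regex, source_name, allowed=1):
    """Map identity id -> matching profile names for identities above the allowed count."""
    result = {}
    for identity in identities:
        names = matching_profiles(identity, name_regex, source_name)
        if len(names) > allowed:
            result[identity["id"]] = sorted(names)
    return result

if __name__ == "__main__":
    for ident, names in violations(SAMPLE_RESPONSE, r"Accounts", "Entra ID").items():
        print(ident, len(names), names)
```
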

That is a detailed step-wise breakdown, @Yathish
