Deprovisioning role in IDNow through workflow

We have a business requirement to provision a role based on new value and deprovision an assigned role based on old value after attribute change event is triggered.
How can we achieve the provisioning and deprovisioning of role based on old and new value of the same attribute?

Hi @Mahak14

if the role is provisioned based on role criteria you can put some logic in the role to provision this role if the value of one identity/account attribute is equals to any value and automatically IdentityNow is going to provisioning the role and entitlements on the role and when the value change automatically IdentityNow is going to deprovisioning that role and assign the new role that match criteria on the second role

Role1 - Criteria: IdentityAttribute.Department equals ‘IT’
Entitlements: group1, group2

Role2 - Criteria: IdentityAttribute.Department equals ‘Engineer’
Entitlements: group2, group3

Lets thing that the identity initially has department = ‘IT’ then IdentityNow is going to provisioning the role to the identity and group1 and group2 to the account but when the department change to ‘Engineer’ then IdentityNow is going to remove Role1 to the identity and is going to assign Role2 to the identity, deprovisioning group1 and provisioning of group3 on the account because group2 is a common group in both roles

Thanks for the response.
One question - What will be the json path for the roles in “Create Access Request” action in workflow for the above mentioned case for the two roles so that roles are picked up as above criteria

@Mahak14, The solution that @gustavo_mariscal provided is called role membership criteria, and it is a capability built directly into IdentityNow. Based on your initial post, it sounds like role membership criteria will solve your use case. I would only involve Workflows if you need some functionality that is not available out of the box.

@colin_mckibben Thank you for your comment. Could be current implementation of Workflow used to forcedly refresh (to immediately provision the access) a particular Role with criteria based members on identity attribute change event as LCM state?

@yunovd ,

No, the current iteration of workflows does not support what you are asking. However, we are working on a new and improved HTTP action that will enable your use case within workflows.

Identity refreshes are automatically triggered daily, so IDN will eventually provision the role within a day. If you must have real-time role provisioning as soon as an Identity meets the role criteria, then you can solve it in workflows with the following steps, with the caveat that you will need to wait for the improved HTTP action before you can implement this.

  1. configure the identity attributes changed trigger with a filter that looks for any events where the status of the identity has changed to the LCM state you are interested in.
  2. Configure the improved HTTP action to send a POST request to /cc/api/system/refreshIdentities with the following payload:
   "filter" : "name == \"${}\"",
   "refreshArgs" : {
     "correlateEntitlements" : "true",
     "promoteAttributes" : "true",
     "refreshManagerStatus" : "true",
     "synchronizeAttributes" : "true",
     "pruneIdentities" : "true",
     "provision" : "true"

These two steps will tell IDN to immediately refresh a single identity as soon as the identity attributes meet the role criteria.