Emergency Terminations of Identities Using IdentityNow

Hello Shavri,

For your “remove access” step, doesn’t this need to be handled in a loop? My understanding is that remove access requests can only be submitted one at a time, so if a user has more than one access item, it will fail if not done in a loop.

Hi Dylan,

I believe the manage access action is capable of revoking multiple access items in the same step; it will create the revoke access requests automatically.

When I test that in my environment, I get this error:

I believe it’s using the v3 Create Access Request API, which is limited for revoke operations

1 Like

Hi @dopstrick ,

Yes, you are right. I have seen this behavior as well. So we went ahead by using loops (up to 100 access).
Thanks,
Kavindar Sharma

1 Like

@sharvari I also ended up with the same error Dylan is facing: "revoke entitlements are limit to 1 per access request".

@sagar_kamalakar you will have to add a loop action to this workflow and call the manage access step from the loop to revoke your individual entitlements.

Hi @sharvari !

Thanks for this post, as it is very timely for something I am currently working on for Emergency Terminations. I would like to use option 2 in your post by manually updating the lifecycle state on an identity. The challenge I am facing is that I think only Admins can modify the Identity Lifecycle State, yet in my company, tier 3 IT support performs the emergency terminations. Do you know of a way to allow Helpdesk User Levels to update the Identity Lifecycle State manually?
Thanks

Kirk

Thank you, @kirkkenton.

Unfortunately SailPoint doesn’t support updating lifecycle states using the helpdesk user level; they will need Admin access to be able to switch states manually.


Hello @sharvari, we are looking to implement the Emergency terminations using the workflow. We are trying to invoke the API from a Workday business process. Do you happen to have any insight on how this can be set up on the Workday side?

Hi @bsudhalahari

I am not very familiar with how this needs to be set up on the Workday side, but here’s the information you need to share with them so they can make the call to the workflow.

URL to workflow -
https://tenant-name.api.identitynow.com/v3/workflows/execute/external/#workflow-id

Body - Include the input to workflow preferably as Json

Client ID and Secret - These will be used to generate an OAuth token

Token URL - https://tenant-name.api.identitynow.com/oauth/token
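The four items listed above are everything an external system needs to make the call. As an added example (not code from the thread or from SailPoint), here is a small Python client that performs the two steps: obtain an OAuth token with the client ID and secret, then POST the workflow input as JSON to the external trigger URL. The tenant name, workflow id, credentials and the Workday-style payload are placeholders; the transport is an injectable callable so the requests can be inspected offline, and passing the credentials as query parameters on the token URL is the form SailPoint documents for this endpoint (an assumption to verify against your tenant).

```python
"""Added example (not from the thread): triggering an IdentityNow workflow
from an external system via the external trigger endpoint.
Assumptions: tenant name, workflow id and client credentials are placeholders;
HTTP transport is injectable so the requests can be inspected without network."""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

TENANT = "tenant-name"  # placeholder, as written in the thread
BASE_URL = f"https://{TENANT}.api.identitynow.com"

Request = Dict[str, Any]            # {"method", "url", "headers", "body"}
Response = Tuple[int, bytes]        # (HTTP status, raw body)
Transport = Callable[[Request], Response]


def build_token_request(client_id: str, client_secret: str) -> Request:
    """Client-credentials grant against the tenant's /oauth/token endpoint.
    Credentials go in the query string (the form SailPoint documents; assumption)."""
    query = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return {"method": "POST", "url": f"{BASE_URL}/oauth/token?{query}",
            "headers": {}, "body": b""}


def build_trigger_request(workflow_id: str, token: str, payload: Dict[str, Any]) -> Request:
    """POST the workflow input as JSON to the external trigger URL from the thread."""
    return {
        "method": "POST",
        "url": f"{BASE_URL}/v3/workflows/execute/external/{workflow_id}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(payload).encode(),
    }


def urllib_transport(req: Request) -> Response:
    """Real transport, used only when no fake is injected."""
    r = urllib.request.Request(req["url"], data=req["body"] or None,
                               headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=30) as resp:
        return resp.status, resp.read()


def trigger_workflow(workflow_id: str, client_id: str, client_secret: str,
                     payload: Dict[str, Any], send: Transport = urllib_transport) -> Dict[str, Any]:
    """Token first, then the trigger; fail loudly on either step."""
    status, body = send(build_token_request(client_id, client_secret))
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    token = json.loads(body)["access_token"]
    status, body = send(build_trigger_request(workflow_id, token, payload))
    if status not in (200, 201, 202):
        raise RuntimeError(f"workflow trigger failed: HTTP {status}: {body[:200]!r}")
    return json.loads(body) if body else {}


def make_fake_transport(token: str, run_id: str) -> Tuple[Transport, List[Request]]:
    """Recording transport for offline use: answers the token and trigger calls."""
    calls: List[Request] = []

    def send(req: Request) -> Response:
        calls.append(req)
        if req["url"].startswith(f"{BASE_URL}/oauth/token"):
            return 200, json.dumps({"access_token": token}).encode()
        return 200, json.dumps({"id": run_id}).encode()

    return send, calls


if __name__ == "__main__":
    # Constructed sample: a Workday-style termination event as the workflow input.
    send, calls = make_fake_transport("tok123", "run-1")
    print(trigger_workflow("workflow-id", "client-id", "client-secret",
                           {"employeeId": "E100", "employeeStatusCode": "T"}, send=send))
```

Because the client secret travels on the token URL, keep this call server-side in the HR system's integration layer and make sure request URLs are not written to proxy or application logs; treat the workflow's client ID and secret with the same care as any other credential that can start a termination.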

How can we add steps to the workflow like:
once we get a heads up from the HR system to SailPoint,
if employeeStatusCode is T or terminated, then
disable AD and Okta, then
kill AD and Okta sessions, then
move the user account to the disabled OU,
sync to downstream systems,
reset the password, then
hide from GAL,
remove from distribution lists,
remove the user from all cloud groups,
convert the mailbox to a shared mailbox,
give the manager delegate access,
delete calendar events.

We want to move away from PowerShell scripts to Workflows fully. How can we achieve this? If someone has already built it, could you share a similar workflow?

I do see similar behavior. What was the solution for this issue?

Hi @osmanmohammed

You need to use the Loop operator for removing standalone entitlements.

Hi @osmanmohammed

It may be best to create a separate post in the forum for this question, so it has more visibility.

A lot of the tasks you mentioned can be achieved directly via OOB functionality and do not require a workflow. You can use Lifecycle states to trigger disables etc. and an AfterModify rule for some of the other AD tasks.

Thanks for the blog @sharvari
I have a question: when I run the workflow test, I get this error:

Do you understand what is happening?
Thanks in advance

Thank you @IvanMiron.

I see requestedItems as null. Did you provide the access info for the items to revoke in the manage access step?

It should be in this format:

[
  {
    "id": "technicalID",
    "name": "accessItemName",
    "type": "accessItemType"
  },
  {
    "id": "technicalID",
    "name": "accessItemName",
    "type": "accessItemType"
  }
]
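Two things in this thread come together here: the requestedItems shape above, and the earlier finding that a revoke access request is limited to one entitlement, so the Manage Access step has to be called from a loop. As an added example (not code from the thread or from SailPoint), the following Python checks the list for the null or malformed input behind the "requestedItems as null" error and then builds one REVOKE_ACCESS body per item for the v3 access-requests endpoint, submitting them in a loop and recording the outcome of each. The identity id and items are constructed sample values; the `type` values and the `requestedFor`/`requestType`/`requestedItems`/`comment` fields are those of the v3 access-requests API, and the transport is injectable so it runs offline.

```python
"""Added example (not from the thread): validate a requestedItems list and
submit one REVOKE_ACCESS access request per item, the per-entitlement loop the
thread says the Manage Access step needs.
Assumptions: tenant name, identity id and item ids are constructed placeholders;
the HTTP transport is injectable so nothing is sent during the demo."""
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

BASE_URL = "https://tenant-name.api.identitynow.com"  # placeholder tenant
VALID_TYPES = {"ACCESS_PROFILE", "ROLE", "ENTITLEMENT"}  # v3 requestedItems.type
REQUIRED_KEYS = ("id", "name", "type")                  # shape shown in the thread

Request = Dict[str, Any]
Response = Tuple[int, bytes]
Transport = Callable[[Request], Response]


def validation_error(items: Any) -> Optional[str]:
    """Return a reason the list is unusable, or None if it is well-formed."""
    if not isinstance(items, list) or not items:
        return "requestedItems must be a non-empty list (got null or empty)"
    for i, item in enumerate(items):
        if not isinstance(item, dict):
            return f"item {i} is not an object"
        missing = [k for k in REQUIRED_KEYS if not item.get(k)]
        if missing:
            return f"item {i} is missing {missing}"
        if item["type"] not in VALID_TYPES:
            return f"item {i} has unsupported type {item['type']!r}"
    return None


def build_revoke_requests(identity_id: str, items: List[Dict[str, str]],
                          comment: str = "Emergency termination") -> List[Dict[str, Any]]:
    """One POST /v3/access-requests body per item: the API accepts a single
    revoke item per request, so the loop lives here rather than in the API call."""
    problem = validation_error(items)
    if problem:
        raise ValueError(problem)
    return [
        {
            "requestedFor": [identity_id],
            "requestType": "REVOKE_ACCESS",
            # Only type and id are sent; the name from the thread's shape is for logs.
            "requestedItems": [{"type": it["type"], "id": it["id"], "comment": comment}],
        }
        for it in items
    ]


def submit_revokes(bodies: List[Dict[str, Any]], send: Transport) -> List[Dict[str, Any]]:
    """Submit sequentially and keep going on failure: a termination should leave
    a record of every item that was and was not revoked, not stop at the first error."""
    results = []
    for body in bodies:
        status, _ = send({
            "method": "POST",
            "url": f"{BASE_URL}/v3/access-requests",
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body).encode(),
        })
        item = body["requestedItems"][0]
        results.append({"id": item["id"], "type": item["type"],
                        "status": status, "ok": status in (200, 202)})
    return results


def make_fake_transport(fail_ids=frozenset()) -> Tuple[Transport, List[Request]]:
    """Offline transport: accepts every revoke except the ids listed in fail_ids."""
    calls: List[Request] = []

    def send(req: Request) -> Response:
        calls.append(req)
        item_id = json.loads(req["body"])["requestedItems"][0]["id"]
        if item_id in fail_ids:
            return 400, b'{"detailCode": "400.1 Bad request content"}'
        return 202, b'{"id": "access-request-placeholder"}'

    return send, calls


if __name__ == "__main__":
    # Constructed sample input in the thread's format.
    sample = [
        {"id": "ent-1", "name": "AD Admins", "type": "ENTITLEMENT"},
        {"id": "role-1", "name": "Contractor", "type": "ROLE"},
    ]
    send, _ = make_fake_transport(fail_ids={"role-1"})
    for r in submit_revokes(build_revoke_requests("identity-123", sample), send):
        print(r)
```

Running the validation before the loop turns the opaque null-pointer style failure into a message that says which item is malformed, and the per-item result list is what you would log or send to the ticket so the termination can be reviewed afterwards.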

Thanks, I need to provide access in some identities.

1 Like