Entitlement removal workflow issue

Harish_accenture · November 13, 2023, 2:37pm

Hi,

Below workflow is developed to remove all the entitlement of the user when the user LCS state changes to “lapsed”. It is removing the entitlements when I have entered the identity value inside the “Manage access loop”. It is not working when I give variable as “$.loop.context.trigger.identity.id” . Can anyone guide me here?

{
	"name": "Lapsed Entitlement Removal",
	"description": "This workflow will remove all entitlements of lapsed users.",
	"modified": "2023-11-13T13:59:55.902539822Z",
	"modifiedBy": {
		"type": "IDENTITY",
		"id": "9ccdea463acd483c9e100ebda16f3f18",
		"name": "harish.govindaraj"
	},
	"definition": {
		"start": "Get Identity",
		"steps": {
			"Compare Strings": {
				"choiceList": [
					{
						"comparator": "StringEquals",
						"nextStep": "Get Access",
						"variableA.$": "$.getIdentity.attributes.cloudLifecycleState",
						"variableB": "lapsed"
					}
				],
				"defaultStep": "End Step — Failure",
				"type": "choice"
			},
			"End Step — Failure": {
				"failureName": "Failure",
				"type": "failure"
			},
			"End Step — Success 1": {
				"description": "Success",
				"type": "success"
			},
			"Get Access": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": false,
					"entitlements": true,
					"getAccessBy": "specificIdentity",
					"identityToReturn.$": "$.getIdentity.id",
					"roles": false
				},
				"nextStep": "Loop",
				"type": "action",
				"versionNumber": 1
			},
			"Get Identity": {
				"actionId": "sp:get-identity",
				"attributes": {
					"id": "b57dc232aee041f39610f732797138e3"
				},
				"nextStep": "Compare Strings",
				"type": "action",
				"versionNumber": 2
			},
			"Loop": {
				"actionId": "sp:loop:iterator",
				"attributes": {
					"context.$": "$",
					"input.$": "$.getAccess.accessItems",
					"start": "Manage Access",
					"steps": {
						"End Step — Success": {
							"description": "Success inside loop",
							"type": "success"
						},
						"Manage Access": {
							"actionId": "sp:access:manage",
							"attributes": {
								"comments": "Removal in lapsed",
								"removeIdentity.$": "$.loop.context.trigger.identity.id",
								"requestType": "REVOKE_ACCESS",
								"requestedItems.$": "$.loop.loopInput"
							},
							"nextStep": "End Step — Success",
							"type": "action",
							"versionNumber": 1
						}
					}
				},
				"nextStep": "End Step — Success 1",
				"type": "action",
				"versionNumber": 1
			}
		}
	},
	"creator": {
		"type": "IDENTITY",
		"id": "9ccdea463acd483c9e100ebda16f3f18",
		"name": "harish.govindaraj"
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"attributeToFilter": "cloudLifecycleState",
			"filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\")]",
			"id": "idn:identity-attributes-changed"
		}
	}
}

Thanks,
Harish G

AlexFKing · November 13, 2023, 6:08pm

Hi @Harish_accenture – I compared what you have to my working entitlement removal workflow. This is what I have for my loop step, you may need to just change what you have with the context variable and the removeIdentity:

            "Loop": {
                "actionId": "sp:loop:iterator",
                "attributes": {
                    "context.$": "$.trigger.identity",
                    "input.$": "$.getAccess.accessItems",
                    "start": "Manage Access",
                    "steps": {
                        "End Step — Success 1": {
                            "type": "success"
                        },
                        "Manage Access": {
                            "actionId": "sp:access:manage",
                            "attributes": {
                                "comments": "Removed due to emergency termination.",
                                "removeIdentity.$": "$.loop.context.id",
                                "requestType": "REVOKE_ACCESS",
                                "requestedItems.$": "$.loop.loopInput"
                            },
                            "description": "Removes all entitlements assigned to the terminated user.",
                            "nextStep": "End Step — Success 1",
                            "type": "action",
                            "versionNumber": 1
                        }
                    }
                },
                "nextStep": "End Step — Success",
                "type": "action",
                "versionNumber": 1
            }

Thanks,

Alex King

Harish_accenture · November 14, 2023, 5:48am

Thanks for your help!

system · January 13, 2024, 5:49am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove all entitlements with workflow ISC Discussion and Questions workflows , identity-security-cloud	6	1567	December 25, 2023
Workflow Remove Entitlements ISC Discussion and Questions workflows , identity-security-cloud , lifecycle-management , entitlements	8	107	September 23, 2024
Unable to reference identity ID in loop context ISC Discussion and Questions workflows , identity-security-cloud	3	476	December 25, 2023
Active directory entitlement removal ISC Discussion and Questions identity-security-cloud , lifecycle-management	4	707	December 24, 2023
Workflow - Remove Entitlements from selected source ISC Discussion and Questions workflows , identity-security-cloud , entitlements	19	1940	October 24, 2023

Entitlement removal workflow issue

Related topics