Event Trigger filter

Hello,

I’m trying to restrict the provisioning events triggered for my subscription to a specific source (Azure AD source for Suppliers) and I came up with the following filter. I checked its validity using the validate filter API and it returned 200.

Filter:
$[?($.detail.sources contains 'Azure AD source for Suppliers')]

Sample event:

{
    "input": {
        "version": "0",
        "id": "5af763a4-b54b-1f8d-68f9-89d08c21ba46",
        "detail-type": "idn:post-provisioning",
        "source": "aws.partner/sailpoint.com/978ccd6f-75b4-4467-87f8-823b42f63e9b/idn/post-provisioning",
        "account": "066144426732",
        "time": "2021-04-11T06:15:37Z",
        "region": "us-east-2",
        "resources": [ ],
        "detail": {
            "trackingNumber": "c6640fc94e6d488b8be2aa3ab709c96f",
            "sources": "Azure AD source for Suppliers, IdentityNow",
            "recipient": {
                "id": "2c91808778ad758a0178bf91709d11c1",
                "name": "Donald Duck",
                "type": "IDENTITY"
            },
            "requester": null,
            "accountRequests": [
                {
                    "source": {
                        "type": "SOURCE",
                        "id": "2c9180857740c352017740e8fd870234",
                        "name": "Azure AD source for Suppliers"
                    },
                    "accountId": "57982d1e-c75a-4c63-851f-43a83ea6f5ed",
                    "accountOperation": "Create",
                    "provisioningResult": "committed",
                    "provisioningTarget": "Azure AD source for Suppliers",
                    "ticketId": null,
                    "attributeRequests": [
                        {
                            "attributeName": "groups",
                            "attributeValue": "[86536594-9041-4c58-8ac7-49c4f89d52dd, 869b646c-8af6-4c3b-9aee-d6377becac0b]",
                            "operation": "Add"
                        },
                        {
                            "attributeName": "invitedUserUsageLocation",
                            "attributeValue": "US",
                            "operation": "Add"
                        }
                    ]
                },
                {
                    "source": {
                        "type": "SOURCE",
                        "id": "IdentityNow",
                        "name": "IdentityNow"
                    },
                    "accountId": "SUP0053",
                    "accountOperation": "Modify",
                    "provisioningResult": "IdentityNow Task",
                    "provisioningTarget": "IdentityNow",
                    "ticketId": null,
                    "attributeRequests": [
                        {
                            "attributeName": "assignedRoles",
                            "attributeValue": "Supplier Azure AD Account - BaseCamp [cloudRole-1615497776503]",
                            "operation": "Add"
                        },
                        {
                            "attributeName": "assignedRoles",
                            "attributeValue": "Azure AD - Guest user provisioning [cloudRole-1612905383593]",
                            "operation": "Add"
                        },
                        {
                            "attributeName": "assignedRoles",
                            "attributeValue": "Supplier Profile - active [cloudLifecycle-1611255329965]",
                            "operation": "Add"
                        }
                    ]
                }
            ],
            "_metadata": {
                "triggerType": "fireAndForget",
                "triggerId": "idn:post-provisioning",
                "invocationId": "3eaaef9b-86d5-4aa2-a623-74fe99263b49"
            }
        }
    }
}

However, when I use this filter on my subscription, I don’t see any events in the subscription event log or my listener. Any pointers would be helpful.

Thanks,
Prabhu


I think you’re missing the $ which indicates the root of the JSON. Try $[?($.detail.sources contains "Azure AD source for Suppliers")]

Hi Colin,

Thanks for the response. I missed the $ in my previous post. This is the actual filter I’m using,

$[?($.detail.sources contains 'Azure AD source for Suppliers')]

The formatting of the example you posted is hard to read, but it looks like detail is inside input. Maybe try $[?($.input.detail.sources contains "Azure AD source for Suppliers")]

Validity is failing for this filter $[?($.input.detail.sources contains "Azure AD source for Suppliers")]

Can you tell me the trigger-id associated with this event? Is it idn:post-provisioning? Also, can you try using https://webhook.site to test your filter? You can create a new subscription in the Admin UI, using the URL that https://webhook.site gives you, and then send test events from your subscription to see if the filter works.

Hi Colin,

Yes, trigger-id is “idn:post-provisioning”. I tried with webhook as my listener. Events are received when I test the subscription without a filter. When I used the filter, events were not received.

@pselvarangan, when I subscribe to idn:post-provisioning, I get a different response object than what you have shared. Below is what I receive, which is what is contained in the detail object of the response you shared. I was able to get the following query to work for my response object, so maybe you can try this on yours to see if it works:

Filter expression: $[?($.sources contains 'Azure AD source for Suppliers')]

My response object

{
  "_metadata": {
    "invocationId": "ed3fafea-5610-4a8f-b389-a730a4c83453",
    "triggerId": "idn:post-provisioning",
    "triggerType": "fireAndForget"
  },
  "accountRequests": [
    {
      "accountId": "CN=Chewy.Bacca,ou=hardcorefigter,ou=wookies,dc=starwars,dc=com",
      "accountOperation": "Modify",
      "attributeRequests": [
        {
          "attributeName": "memberOf",
          "attributeValue": "CN=jedi,DC=starwars,DC=com",
          "operation": "Add"
        }
      ],
      "provisioningResult": "SUCCESS",
      "provisioningTarget": "Corp AD",
      "source": {
        "id": "4e4d982dddff4267ab12f0f1e72b5a6d",
        "name": "Corporate Active Directory",
        "type": "SOURCE"
      },
      "ticketId": "72619262"
    }
  ],
  "action": "IdentityRefresh",
  "errors": [
    "General Error",
    "Connector AD Failed"
  ],
  "recipient": {
    "id": "2c91808b6ef1d43e016efba0ce470909",
    "name": "Ed Engineer",
    "type": "IDENTITY"
  },
  "requester": {
    "id": "2c91808b6ef1d43e016efba0ce470906",
    "name": "Adam Admin",
    "type": "IDENTITY"
  },
  "sources": "Corp AD, Corp LDAP, Corp Salesforce",
  "trackingNumber": "4b4d982dddff4267ab12f0f1e72b5a6d",
  "warnings": [
    "Notification Skipped due to invalid email"
  ]
}
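
Added example, not part of the original thread and not SailPoint's implementation: a small local checker that evaluates the three filters posted above against the two JSON shapes posted above, to show which document root each filter expects. It handles only the `$[?($.path contains 'literal')]` shape and assumes `contains` is a substring test on strings and a membership test on arrays; `PAYLOAD` and `ENVELOPE` are constructed, reduced versions of the posted samples.

```python
import re

# Matches only the filter shape used in this thread:
#   $[?($.a.b contains 'literal')]
FILTER_RE = re.compile(
    r"""^\$\[\?\(\$\.([\w.]+)\s+contains\s+(['"])(.*?)\2\)\]$"""
)
_MISSING = object()

def resolve(doc, dotted_path):
    """Walk a dotted path from the root; return _MISSING if any key is absent."""
    node = doc
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def filter_matches(expr, doc):
    """Return True if the event `doc` would pass the `contains` filter `expr`."""
    m = FILTER_RE.match(expr.strip())
    if m is None:
        raise ValueError("unsupported filter shape: " + expr)
    path, _, needle = m.groups()
    value = resolve(doc, path)
    if isinstance(value, str):
        return needle in value   # assumed semantics: substring match on strings
    if isinstance(value, list):
        return needle in value   # assumed semantics: membership on arrays
    return False                 # missing path or other type: event filtered out

# Constructed inputs, reduced from the two JSON shapes posted in the thread.
PAYLOAD = {
    "sources": "Azure AD source for Suppliers, IdentityNow",
    "_metadata": {"triggerId": "idn:post-provisioning"},
}
ENVELOPE = {"input": {"detail": PAYLOAD}}

NEEDLE = "Azure AD source for Suppliers"
FILTERS = [
    "$[?($.sources contains '%s')]" % NEEDLE,
    "$[?($.detail.sources contains '%s')]" % NEEDLE,
    "$[?($.input.detail.sources contains '%s')]" % NEEDLE,
]

def report():
    """Map each filter to (matches bare payload, matches wrapped envelope)."""
    return {f: (filter_matches(f, PAYLOAD), filter_matches(f, ENVELOPE)) for f in FILTERS}
```

A filter whose path does not exist from the root of the document being evaluated is still syntactically valid, so it can pass validation and then silently drop every event.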

Sorry to revive an old thread, but I just noticed that you’re using the “contains” operator in your filter? Is that a valid filter that can be used? Are there any other operators that we can use for filtering?
I see no mention of any on the documentation page:
https://developer.sailpoint.com/triggers/filtering_event_triggers.html

@danieldevcic I just tried it and it works on my trigger. It appears that our JSON path implementation supports more operations than we have documented. I’m creating a task to update our filter docs, and I’m going to review JSONPath Syntax | AlertSite Documentation to see which operations we support.

Awesome @colin_mckibben, it would be really helpful for our use-case to utilize some of the other operations, looking forward to seeing that doc updated.

@colin_mckibben any updates on updating the filtering documentation with other supported operations?

@colin_mckibben any updates on the documentation for filters?

A complete revamp of the event trigger documentation is one of my priorities for this quarter. Expect to see this documentation updated by the end of the quarter.

Has this filter doc been published?

Yes. Check them out here.
