Event Trigger filter

Hello,

I’m trying to restrict the provisioning events triggered for my subscription to a specific source (Azure AD source for Suppliers) and I came up with the following filter. I checked its validity using the validate filter API and it returned 200.

Filter:
$[?($.detail.sources contains 'Azure AD source for Suppliers')]

Sample event:

{
    "input": {
        "version": "0",
        "id": "5af763a4-b54b-1f8d-68f9-89d08c21ba46",
        "detail-type": "idn:post-provisioning",
        "source": "aws.partner/sailpoint.com/978ccd6f-75b4-4467-87f8-823b42f63e9b/idn/post-provisioning",
        "account": "066144426732",
        "time": "2021-04-11T06:15:37Z",
        "region": "us-east-2",
        "resources": [ ],
        "detail": {
            "trackingNumber": "c6640fc94e6d488b8be2aa3ab709c96f",
            "sources": "Azure AD source for Suppliers, IdentityNow",
            "recipient": {
                "id": "2c91808778ad758a0178bf91709d11c1",
                "name": "Donald Duck",
                "type": "IDENTITY"
            },
            "requester": null,
            "accountRequests": [
                {
                    "source": {
                        "type": "SOURCE",
                        "id": "2c9180857740c352017740e8fd870234",
                        "name": "Azure AD source for Suppliers"
                    },
                    "accountId": "57982d1e-c75a-4c63-851f-43a83ea6f5ed",
                    "accountOperation": "Create",
                    "provisioningResult": "committed",
                    "provisioningTarget": "Azure AD source for Suppliers",
                    "ticketId": null,
                    "attributeRequests": [
                        {
                            "attributeName": "groups",
                            "attributeValue": "[86536594-9041-4c58-8ac7-49c4f89d52dd, 869b646c-8af6-4c3b-9aee-d6377becac0b]",
                            "operation": "Add"
                        },
                        {
                            "attributeName": "invitedUserUsageLocation",
                            "attributeValue": "US",
                            "operation": "Add"
                        }
                    ]
                },
                {
                    "source": {
                        "type": "SOURCE",
                        "id": "IdentityNow",
                        "name": "IdentityNow"
                    },
                    "accountId": "SUP0053",
                    "accountOperation": "Modify",
                    "provisioningResult": "IdentityNow Task",
                    "provisioningTarget": "IdentityNow",
                    "ticketId": null,
                    "attributeRequests": [
                        {
                            "attributeName": "assignedRoles",
                            "attributeValue": "Supplier Azure AD Account - BaseCamp [cloudRole-1615497776503]",
                            "operation": "Add"
                        },
                        {
                            "attributeName": "assignedRoles",
                            "attributeValue": "Azure AD - Guest user provisioning [cloudRole-1612905383593]",
                            "operation": "Add"
                        },
                        {
                            "attributeName": "assignedRoles",
                            "attributeValue": "Supplier Profile - active [cloudLifecycle-1611255329965]",
                            "operation": "Add"
                        }
                    ]
                }
            ],
            "_metadata": {
                "triggerType": "fireAndForget",
                "triggerId": "idn:post-provisioning",
                "invocationId": "3eaaef9b-86d5-4aa2-a623-74fe99263b49"
            }
        }
    }
}

However, when I use this filter on my subscription, I don’t see any events in the subscription event log or my listener. Any pointers would be helpful.

Thanks,
Prabhu


I think you’re missing the $ which indicates the root of the JSON. Try $[?($.detail.sources contains "Azure AD source for Suppliers")]

Hi Colin,

Thanks for the response. I missed the $ in my previous post. This is the actual filter I’m using,

$[?($.detail.sources contains 'Azure AD source for Suppliers')]

The formatting of the example you posted is hard to read, but it looks like detail is inside input. Maybe try $[?($.input.detail.sources contains "Azure AD source for Suppliers")]

Validity is failing for this filter $[?($.input.detail.sources contains "Azure AD source for Suppliers")]

Can you tell me the trigger-id associated with this event? Is it idn:post-provisioning? Also, can you try using https://webhook.site to test your filter? You can create a new subscription in the Admin UI, using the URL that https://webhook.site gives you, and then send test events from your subscription to see if the filter works.

Hi Colin,

Yes, trigger-id is “idn:post-provisioning”. I tried with webhook as my listener. Events are received when I test the subscription without a filter. When I used the filter, events are not received.

@pselvarangan, when I subscribe to idn:post-provisioning, I get a different response object than what you have shared. Below is what I receive, which is what is contained in the detail object of the response you shared. I was able to get the following query to work for my response object, so maybe you can try this on yours to see if it works:

Filter expression: $[?($.sources contains 'Azure AD source for Suppliers')]

My response object

{
  "_metadata": {
    "invocationId": "ed3fafea-5610-4a8f-b389-a730a4c83453",
    "triggerId": "idn:post-provisioning",
    "triggerType": "fireAndForget"
  },
  "accountRequests": [
    {
      "accountId": "CN=Chewy.Bacca,ou=hardcorefigter,ou=wookies,dc=starwars,dc=com",
      "accountOperation": "Modify",
      "attributeRequests": [
        {
          "attributeName": "memberOf",
          "attributeValue": "CN=jedi,DC=starwars,DC=com",
          "operation": "Add"
        }
      ],
      "provisioningResult": "SUCCESS",
      "provisioningTarget": "Corp AD",
      "source": {
        "id": "4e4d982dddff4267ab12f0f1e72b5a6d",
        "name": "Corporate Active Directory",
        "type": "SOURCE"
      },
      "ticketId": "72619262"
    }
  ],
  "action": "IdentityRefresh",
  "errors": [
    "General Error",
    "Connector AD Failed"
  ],
  "recipient": {
    "id": "2c91808b6ef1d43e016efba0ce470909",
    "name": "Ed Engineer",
    "type": "IDENTITY"
  },
  "requester": {
    "id": "2c91808b6ef1d43e016efba0ce470906",
    "name": "Adam Admin",
    "type": "IDENTITY"
  },
  "sources": "Corp AD, Corp LDAP, Corp Salesforce",
  "trackingNumber": "4b4d982dddff4267ab12f0f1e72b5a6d",
  "warnings": [
    "Notification Skipped due to invalid email"
  ]
}
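
Added example, not part of any post in this thread and not SailPoint's code: a small Python model of the one filter shape discussed here, assuming (as the reply above suggests) that the filter is evaluated against the trigger payload, i.e. the contents of `detail`, and that `contains` on a string is a substring test. The sample event is trimmed from the first post; `matches` and `source_listed` are hypothetical helper names.

```python
import json
import re

# Constructed sample: the envelope from the first post, trimmed to the
# fields the filter touches.
ENVELOPE = json.loads("""
{"input": {"detail-type": "idn:post-provisioning",
           "detail": {"sources": "Azure AD source for Suppliers, IdentityNow",
                      "trackingNumber": "c6640fc94e6d488b8be2aa3ab709c96f"}}}
""")
# Assumption: the subscription filter sees only the trigger payload,
# which is what the envelope carries under "detail".
PAYLOAD = ENVELOPE["input"]["detail"]

# Only this one filter shape is modelled: $[?($.a.b contains 'text')]
FILTER_RE = re.compile(
    r"""^\$\[\?\(\$((?:\.[\w-]+)+)\s+contains\s+(['"])(.*)\2\)\]$""")

def resolve(doc, dotted):
    """Walk '.a.b.c' from the root; return None if any key is missing."""
    node = doc
    for key in dotted.strip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(filter_expr, doc):
    """True if the filter would let the event through (assumed semantics)."""
    m = FILTER_RE.match(filter_expr)
    if not m:
        raise ValueError("unsupported filter shape: " + filter_expr)
    value, needle = resolve(doc, m.group(1)), m.group(3)
    if isinstance(value, str):
        return needle in value   # substring test on a string
    if isinstance(value, list):
        return needle in value   # membership test on an array
    return False                 # missing path: nothing matches, event dropped

def source_listed(doc, name):
    """Stricter check: exact name in the comma-separated 'sources' string."""
    return name in [s.strip() for s in str(doc.get("sources", "")).split(",")]
```

Because `sources` is a single comma-separated string, the substring test also passes for a partial name such as `Azure AD`; `source_listed` shows the exact-name comparison a listener can apply after the filter.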

Sorry to revive an old thread, but I just noticed that you’re using the “contains” operator in your filter. Is that a valid filter that can be used? Are there any other operators that we can use for filtering?
I see no mention of any on the documentation page:
https://developer.sailpoint.com/triggers/filtering_event_triggers.html

@danieldevcic I just tried it and it works on my trigger. It appears that our JSON path implementation supports more operations than we have documented. I’m creating a task to update our filter docs, and I’m going to review JSONPath Syntax | AlertSite Documentation to see which operations we support.

Awesome @colin_mckibben, it would be really helpful for our use-case to utilize some of the other operations, looking forward to seeing that doc updated.

@colin_mckibben any updates on updating the filtering documentation with other supported operations?

@colin_mckibben any updates on the documentation for filters?

A complete revamp of the event trigger documentation is one of my priorities for this quarter. Expect to see this documentation updated by the end of the quarter.