Exclude birthright access from "Manage Access" action

Hey Team!

Is it possible to exclude certain access profiles and/or roles in a workflow for revoking access for an identity? The jsonPath is $.getAccess.accessItems; is it possible to extend this to exclude certain birthright roles so the workflow does not try to revoke that access as well (and cause an error)?

We want to deprovision all requested access for an identity for a certain LCS while we still need to keep a birthright role on the identity in order for the off-boarding to work correctly for our 2 AD domains. Fetching all access causes the workflow to break as you can’t manually revoke criteria-based access.

Best regards,
Sebastian


I solved it myself, but for anyone wondering about the same thing:

$.getAccess.accessItems[?(@.name!='accessName')] works!

This might be helpful to others as well:

I have tested this in the Manage Access Action workflow item (note: the i at the end makes the match case-insensitive):

  • Contains XYZ
    $.getAccess.accessItems[?(@.name =~ /.*XYZ.*/i)]
  • Starts with XYZ
    $.getAccess.accessItems[?(@.name =~ /^XYZ/i)]
  • Ends with XYZ
    $.getAccess.accessItems[?(@.name =~ /XYZ$/i)]
  • Excludes access items that end with Birthright (this was the use case I was trying to solve, where we want to revoke access that is not a role with membership criteria. For this to work, we have to apply a business standard to always name those roles ending in Birthright)
    $.getAccess.accessItems[?(@.name !=~ /Birthright$/i)]
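As an added example (not code from either poster, and not SailPoint's own JSONPath engine), here is a small Python evaluator for the exact filter shapes used in this thread, run over a constructed accessItems list so you can see which items each expression hands to the revoke step. The item fields (id, type, name) and the sample names are assumptions for the demo.

```python
import re

# Constructed sample of what $.getAccess.accessItems might hold for one identity.
# Field names and values are assumed for this example, not taken from a tenant.
ACCESS_ITEMS = [
    {"id": "r1", "type": "ROLE", "name": "Finance Analyst"},
    {"id": "r2", "type": "ROLE", "name": "AD Users Birthright"},   # criteria-based, must be kept
    {"id": "a1", "type": "ACCESS_PROFILE", "name": "XYZ Reporting"},
    {"id": "a2", "type": "ACCESS_PROFILE", "name": "Payroll xyz"},
    {"id": "e1", "type": "ENTITLEMENT", "name": "VPN-Users"},
]

# Parses the three filter shapes seen in the thread:
#   [?(@.field =~ /regex/i)]   [?(@.field !=~ /regex/i)]   [?(@.field!='literal')]
_FILTER = re.compile(
    r"^\$\.getAccess\.accessItems\[\?\(@\.(?P<field>\w+)\s*"
    r"(?P<op>!=~|=~|!=)\s*"
    r"(?:/(?P<regex>.*)/(?P<flags>i?)|'(?P<literal>[^']*)')\)\]$"
)


def select_access_items(path, items):
    """Return the items the given JSONPath filter selects, mirroring the
    semantics reported in the thread (=~ regex match, !=~ negated match,
    != literal inequality; trailing i makes the regex case-insensitive)."""
    m = _FILTER.match(path)
    if not m:
        raise ValueError(f"unsupported JSONPath filter: {path}")
    field, op = m["field"], m["op"]
    if m["regex"] is not None:
        flags = re.IGNORECASE if m["flags"] == "i" else 0
        pattern = re.compile(m["regex"], flags)
        matches = lambda value: pattern.search(value) is not None
        negate = op == "!=~"
    else:
        literal = m["literal"]
        matches = lambda value: value == literal
        negate = op == "!="
    # An item is selected when the test result differs from the negation flag.
    return [it for it in items if matches(str(it.get(field, ""))) != negate]


if __name__ == "__main__":
    keep_birthright = "$.getAccess.accessItems[?(@.name !=~ /Birthright$/i)]"
    for item in select_access_items(keep_birthright, ACCESS_ITEMS):
        print("would revoke:", item["type"], item["name"])
```

The last expression is the one from the thread: it leaves "AD Users Birthright" out of the revoke list while every requested item still goes to the Manage Access action.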