Is it possible to exclude certain access-profiles and/or roles in a workflow for revoking access for an identity? The jsonPath is $.getAccess.accessItems; is it possible to extend this to exclude certain birthright roles to prevent the workflow from trying to revoke that access as well (and causing an error).
We want to deprovision all requested access for an identity for a certain LCS while we still need to keep a birthright role on the identity in order for the off-boarding to work correctly for our 2 AD domains. Fetching all access causes the workflow to break as you can’t manually revoke criteria-based access.
Starts with XYZ: $.getAccess.accessItems[?(@.name =~ /^XYZ/i)]
Ends with XYZ: $.getAccess.accessItems[?(@.name =~ /XYZ$/i)]
Excludes Access Items that End with Birthright (this was the use case I was trying to solve, where we want to Revoke Access where it’s not a role with membership criteria. For this to work, we have to apply a business standard to always name those roles ending in Birthright): $.getAccess.accessItems[?(@.name !=~ /Birthright$/i)]
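A dry run of the name-based filters from the answer above, as an added example that is not part of the original post. It applies the same three regular expressions in plain JavaScript rather than through the workflow's JSONPath evaluator, so it checks the naming convention, not the evaluator. The sample access items, the `type` field and all function names are constructed assumptions.

```javascript
// Constructed sample shaped like $.getAccess.accessItems. Only `name` is used
// by the filters; the `type` field and every value here are assumptions.
const sample = {
  getAccess: {
    accessItems: [
      { type: "ROLE", name: "AD Domain A Birthright" },
      { type: "ROLE", name: "ad domain b birthright" },         // lower case still matches (/i)
      { type: "ROLE", name: "AD Domain A Birthright " },        // trailing space defeats the $ anchor
      { type: "ROLE", name: "Birthright Exceptions Approver" }, // "Birthright" is not at the end
      { type: "ACCESS_PROFILE", name: "XYZ Finance Read" },
      { type: "ACCESS_PROFILE", name: "Reporting XYZ" },
    ],
  },
};

// The three patterns from the answer, as plain regular expressions.
const STARTS_WITH_XYZ = /^XYZ/i;
const ENDS_WITH_XYZ = /XYZ$/i;
const ENDS_WITH_BIRTHRIGHT = /Birthright$/i;

// Names of the items whose name matches the pattern.
function selectMatching(items, pattern) {
  return items.filter((item) => pattern.test(item.name)).map((item) => item.name);
}

// Names of the items whose name does NOT match the pattern.
function selectExcluding(items, pattern) {
  return items.filter((item) => !pattern.test(item.name)).map((item) => item.name);
}

// Split an access result into what the revoke step would receive and what the
// naming convention protects.
function planRevocation(result, keepPattern) {
  const items = result.getAccess.accessItems;
  return {
    revoke: selectExcluding(items, keepPattern),
    keep: selectMatching(items, keepPattern),
  };
}

const plan = planRevocation(sample, ENDS_WITH_BIRTHRIGHT);
console.log("keep:", plan.keep);
console.log("revoke:", plan.revoke);
```

The role named with a trailing space lands in the revoke list, which is the kind of naming drift that would bring back the original error on a criteria-based role.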