Fetching specific entitlements in workflows

Hi

I have a requirement to create a workflow like this:

  1. Trigger: cloudLifecycleState changed to inactive
  2. Disable AD account and remove all the AD groups that start with “AD-CA-”

The part where I have a doubt is how to remove the groups that start with “AD-CA-”?

Regards
Arshdeep

@arshdeep_thapar

You would need to use a loop operator to iterate through all the entitlements that the user has on the source, then use a compare string operator to identify whether the entitlement name starts with “AD-CA”, and then remove it via an access request action.

Note: I would recommend using a before-provisioning rule or the native AD rules (connector after modify) to achieve this, as it will be a lot easier than doing it in a workflow.


Try this JSON path to remove all the access starting with “AD-CA-”

$.getAccess.accessItems[?(@.name =~ /^AD-CA-/)]

P.S. See the image below for where and how this has been added.

Hope this helps…


@neeraj99 thanks for your response.
Would this not give an inaccurate result in case the user’s entitlements are more than 250?

Thanks for your response @Anshu_Kunal. Would the loop work for more than 250 entitlements? I have seen in the documentation that there is usually a limit of 250 entitlements for some REST APIs. Is it the same for the loop?

@arshdeep_thapar yes, there is a limit in loop also.

For example, if the first step in your loop is Manage Access, select an array of access items such as the accessItems object returned by the Get Access step. The array you select can contain no more than 100 items. If an item in this list is larger than 512KB, that item will fail when the loop is executed.

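As an added example (not code from any poster in this thread or from SailPoint), the prefix predicate behind the JSONPath answer above, `$.getAccess.accessItems[?(@.name =~ /^AD-CA-/)]`, applied in plain Python to a constructed Get Access result, with the selection then split into chunks of at most 100 items and checked against the 512KB per-item size quoted from the documentation. The `accessItems` shape is taken from the JSONPath; the `id` and `type` fields and the sample names are assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed sample shaped like the getAccess.accessItems array the
# JSONPath selects from; fields other than "name" are assumed.
SAMPLE_WORKFLOW_STATE = {
    "getAccess": {
        "accessItems": [
            {"id": "ent-1", "name": "AD-CA-Finance", "type": "ENTITLEMENT"},
            {"id": "ent-2", "name": "AD-CA-HR", "type": "ENTITLEMENT"},
            {"id": "ent-3", "name": "AD-US-Finance", "type": "ENTITLEMENT"},
            {"id": "ent-4", "name": "ad-ca-lowercase", "type": "ENTITLEMENT"},
            {"id": "ent-5", "name": "Legacy-AD-CA-Old", "type": "ENTITLEMENT"},
        ]
    }
}

# Same predicate as ?(@.name =~ /^AD-CA-/): anchored at the start of the
# string and case-sensitive, so "ad-ca-lowercase" and "Legacy-AD-CA-Old"
# are deliberately NOT selected.
PREFIX_PATTERN = re.compile(r"^AD-CA-")

LOOP_MAX_ITEMS = 100          # array limit of the loop operator quoted above
LOOP_MAX_ITEM_BYTES = 512 * 1024  # per-item size limit quoted above


def select_prefixed_access(state: Dict, pattern: re.Pattern = PREFIX_PATTERN) -> List[Dict]:
    """Return the access items whose name matches the anchored prefix pattern."""
    items = state.get("getAccess", {}).get("accessItems", [])
    return [item for item in items if pattern.search(item.get("name", ""))]


def batch_for_loop(items: List, max_items: int = LOOP_MAX_ITEMS) -> List[List]:
    """Split a selection into chunks no larger than the loop operator accepts."""
    return [items[i:i + max_items] for i in range(0, len(items), max_items)]


def oversized_items(items: List[Dict], limit: int = LOOP_MAX_ITEM_BYTES) -> List[str]:
    """Names of items whose serialized size would make the loop iteration fail."""
    return [i.get("name", "") for i in items if len(json.dumps(i).encode()) > limit]


if __name__ == "__main__":
    selected = select_prefixed_access(SAMPLE_WORKFLOW_STATE)
    print([i["name"] for i in selected])          # ['AD-CA-Finance', 'AD-CA-HR']
    print("oversized:", oversized_items(selected))  # []
    for n, batch in enumerate(batch_for_loop(selected), 1):
        print(f"batch {n}: {len(batch)} item(s)")
```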

Thanks Anshu for your response. I think SailPoint should come up with a way to run a loop over the entitlement list when it is huge. That’s my doubt.

@arshdeep_thapar
You may want to take a look at this thread

https://developer.sailpoint.com/discuss/t/alternative-ways-to-match-the-limitation-of-worflow-loop-allowing-100-iterations/23847/3