Filter access request decision

gvscdeep1 · April 12, 2024, 6:50am

Hi All,

We are trying to create a workflow to existing access profiles on an application if someone has requested for an access profile on the same application. The reason behind this being users should only have one group at once.

I am trying to filter out the access requests from access request decision based on the name of access profile, if the request has been approved and if the type of access request is access profile. Is this scenario directly possible in filter section or should I further be using the loop + compare strings?

tushar9625257 · April 12, 2024, 11:37am

Hi Sai,

The best way for this would be to use Segments instead of Workflow, once a user gets an access to end-system, create a custom transform to fetch the user’s access, then under segment you can use a criteria based on the identity attribute and make the access profiles completely invisible to the user so that the user cannot request it at all.

gvscdeep1 · April 12, 2024, 3:11pm

Hey @tushar9625257

The requirement is that the user should be able to request other groups. But should once they request for it, the previous group should be revoked automatically. So, the segments option would not work unfortunately

ipobeidi · April 12, 2024, 3:57pm

hey @gvscdeep1 , how are you?

you can use this trigger to capture the approval decision and them lauch you workflow to remove the access the person have

{
    "accessRequestId":"4b4d982dddff4267ab12f0f1e72b5a6d",
    "requestedBy":{
        "id":"2c91808b6ef1d43e016efba0ce470906",
        "name":"Adam Admin",
        "type":"IDENTITY"
    },
    "requestedFor":{
        "id":"2c91808b6ef1d43e016efba0ce470909",
        "name":"Ed Engineer",
        "type":"IDENTITY"
    },
    "requestedItemsStatus":[
        {
            "approvalInfo":[
                {
                    "approvalComment":" this is an approval comment",
                    "approvalDecision":"APPROVED",
                    "approver":{
                        "id":"2c91808b6ef1d43d016efba0cf470910",
                        "name":"Stephen Austin",
                        "type":"IDENTITY"
                    },
                    "approverName":"Stephen.Austin"
                }
            ],
            "clientMetadata":{
                "applicationName":"My application"
            },
            "comment":"requester comments",
            "description":"Engineering Access",
            "id":"2a91808b6cf1d43e016efba0cf470904",
            "name":"Engineering Access",
            "operation":"Add",
            "type":"ACCESS_PROFILE"
        }
    ]
}

To create the trigger you can so something like this :

"attributes": {
            "filter.$": "$.accountRequests[?(@.provisioningResult=='SUCCESS' && @.source.name == \"APP\")]",
            "id": "idn:post-provisioning"
        }

Let me know the results

tushar9625257 · April 12, 2024, 4:01pm

Then you must use a rule, probably the Services Standard Before provisioning rule, it does exactly what you want to do or if you can write a before operation rule if it’s a Web Service application.

gvscdeep1 · April 14, 2024, 8:35am

Hi @ipobeidi

Thank you for your response. Just to confirm, the filter you mentioned is for “Provisioning Completed” trigger?
I am trying to use something like $.requestedItemsStatus[?(@.name contains “PRISM” && @.type == “ACCESS_PROFILE”)] and also check within the filter if is approved or not
Facing difficulties with it. but trying to set up a compare strings operation to check for the approval status

@tushar9625257, it’s an Entra ID based app, worst case scenarion we shall go with a before prov rule

colin_mckibben · June 4, 2024, 2:53pm

A little late to the party, but you might try this filter expression:

$.requestedItemsStatus[?(@.name contains "PRISM" && @.type == "ACCESS_PROFILE" && @.approvalInfo[*].approvalDecision noneof ['PENDING','REJECTED','EXPIRED','CANCELLED','ARCHIVED'])]

Since there can be multiple approvers in the approval chain for an access profile, you need the noneof to make sure that all of the approval decisions are APPROVED. If any single approval decision is not APPROVED, then the access wasn’t provisioned.

I used this online tool to validate the JSONpath.

https://jsonpath.fly.dev/

system · August 3, 2024, 2:53pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Count Access Profiles in an workflow ISC Discussion and Questions workflows , identity-security-cloud	1	52	August 16, 2024
Filter out Access Profile Request to Certain Users ISC Discussion and Questions identity-security-cloud , access-profiles , access-requests	3	23	November 29, 2024
Search for Access Requests to a specific App ISC Discussion and Questions identity-security-cloud , search	5	53	November 26, 2024
Filter on source for Access Request Decision trigger ISC Discussion and Questions workflows , identity-security-cloud	5	340	May 10, 2024
Approve Access Request Mid-Approval ISC Discussion and Questions workflows , identity-security-cloud	4	285	June 3, 2024

Filter access request decision

Related topics