Filter access request decision

Hi All,

We are trying to create a workflow to revoke existing access profiles on an application if someone has requested an access profile on the same application. The reason behind this is that users should only have one group at once.

I am trying to filter the access requests from the access request decision based on the name of the access profile, whether the request has been approved, and whether the type of the access request is access profile. Is this scenario directly possible in the filter section, or should I further be using the loop + compare strings?

Hi Sai,

The best way for this would be to use Segments instead of Workflow. Once a user gets access to the end system, create a custom transform to fetch the user’s access; then under the segment you can use a criteria based on the identity attribute and make the access profiles completely invisible to the user, so that the user cannot request them at all.

Hey @tushar9625257

The requirement is that the user should be able to request other groups. But once they request it, the previous group should be revoked automatically. So, the segments option would not work, unfortunately.

Hey @gvscdeep1, how are you?

You can use this trigger to capture the approval decision and then launch your workflow to remove the access the person has.

{
    "accessRequestId":"4b4d982dddff4267ab12f0f1e72b5a6d",
    "requestedBy":{
        "id":"2c91808b6ef1d43e016efba0ce470906",
        "name":"Adam Admin",
        "type":"IDENTITY"
    },
    "requestedFor":{
        "id":"2c91808b6ef1d43e016efba0ce470909",
        "name":"Ed Engineer",
        "type":"IDENTITY"
    },
    "requestedItemsStatus":[
        {
            "approvalInfo":[
                {
                    "approvalComment":" this is an approval comment",
                    "approvalDecision":"APPROVED",
                    "approver":{
                        "id":"2c91808b6ef1d43d016efba0cf470910",
                        "name":"Stephen Austin",
                        "type":"IDENTITY"
                    },
                    "approverName":"Stephen.Austin"
                }
            ],
            "clientMetadata":{
                "applicationName":"My application"
            },
            "comment":"requester comments",
            "description":"Engineering Access",
            "id":"2a91808b6cf1d43e016efba0cf470904",
            "name":"Engineering Access",
            "operation":"Add",
            "type":"ACCESS_PROFILE"
        }
    ]
}

To create the trigger you can do something like this:

"attributes": {
            "filter.$": "$.accountRequests[?(@.provisioningResult=='SUCCESS' && @.source.name == \"APP\")]",
            "id": "idn:post-provisioning"
        }

Let me know the results

Then you must use a rule, probably the Services Standard Before provisioning rule; it does exactly what you want to do. Or you can write a before operation rule if it’s a Web Service application.

Hi @ipobeidi

Thank you for your response. Just to confirm, the filter you mentioned is for “Provisioning Completed” trigger?
I am trying to use something like $.requestedItemsStatus[?(@.name contains "PRISM" && @.type == "ACCESS_PROFILE")] and also check within the filter if it is approved or not.
Facing difficulties with it, but trying to set up a compare strings operation to check for the approval status.

@tushar9625257, it’s an Entra ID based app. Worst case scenario, we shall go with a before prov rule.
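
Added example, not part of any post in this thread: a local Python check of the selection logic discussed above (approved ACCESS_PROFILE items whose name contains a given string, then the existing profiles to revoke), run over a constructed payload shaped like the sample event posted earlier. The function names, the sample ids and names, and the rule that every approvalInfo entry must be APPROVED are assumptions; this is plain Python for testing the logic offline, not SailPoint filter syntax.

```python
import json

# Constructed sample, shaped like the access request decision payload in the thread.
SAMPLE_EVENT = json.loads("""
{
  "accessRequestId": "constructed-request-id",
  "requestedFor": {"id": "constructed-identity-id", "name": "Ed Engineer", "type": "IDENTITY"},
  "requestedItemsStatus": [
    {"id": "ap-1", "name": "PRISM Analysts", "type": "ACCESS_PROFILE", "operation": "Add",
     "approvalInfo": [{"approvalDecision": "APPROVED"}]},
    {"id": "ap-2", "name": "PRISM Admins", "type": "ACCESS_PROFILE", "operation": "Add",
     "approvalInfo": [{"approvalDecision": "APPROVED"}, {"approvalDecision": "DENIED"}]},
    {"id": "role-1", "name": "PRISM Role", "type": "ROLE", "operation": "Add",
     "approvalInfo": [{"approvalDecision": "APPROVED"}]},
    {"id": "ap-3", "name": "Engineering Access", "type": "ACCESS_PROFILE", "operation": "Add",
     "approvalInfo": [{"approvalDecision": "APPROVED"}]}
  ]
}
""")


def is_fully_approved(item):
    """Assumption: an item counts as approved only if it has at least one
    approval record and every record says APPROVED."""
    decisions = [a.get("approvalDecision") for a in item.get("approvalInfo") or []]
    return bool(decisions) and all(d == "APPROVED" for d in decisions)


def approved_profiles(event, name_fragment):
    """Approved ACCESS_PROFILE additions whose name contains name_fragment."""
    return [
        item for item in event.get("requestedItemsStatus", [])
        if item.get("type") == "ACCESS_PROFILE"
        and item.get("operation") == "Add"
        and name_fragment in item.get("name", "")
        and is_fully_approved(item)
    ]


def profiles_to_revoke(event, name_fragment, current_profile_ids):
    """Existing profile ids to remove so only the newly approved one remains.
    Revokes nothing unless exactly one matching profile was approved."""
    granted = {item["id"] for item in approved_profiles(event, name_fragment)}
    if len(granted) != 1:
        return []
    return sorted(set(current_profile_ids) - granted)
```

Returning an empty list when zero or several profiles match keeps an ambiguous or partially approved request from removing access the user still needs.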