Filter for Provisioning Completed trigger workflow

Hi All,

We have a requirement to send an email to the admins once a specific entitlement has been added to the user via access request. For our workflow, we are using the Provisioning Completed trigger for this. What would be the filter query to only filter out that specific entitlement from a given source?

This is my initial filter, but it was not successful in triggering the workflow:

$.accountRequests[?( @.provisioningResult == 'SUCCESS' && @.source.name =='Source_name')].attributeRequests[?(@.operation == 'Add' && @.attributeValue == 'Entitlement_Name' )]

Hi @jasmedina !

So I looked at the documentation of the workflow triggers and using the Provisioning Completed sample JSON (updated with the simpler test values you used in your example), I have this JSON:

{
    "trackingNumber":"4b4d982dddff4267ab12f0f1e72b5a6d",
    "action":"IdentityRefresh",
    "requester":{
        "id":"2c91808b6ef1d43e016efba0ce470906",
        "name":"Adam Admin",
        "type":"IDENTITY"
    },
    "recipient":{
        "id":"2c91808b6ef1d43e016efba0ce470909",
        "name":"Ed Engineer",
        "type":"IDENTITY"
    },
    "errors":[
        "General Error",
        "Connector AD Failed"
    ],
    "warnings":[
        "Notification Skipped due to invalid email"
    ],
    "sources":"Corp AD, Corp LDAP, Corp Salesforce",
    "accountRequests":[
        {
            "source":{
                "id":"4e4d982dddff4267ab12f0f1e72b5a6d",
                "name":"Source_name",
                "type":"SOURCE"
            },
            "accountId":"CN=example,ou=sample,ou=test,dc=ex,dc=com",
            "accountOperation":"Modify",
            "provisioningResult":"committed",
            "provisioningTarget":"Corp AD",
            "ticketId":"72619262",
            "attributeRequests":[
                {
                    "operation":"Add",
                    "attributeName":"memberOf",
                    "attributeValue":"Entitlement_Name"
                }
            ]
        }
    ]
}

I used this filter expression:

$.accountRequests[?(@.source.name == "Source_name" && @.provisioningResult == "committed" && @.attributeRequests[0].operation == "Add" && @.attributeRequests[0].attributeValue== "Entitlement_Name")]

It seems to work; I’m using the JSON path evaluator at this link: SailPoint Developer Community

Hope that helps!

Hi @vkashat! Tried this but didn’t work. Also tried to substitute the Entitlement_Name to Access_Profile_Name as we are trying to provision the access profile, but it also didn’t work.

Hi @jasmedina,

Try adding a “committed” also to your result status check and see if it works.

$.accountRequests[?((@.provisioningResult == 'committed' || @.provisioningResult == "SUCCESS") && @.source.name =='Source_name')].attributeRequests[?(@.operation == 'Add' && @.attributeValue == 'Entitlement_Name')]

Hi @jasmedina,

We have a similar requirement and are using the below JSON filter.

$.accountRequests[*].attributeRequests[?(@.source.name == "<Source_Name>" && @.operation == "Add" && @.attributeValue == "<Entitlement_Value>")]

Let me know if that works!

Thanks,

Liam

Hi Liam, tried this but it also didn't work. The Controllership_Interactor_testing entitlement is inside an access profile.

$.accountRequests[*].attributeRequests[?(@.source.name == 'XXX - XXX Training Site' && @.operation == 'Add' && @.attributeValue == 'Controllership_Interactor_testing')]

This didn't trigger either :frowning:

Can you share the output from the trigger step when you tested the workflow?
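
Added example, not part of any post in this thread: a small Python helper for checking captured trigger output against the conditions the filters above are trying to express. It reports, per account request, which condition fails first, and it checks every attributeRequests entry rather than only index 0. The payload is a constructed, trimmed variant of the sample JSON quoted above; the function names are hypothetical, and it assumes a filter counts as matching when it selects at least one element.

```python
import json

# Constructed sample: trimmed variant of the Provisioning Completed payload
# quoted in the thread. The wanted entitlement is deliberately NOT at index 0.
EVENT = json.loads("""
{"accountRequests": [
  {"source": {"name": "Source_name"},
   "provisioningResult": "committed",
   "attributeRequests": [
     {"operation": "Add", "attributeName": "memberOf", "attributeValue": "Other_Group"},
     {"operation": "Add", "attributeName": "memberOf", "attributeValue": "Entitlement_Name"}]},
  {"source": {"name": "Corp LDAP"},
   "provisioningResult": "committed",
   "attributeRequests": [
     {"operation": "Add", "attributeName": "memberOf", "attributeValue": "Entitlement_Name"}]}
]}
""")


def explain(event, source_name, entitlement, results=("committed", "SUCCESS")):
    """Return (source name, verdict) per account request.

    The verdict is "match" or names the first condition that failed, so the
    values actually present in the payload can be compared with the filter.
    """
    report = []
    for req in event.get("accountRequests", []):
        # source and provisioningResult live on the account request,
        # not on the individual attribute requests.
        src = req.get("source", {}).get("name")
        added = [a.get("attributeValue") for a in req.get("attributeRequests", [])
                 if a.get("operation") == "Add"]
        if src != source_name:
            verdict = "source.name mismatch"
        elif req.get("provisioningResult") not in results:
            verdict = "provisioningResult mismatch: %r" % req.get("provisioningResult")
        elif entitlement not in added:
            verdict = "no Add with that attributeValue; saw %r" % added
        else:
            verdict = "match"
        report.append((src, verdict))
    return report


def filter_would_match(event, source_name, entitlement):
    """True if at least one account request satisfies every condition."""
    return any(v == "match" for _, v in explain(event, source_name, entitlement))
```

Load the real output of the trigger step with json.loads in place of EVENT; the "saw [...]" verdict lists the attributeValue strings that were actually sent for the source.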