Filter on source for Access Request Decision trigger

Hi Team,

Regarding the Access Request Decision trigger payload:

There doesn’t seem to exist any identifier for which sourceId that belongs to a specific access object, only “applicationName” which triggers only for access-profiles that are requested via that specific application.

(If I request a stand-alone access-profile from “access items” in request center the workflow doesn’t trigger, even though that access also belongs to the application)

Does anyone have an idea of how to create a workflow with functionality to filter on all access decisions for a specific source? Would be highly appreciated.

My trigger filter as of now:
$.requestedItemsStatus[?(@.clientMetadata.requestedAppName == "appName" && (@.operation =='Add') && (@.approvalInfo.length() == 0 || @.approvalInfo[-1].approvalDecision == "APPROVED"))]

There’s not a great way to do this without more complicated looping actions to check the source for each access profile. Workflow loops are too limited in capabilities to support the kind of looping you would need to do to lookup and match the source for each access profile that could appear in an access request. If you have to stay within workflows, then your best options are:

  • Update your Access profile names to include the source name as the prefix (ex. AD - Admin, AD - User). If you only need to do this for a particular source, then that might not be so bad. Then you can use a filter trigger to match the prefix.
  • Send the access request payload to an external processing service, like AWS Lambda, that can loop through each access profile, use the API to lookup the source ID, and then check for any matches. The Lambda can then respond with a list of access profiles that match the source you are interested in.

Thanks, I think including generic prefix for all APs will work nicely to be fair!

@Swegmann How did you update your filter to take into account the prefix? I’m running into this same use case.

Heya, yes! I’m now using the following filter:

$.requestedItemsStatus[*][?(@.name =~ /XYZ.*?/i&& (@.operation =='Add') && (@.approvalInfo.length() == 0 || @.approvalInfo[-1].approvalDecision == \"APPROVED\"))]

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.