Filtering AD Group Removals in Provisioning Complete Workflow


Hi Experts,

I’m looking for some guidance around filtering AD group data within a workflow in ISC.

Background

In our tenant, we have a large Active Directory source containing tens of thousands of AD groups.

As part of our application provisioning process, we’ve implemented ISC workflows that generate a ServiceNow ticket for a support team whenever access is added or removed. This is handled using the Provisioning Complete trigger, with a JSONPath expression to limit when the workflow executes.

Some applications are relatively simple (1–3 AD groups), while others are more complex (30+ AD groups).

The Problem

The issue arises during certification campaigns. When managers request the removal of multiple AD groups for a user, ISC sends all associated AD group removals within the deprovisioning request payload.

As a result, all AD groups are passed into the workflow and the downstream support teams receive tickets containing AD groups that are not relevant to their specific application.

Ideally, we only want the support team to see the AD group names that relate to their application, not every group included in the overall deprovisioning request, i.e. what is in the JSONPath expression criteria.

We are currently using a JSONPath filter similar to the below for the input filtering:

$.accountRequests[?( @.source.name == "Active Directory")].attributeRequests[?((@.attributeValue contains "SG-Role-General-Users" || @.attributeValue contains "SG-Role-Admin-Users") && @.operation == "Remove")]

In the Manage ServiceNow ticket we have tried a few different ways to filter them out but that is very hit and miss.

Role: {{$.trigger.accountRequests[0].attributeRequests[0].attributeValue}}

Have also looked at Define Variable action inside and outside a Loop operation and trying to regex the data into a variable.

Any suggestions, examples, or design patterns would be greatly appreciated.

Thanks in advance!

Hi @IanHarte

Are you trying to add a filter based on application names as all the AD groups are from single AD source? For example, when multiple AD groups are grouped under a single application and the provisioning‑completed trigger fires, you want the filter to detect which application it belongs to?

Hi Ian,

In the ServiceNow ticket space in the workflow, change from your existing "Role:" to "Please remove the following application roles: {{$.hsu.filteredGroups}}". This ensures that only what you have filtered is passed into the ServiceNow ticket.

Here, filteredGroups is the variable name on which you can use your JSONPath filter and store only the AD groups that you want to remove.

Hi Priya,

The filter criteria are based off of an application RBAC design, but we can't use names as that detail doesn't come through in the workflow's trigger, only the AD group names. We have at this stage 50+ workflows for AD group based applications with various numbers of groups in each.

When the application workflow is triggered, we need it to send the ServiceNow ticket to a desired ServiceNow queue for the applications support team to finalise the work. And this is where the AD groups from the criteria need to be seen.

When it comes to ADD access, the workflows are working fine as the provisioning create/add object contains only the specific Access Profiles / AD Groups that were requested.

Hi Rahul

What is the HSU portion of the variable?

@IanHarte Thanks for explaining!

I see, the app names won't appear in the trigger. Is there any common property between the accesses clubbed as an application, wherein you can use the access name which appears in the trigger for "Get Access" and get that property to understand their application?

The AD Group entitlements will belong to an Access Profile which has strong naming standards like: Application - Application Role - Environment

Yes, we can find the application the groups belong to with a search, as an example.

But the issue is more the filtering of the groups or access profile names from the overall list of groups and collecting that into a list for passing on to the next team.

Using a REGEX type check in the workflow will trigger true if any of the needed AD groups are found in the Provisioning Completed object. We might be looking for 2 groups, but in the certification removals 100 AD groups come through to remove. This means they get too much information for applications that are outside of their remit.

The Provisioning Completed trigger sends lists/arrays for the same source, which means we need to use the Loop. When using the Loop, we can define a variable, but we can only use it within the Loop. We don't want to send multiple ServiceNow tickets to teams to say remove role 1, role 2, role 3, etc.
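As an added example (not code from the thread or from SailPoint), the following Python stands in for the narrowing step the workflow needs: the trigger's JSONPath filter only decides whether the workflow fires, so the whole deprovisioning payload still arrives and the per-application list has to be built inside the workflow. The payload below is constructed to follow the fields the original JSONPath references (accountRequests[].source.name, attributeRequests[].operation, attributeRequests[].attributeValue); the function and variable names, the DN-shaped attribute values and the application group list are assumptions for illustration. It also shows why the "contains" style match from the original filter over-collects: SG-Role-Admin-Users matches SG-Role-Admin-Users-Test, whereas comparing the group's CN exactly against the application's group set does not.

```python
import json
import re

# Constructed sample of a Provisioning Completed payload (not from a real tenant).
# One AD account with three removals and one add, plus a non-AD account that must be ignored.
SAMPLE_PAYLOAD = json.loads("""
{
  "accountRequests": [
    {
      "source": {"name": "Active Directory"},
      "attributeRequests": [
        {"attributeName": "memberOf", "operation": "Remove",
         "attributeValue": "CN=SG-Role-General-Users,OU=Groups,DC=example,DC=com"},
        {"attributeName": "memberOf", "operation": "Remove",
         "attributeValue": "CN=SG-Role-Admin-Users-Test,OU=Groups,DC=example,DC=com"},
        {"attributeName": "memberOf", "operation": "Remove",
         "attributeValue": "CN=SG-Finance-Readers,OU=Groups,DC=example,DC=com"},
        {"attributeName": "memberOf", "operation": "Add",
         "attributeValue": "CN=SG-Role-Admin-Users,OU=Groups,DC=example,DC=com"}
      ]
    },
    {
      "source": {"name": "Okta"},
      "attributeRequests": [
        {"attributeName": "groups", "operation": "Remove",
         "attributeValue": "SG-Role-General-Users"}
      ]
    }
  ]
}
""")

# Hypothetical per-application group list (the groups named in one workflow's filter criteria).
APP_GROUPS = ["SG-Role-General-Users", "SG-Role-Admin-Users"]

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def group_name(attribute_value: str) -> str:
    """Return the CN of a DN-shaped value; plain group names are returned unchanged."""
    match = _CN_RE.match(attribute_value)
    return match.group(1) if match else attribute_value


def filter_group_removals(payload, source_name, application_groups, exact=True):
    """Collect the removed groups on `source_name` that belong to this application.

    exact=True compares the group CN against the application's set (case-insensitive).
    exact=False mimics the JSONPath 'contains' substring match and over-collects.
    """
    wanted = {g.lower() for g in application_groups}
    found = []
    for account in payload.get("accountRequests", []):
        if account.get("source", {}).get("name") != source_name:
            continue
        for req in account.get("attributeRequests", []):
            if req.get("operation") != "Remove":
                continue
            value = req.get("attributeValue", "")
            # attributeValue may be a single value or a list; normalise to a list.
            values = value if isinstance(value, list) else [value]
            for v in values:
                name = group_name(str(v))
                if exact:
                    hit = name.lower() in wanted
                else:
                    hit = any(g in str(v).lower() for g in wanted)
                if hit and name not in found:
                    found.append(name)
    return found


def ticket_body(groups):
    """Build the single ticket line; empty string means no ticket should be raised."""
    if not groups:
        return ""
    return "Please remove the following application roles: " + ", ".join(groups)


if __name__ == "__main__":
    removed = filter_group_removals(SAMPLE_PAYLOAD, "Active Directory", APP_GROUPS)
    print(ticket_body(removed))
```

Run as written, the exact match yields only SG-Role-General-Users (the Admin-Users entry is an Add, the Admin-Users-Test entry is a different group, and the Okta removal is on another source); switching to exact=False also pulls in SG-Role-Admin-Users-Test. An empty result is a signal to skip the ticket rather than raise one with no roles.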