I was wondering if it might be possible to somehow capture additional information with additional fields when an access request is submitted. For example, I’m looking to start providing just-in-time access for when members of the infosec team need Domain Access to perform certain work. Easy enough, they submit an Access Request (with required end dates), and, after approval, access is auto provisioned and later removed. However, it was requested that I provide a field to capture CHG number(s). The request is nit-picky, I understand, since there’s already a Business Justification field that can capture this, but I thought it might be easy, turns out no-so-much, to send a Form to the Requestor requesting this information, and then to append this information to the Comment field so it is visible to the Reviewers.
The problem I ran into, almost immediately, is a filter cannot be applied, at least not in the UI, to the Access Request Submitted trigger. I only want to send the Form when the Domain Admins - Active Directory (AD) Access Profile is requested.
may be we can work with workflow if domain admins present pop up form in workflow that displays chg number required, instead of appending comments reviewer need to chg number
Thanks. Unfortunately, I haven’t been able to figure out how to send an email to the approvers prior to the approvers being established. The idea is to send the input CHG number to the approvers in the approval policy before they perform the approvals, but in order to do that the send email action has to be before the approval policy action, but the Approvers array isn’t established until after the approval policy action (I don’t know if that makes sense).
Hi @pillar224
The access request submitted trigger does not allow filter but “Compare Strings” can be used after trigger to check $.trigger.requestedItem.name equals Domain Admins - Active Directory (AD) Access Profil, if true then transition to “Form” otherwise “End”
Adding to the use case: I don’t see any workflow action or API to update an already submitted access request. As a workaround, once we capture the CHG number via the Form, we can use the accessRequestId from the trigger to cancel the request using Cancel Access Request API and then resubmit it using the Submit Access Request API, post which approval policy and other things can be used as required.
The caveat is that cancelling triggers the OOTB ‘Access Request Cancelled’ email to the requester, to avoid that just add some if else condition in the subject line to stop the “Access Request Cancelled” email when the access item is Domain Admins - Active Directory (AD) Access Profile
