Generate ServiceNow ticket for Role Composition Certification Sign Off

Hi

I would appreciate some help or advice on whether it’s possible to generate a SNOW ticket for Role Composition Certification.

Scenario:

We are working on automating some tasks by integrating CyberArk (using the Privileged IDs) and SailPoint, and would like the owner of the IDs in the CyberArk vault to do an attestation for the IDs they own in the vault (a flat file source will be used for the CyberArk Privileged ID details). We were trying to achieve this by creating Role Compositions with the related entitlements for each owner and having them do an attestation for the same, but when we test and revoke an entitlement, it only creates a remediation task for the remediation owner. We would, however, like a ticket to be generated based on the case below.

Case:

The owner should be able to take the below actions:

  • Revoke (Change Owner) – Ownership of the Privileged ID should be changed to another person. (Ticket required).
  • Revoke (No longer required) – The Privileged ID should be deleted from the environment and CyberArk. (Ticket required).

Does anyone have any experience with this use case? Or do you think it is possible to generate a ticket even with a workflow? If so, what would be the trigger? We don’t want it to generate a ticket for all certification sign-offs, just for the specific role composition certifications.

@adunker I would love your thoughts on this.

The trigger would most likely be: Certification Signed Off | SailPoint Developer Community

Which would trigger when a user signs off on their certification of a role composition cert. This works fine and is as expected with role comp certs.

I think the blocker will be programmatically getting the details of the certification decisions in the workflow. This is trivial with identity certifications with endpoints like v2025/certifications/:id/access-review-items but these only support identity certifications.

You could use the certification reports and the v2025/reports/:taskResultId endpoint, but you would need to process that outside of a workflow.

So I would recommend building a workflow with that trigger, generating the report, and then passing that ID to something like an Azure Function to process and then you can open ServiceNow tickets from that Azure Function, or have the Azure Function call another SailPoint workflow to open the tickets with the ServiceNow ticket action.

Thanks for the quick response Alex. I don’t know much about Azure but I’m happy for the recommendations; I will certainly look into this with the team and see what we can leverage from it.

1 Like

@sunnyajmera Do you have any thoughts on this use case?

I agree that using the certification sign-off trigger to invoke an Azure Function—which parses the payload, filters for role-composition campaigns only, and then creates the appropriate ServiceNow ticket—is a good approach.

Unfortunately, you’ll find that you have far more flexibility if you implement this logic outside of ISC instead of using workflows.

2 Likes

As an alternative to an Azure Function, you can also create a scripted REST endpoint in your ServiceNow instance that can parse the payload and decide whether or not it needs to create a ticket. One less tool in the process.

4 Likes