Get List of Identities Error

I am trying to create a workflow that will create a certification campaign for a list of users whose role codes have changed. I was able to get the workflow test to pass with no issues by using the Get Identity action, but for some reason when I am trying to get a list of identities, the Create Certification action throws me this error:

request failed: 400 - 400 Bad Request.

I messed around with the workflow a bit and moved the certification actions to the false path just so I could get the workflow test to pass, and get the output data from the Get Identities action. But for some reason, it only gives me output relating to one identity, and not the 3-4 I am using as test input data. Here is the JSON path I am using for the Get List of Identities action, which was created from the variable selector. I’m a bit stumped here, and any help would be much appreciated!

Hi @mosareini ,

Welcome to SailPoint Developer Community.

Have you tested the workflow with the identities data that is present in your tenant?
For example, try to match the id and name as they are in the tenant. Also match the conditions you gave in the “compare strings” operator.

Before all this, check that the “compare strings” operator is working properly. If not, make use of the “verify data type” operator.

Hi @mosareini,

The Identity Attributes Changed Trigger, as I understand it, is triggered per Identity, and passing multiple Identities may not work.

Hi @GOKUL_ANANTH_M ,

I am using test user data we have in our tenant, and all the data looks to be correct. When I use the Get Identity action, the workflow executes perfectly. It’s only when I try using the Get List of Identities that I run into issues. I either get a 400 error at the Create Certification Campaign action, and if I remove the create and activate campaign actions, the output data for Get List of Identities shows me all access objects for only one of the test users, usually it’s the last of the users in the test input, and not all 3-4 I am inputting. I’ve also checked the compare string operator and that works fine. When my input data doesn’t have a role code change, it takes the false path, when there is a role code change, it takes the true path. The screenshot below is the test input I am using for our test user identities.

Hi @jesvin90

That would make sense considering I feel like I’ve tried every possible option lol. Do you know of any possible workaround for this? My main goal is to just get all the identities with a role code change, all into one certification, and then get that campaign over to a Governance Group. We have a lot of movers within our org, so automating this process would be a lot more efficient for our IAM team.

Hi @mosareini, if you want that, you need a way to register the change in some form.
If your company has the IdentityHistory function, you can use the API to search for an attribute change and grab the IDs, and then do whatever is necessary.

That way you can achieve your requirement.

Hi @mosareini,

There can be complex workarounds which involve setting up some Identity attributes with transforms (using $oldvalue, and I am not sure how efficient it is) that could indicate a role_code change and then making use of it in a Search query. But I am not sure if that would be the right approach, considering the fact that you would want to do periodic certifications and the calculations can become more complex.

I would still go with the Identity attribute trigger and the create certification action to generate certifications per user as it is available out of the box.

Would love to hear if anyone has achieved this in a simpler way.