Help in creating a custom workflow with a dynamic approver

I have a requirement in which I have to determine a dynamic approver based on “tags” that are attached to access items such as Roles and Access Profiles. As an example, I want to redirect the approval request to Governance group TAG1 if the access profile has the TAG1. I’m using a workflow with an external trigger that is linked to the Dynamic approver event trigger, and I followed this guide. I’m using the API get tagged object that helps me to read the tags of the object that I’m receiving from the EXTERNAL trigger:


This is the HTTP Request 1 block, in which I want to retrieve the object with the tags.


As Request URL parameters I put:

id : $trigger.startInvocationInput.requestedItems.id
type: $trigger.startInvocationInput.requestedItems.type

But it looks like it doesn’t work, and I don’t know why. After that block, if it works, I will attach a loop to iterate over the tags and then send the request to the proper governance group, but this piece is not included yet. The HTTP Request block is the final block, which is now set to a governance group, but I will change it; I put it there only for testing the HTTP Request 1 block:



Can anyone experienced with workflows help me, please?

Hi @s_tartaglione ,

Can you try below? I do see requestedItems is an array

id : $trigger.startInvocationInput.requestedItems[0].id
type: $trigger.startInvocationInput.requestedItems[0].type

Thanks, I changed these fields, but it looks like it is not able to perform the HTTP call due to an authorization problem. This is the execution of the workflow:

type,timestamp,attributes
WorkflowExecutionStarted,"2025-03-27T10:55:36.434475559Z","{""input"":{""_metadata"":{""callbackURL"":""https://partner11902.api.identitynow-demo.com/beta/trigger-invocations/801db3ae-f9df-44b9-a958-34d2b7639cfb/complete"",""responseMode"":""async"",""secret"":""98321b91-5a2e-40eb-9396-34f851baae33"",""triggerId"":""idn:access-request-dynamic-approver"",""triggerType"":""requestResponse""},""accessRequestId"":""086cab2dd3f44f89bf74a5560a8ba0a2"",""requestedBy"":{""id"":""991a7a89b20c43528aedd62e5ae2af43"",""name"":""s.tartaglione"",""type"":""IDENTITY""},""requestedFor"":{""id"":""991a7a89b20c43528aedd62e5ae2af43"",""name"":""s.tartaglione"",""type"":""IDENTITY""},""requestedItems"":[{""assignmentContext"":null,""comment"":null,""description"":""Questo Access Profile ti da il gruppo Entra: TestGroup3"",""id"":""40bb5595af7c4c8f810e3a20f4bce43f"",""name"":""AD Liquid Access Profile Test Group 3"",""operation"":""Add"",""type"":""ACCESS_PROFILE""}]}}"
ActivityTaskScheduled,"2025-03-27T10:55:36.542955377Z","{""displayName"":""HTTP Request 1"",""input"":{""authenticationType"":null,""basicAuthPassword"":null,""basicAuthUserName"":null,""csvRequestBody"":null,""formRequestBody"":null,""headerAuthName"":null,""headerAuthValue"":null,""jsonRequestBody"":{""secret"":""98321b91-5a2e-40eb-9396-34f851baae33""},""method"":""get"",""oAuthClientId"":null,""oAuthClientSecret"":null,""oAuthCredentialLocation"":null,""oAuthScope"":null,""oAuthTokenUrl"":null,""requestContentType"":""json"",""requestHeaders"":null,""suppliedInlineExpression"":{""jsonRequestBody"":""{\""secret\"":\""{{$.trigger._metadata.secret}}\""}""},""textRequestBody"":null,""url"":""https://partner11902.api.identitynow-demo.com/v3/tagged-objects/:type/:id"",""urlParams"":{""id"":""$trigger.startInvocationInput.requestedItems[0].id"",""type"":""$trigger.startInvocationInput.requestedItems[0].type""},""xmlRequestBody"":null},""stepName"":""hTTPRequest1"",""task"":""sp:http"",""technicalName"":""HTTP Request 1""}"
ActivityTaskStarted,"2025-03-27T10:55:36.542994843Z","{""attempts"":1,""displayName"":""HTTP Request 1"",""stepName"":""hTTPRequest1"",""task"":""sp:http"",""technicalName"":""HTTP Request 1""}"
ActivityTaskFailed,"2025-03-27T10:55:36.616246474Z","{""displayName"":""HTTP Request 1"",""error"":""request failed"",""stepName"":""hTTPRequest1"",""task"":""sp:http"",""technicalName"":""HTTP Request 1""}"
WorkflowExecutionFailed,"2025-03-27T10:55:36.642114674Z","{""error"":""task failed: activity error (type: sp:external:http:v2, scheduledEventID: 5, startedEventID: 6, identity: 1@sp-workflow-worker-internal-648c9b76-wfhmw@sp-workflow-engine): request failed (type: HTTP Response Returned a Client Error, retryable: false): request failed: 401 - 401 Unauthorized - {\""error\"":\""JWT is required\""}""}"

I don’t understand why it isn’t working, since I’ve put the secret retrieved from the trigger in the body.

@s_tartaglione, in “HTTP Request 1” you are calling SailPoint APIs. Hope you have generated a PAT token and provided the Client ID and secret.

Now I’ve generated the PAT token and the client ID and client secret, but when I select OAuth2 as the authentication type it asks for client ID, client secret and Token URL, but I have the token itself, not the token URL.

Token URL will be

https://tenant.api.identitynow.com/oauth/token

Thanks, now the authentication works, but it seems that the HTTP Request 1 block is failing again:

type,timestamp,attributes
WorkflowExecutionStarted,"2025-03-27T11:24:51.229341371Z","{""input"":{""_metadata"":{""callbackURL"":""https://partner11902.api.identitynow-demo.com/beta/trigger-invocations/82e18d6a-cc20-4bd5-920f-73e5bede0578/complete"",""responseMode"":""async"",""secret"":""d2410499-3e92-4f8b-94ce-69686a60dc8c"",""triggerId"":""idn:access-request-dynamic-approver"",""triggerType"":""requestResponse""},""accessRequestId"":""7fd81bceeae84abba0882e615fc4b57e"",""requestedBy"":{""id"":""991a7a89b20c43528aedd62e5ae2af43"",""name"":""s.tartaglione"",""type"":""IDENTITY""},""requestedFor"":{""id"":""9088ba74998d4ff4976b8a46b4faffd8"",""name"":""12121"",""type"":""IDENTITY""},""requestedItems"":[{""assignmentContext"":null,""comment"":null,""description"":""Questo Access Profile ti da il gruppo Entra: TestGroup3"",""id"":""40bb5595af7c4c8f810e3a20f4bce43f"",""name"":""AD Liquid Access Profile Test Group 3"",""operation"":""Add"",""type"":""ACCESS_PROFILE""}]}}"
ActivityTaskScheduled,"2025-03-27T11:24:51.318703651Z","{""displayName"":""HTTP Request 1"",""input"":{""authenticationType"":""OAuth"",""basicAuthPassword"":""$.secrets.d02e2b15-4309-4d23-ac85-7aa9cf00b6df"",""basicAuthUserName"":""s.tartaglione"",""csvRequestBody"":null,""formRequestBody"":null,""headerAuthName"":null,""headerAuthValue"":null,""jsonRequestBody"":{""secret"":""d2410499-3e92-4f8b-94ce-69686a60dc8c""},""method"":""get"",""oAuthClientId"":""6475e894615a46c8950f620398ea673c"",""oAuthClientSecret"":""$.secrets.9f3d54cb-7b9b-40f7-a740-758205bb0cbc"",""oAuthCredentialLocation"":""oAuthInBody"",""oAuthScope"":null,""oAuthTokenUrl"":""https://partner11902.api.identitynow-demo.com/oauth/token"",""requestContentType"":""json"",""requestHeaders"":null,""suppliedInlineExpression"":{""jsonRequestBody"":""{\""secret\"":\""{{$.trigger._metadata.secret}}\""}""},""textRequestBody"":null,""url"":""https://partner11902.api.identitynow-demo.com/v3/tagged-objects/:type/:id"",""urlParams"":{""id"":""$trigger.startInvocationInput.requestedItems[0].id"",""type"":""$trigger.startInvocationInput.requestedItems[0].type""},""xmlRequestBody"":null},""stepName"":""hTTPRequest1"",""task"":""sp:http"",""technicalName"":""HTTP Request 1""}"
ActivityTaskStarted,"2025-03-27T11:24:51.318746243Z","{""attempts"":1,""displayName"":""HTTP Request 1"",""stepName"":""hTTPRequest1"",""task"":""sp:http"",""technicalName"":""HTTP Request 1""}"
ActivityTaskFailed,"2025-03-27T11:24:52.531837055Z","{""displayName"":""HTTP Request 1"",""error"":""request failed"",""stepName"":""hTTPRequest1"",""task"":""sp:http"",""technicalName"":""HTTP Request 1""}"
WorkflowExecutionFailed,"2025-03-27T11:24:52.555786624Z","{""error"":""task failed: activity error (type: sp:external:http:v2, scheduledEventID: 5, startedEventID: 6, identity: 1@sp-workflow-worker-internal-648c9b76-89qmk@sp-workflow-engine): request failed (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request - {\""detailCode\"":\""400.1 Bad request content\"",\""trackingId\"":\""795865879e15433f9ed08b310001c8aa\"",\""messages\"":[{\""locale\"":\""en-US\"",\""localeOrigin\"":\""DEFAULT\"",\""text\"":\""The request was syntactically correct but its content is semantically invalid.\""},{\""locale\"":\""und\"",\""localeOrigin\"":\""REQUEST\"",\""text\"":\""The request was syntactically correct but its content is semantically invalid.\""}],\""causes\"":[]}""}"

It seems that I have problems using the filters for this kind of trigger. Can anyone experienced guide me to the right path for taking the “type” and the “id” of the access item that I requested and that is captured by the dynamic approval event trigger?

@s_tartaglione Can I know what is the request URL you are calling in HTTP Request 1?

Yes I can give you all the parameters:

Request URL: https://tenant.api.domain.com/v3/tagged-objects/:type/:id
id: $.trigger.startInvocationInput.requestedItems[0].id
type: $.trigger.startInvocationInput.requestedItems[0].type
Method: GET

From docs, I do see below is the input to the trigger.

{
  "accessRequestId": "4b4d982dddff4267ab12f0f1e72b5a6d",
  "requestedFor": {
    "type": "IDENTITY",
    "id": "2c91808568c529c60168cca6f90c1313",
    "name": "William Wilson"
  },
  "requestedItems": [
    {
      "id": "2c91808b6ef1d43e016efba0ce470904",
      "name": "Engineering Access",
      "description": "Engineering Access",
      "type": "ACCESS_PROFILE",
      "operation": "Add",
      "comment": "William needs this access for his day to day job activities."
    }
  ],
  "requestedBy": {
    "type": "IDENTITY",
    "id": "2c91808568c529c60168cca6f90c1314",
    "name": "Billy Bob"
  }
}

So, it should be as below. Not sure if this resolves your issue. If not, I’ll try to replicate the same in my env and update you

id: $.trigger.requestedItems[0].id
type: $.trigger.requestedItems[0].type

I tried again with this kind of input but the error is the same in the workflow :(

Hi @s_tartaglione ,

I tried and below is working for me. Give it a try and let me know the outcome.
We need to pass the variables in the URL rather than passing them as param variables.

https://bbw-sb.api.identitynow.com/v2024/tagged-objects/{{$.trigger.requestedItems[0].type}}/{{$.trigger.requestedItems[0].id}}

Hi, thanks for your responses, it works!!! Thank you! But how can I recognize when to pass the variables in the URL and when to pass them as request parameters?

I tried to pass them as variables in the request params, but it doesn’t work. Not sure about the reason. The same works in Postman.
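
The execution histories pasted in this thread carry the trigger `secret` in clear text and show the `urlParams` values scheduled as literal `$trigger...` text. The following is an added example (not code from the thread or from SailPoint) that redacts such a CSV export before it is shared and reports those signals. Field names follow the logs above; the sample rows, host and secret values are constructed, and the "starts with `$`" check is a heuristic assumption.

```python
import csv
import io
import json
import re

# Constructed sample in the CSV shape of the execution histories above.
# Host, ids and secret values are made up for this example.
SAMPLE = r'''type,timestamp,attributes
WorkflowExecutionStarted,"2025-01-01T00:00:00Z","{""input"":{""_metadata"":{""secret"":""00000000-aaaa-bbbb-cccc-000000000000""},""requestedItems"":[{""id"":""abc123"",""type"":""ACCESS_PROFILE""}]}}"
ActivityTaskScheduled,"2025-01-01T00:00:01Z","{""displayName"":""HTTP Request 1"",""input"":{""jsonRequestBody"":{""secret"":""00000000-aaaa-bbbb-cccc-000000000000""},""oAuthClientSecret"":""$.secrets.example"",""url"":""https://tenant.example/v3/tagged-objects/:type/:id"",""urlParams"":{""id"":""$trigger.requestedItems[0].id"",""type"":""$trigger.requestedItems[0].type""}}}"
WorkflowExecutionFailed,"2025-01-01T00:00:02Z","{""error"":""request failed (retryable: false): request failed: 400 - 400 Bad Request""}"
'''

SENSITIVE = re.compile(r"secret|password|authvalue", re.I)


def redact(node):
    """Copy a decoded JSON value, masking string values under sensitive keys."""
    if isinstance(node, dict):
        return {k: "[REDACTED]" if SENSITIVE.search(k) and isinstance(v, str)
                else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


def analyse(history_csv):
    """Return (redacted events, findings) for an execution-history CSV."""
    events, findings = [], []
    for row in csv.DictReader(io.StringIO(history_csv)):
        attrs = json.loads(row["attributes"])
        if row["type"] == "ActivityTaskScheduled":
            params = (attrs.get("input") or {}).get("urlParams") or {}
            for name, value in params.items():
                # Heuristic: a value still starting with "$" was never resolved.
                if isinstance(value, str) and value.startswith("$"):
                    findings.append(f"url param {name!r} scheduled as literal {value!r}")
        status = re.search(r"\b([45]\d\d) - \1 ", attrs.get("error", ""))
        if row["type"] == "WorkflowExecutionFailed" and status:
            findings.append(f"workflow failed with HTTP {status.group(1)}")
        events.append({"type": row["type"], "timestamp": row["timestamp"],
                       "attributes": redact(attrs)})
    return events, findings


if __name__ == "__main__":
    redacted, notes = analyse(SAMPLE)
    print(json.dumps(redacted, indent=2))
    print("\n".join(notes))
```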