Help Needed: Workflow Loop Limitation – Only Processing 250 Identities Out of 1000+

Hi all,

Question: How can I ensure the workflow processes all matching identities — not just the first 250? Any guidance or examples would be appreciated.

Context
I’ve built a SailPoint Identity Security Cloud (ISC) workflow that searches for all terminated identities with an active AD account and disables the AD accounts. I’m using a loop to iterate through the identities returned by the search. Find below the workflow image

The issue I’m facing is that while the search query returns over 1000 identities, my workflow only processes a maximum of 250. It appears the loop is only handling a partial set of the search results. Here’s the workflow run successfully:

Here’s what I’ve configured for the loop operator:

Here’s what I’ve configured for the get Accounts action:

Here’s what I configured for the manage account action:

@Ade Omololu
To handle this, you should apply a pagination technique. Store the search results in a list and process them in batches — for example, first process identities 1–250, then 251–500, and so on, until all identities are covered. This ensures the loop iterates over the complete set of search results beyond the initial 250.

Hi @aomololu01

I have done this use case, in which, rather than using the get list of identities action, I used an HTTP request to get only a limited number of identities, i.e. 100 at a time, and sorted them based on id.
And then using loop disabled the AD account. Because workflow was able to execute on 100 identities, because we were running a scheduled trigger at one point all the identities AD account was disabled.

Catch is: the get list of identities action will need to be changed to an HTTP Request (action) with the search query endpoint. Limit it to 100 (so that looping can be supported).

Hope this helps

Hi @aomololu01

Even if we are able to bring all 1000 identities, we cannot iterate more than 250 items in a loop. Check this:
Operators - SailPoint Identity Services.

Alternative way to achieve the same is:
Identity Attribute Changed to Inactive → Check if Identity has active AD account → if yes, disable → End

Thanks
Sid

As said by @neeraj99, you can use the search API (search-post | SailPoint Developer Community) using “HTTP Request” to get the list of identities and set the limit of 100 (this is the limit of array items from the HTTP Request step that can be passed to the loop step) in Query parameters.

As you are using the scheduled trigger, you can increase the frequency of workflow run as per the count.

Hi Ade,

I’d recommend looking at recursive workflows for your use case. There is a great article here: Recursive Workflows in IdentityNow . The asynchronous example here should meet your use case.

Thanks,
Margo

Thanks for your response, Neeraj. Does sorting on the id ensure that the next time the workflow runs, it doesn’t execute on the first batch of 100?

No. So the idea here is:
Using search you will be looking for identities whose LCS=disabled (or terminated, however it suits) AND @account(Active Directory is enabled).
This will ideally give you all the identities whose AD is enabled but they were in disabled LCS.

Now the idea is these should be disabled & sorting here is just for a reference purpose that disabling of AD happens sequentially not just any identity which is getting indexed on search getting disabled.

So once the search is done, the workflow will disable, let’s say, 100 identities’ AD accounts. Now, as their AD is disabled, next time when you run the search they won’t show up there. So it will always be a forward-looking kind of situation, and at the end all accounts are disabled.
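
The reasoning in the reply above, as an added simulation that is not part of the original thread and does not call SailPoint: `search` and `disable` are hypothetical in-memory stand-ins for the search query and the disable step, and the population is constructed sample data. It goes one step beyond the reply by contrasting the no-offset approach with advancing an offset between runs, and by showing what happens when some disables keep failing and stay at the head of the id-sorted results.

```python
BATCH = 100  # per-run limit suggested in the thread for the HTTP Request step


def search(identities, limit=BATCH, offset=0):
    """Stand-in for the search: terminated identities with AD still enabled, sorted by id."""
    hits = sorted(i for i, st in identities.items() if st["terminated"] and st["ad_enabled"])
    return hits[offset:offset + limit]


def disable(identities, ident, failing=()):
    """Stand-in for the manage-account step; ids in `failing` simulate a disable that errors."""
    if ident in failing:
        return False
    identities[ident]["ad_enabled"] = False
    return True


def drain_without_offset(identities, failing=(), max_runs=50):
    """Each scheduled run takes the first BATCH hits; disabled ids drop out of the next search."""
    runs = 0
    while runs < max_runs:
        batch = search(identities)
        if not batch:
            break
        progressed = [disable(identities, i, failing) for i in batch]
        runs += 1
        if not any(progressed):  # whole batch failed: the same ids would head every later run
            break
    return runs, len(search(identities, limit=len(identities)))


def drain_with_offset(identities):
    """Contrast: advancing an offset while the result set shrinks skips identities."""
    offset = 0
    while True:
        batch = search(identities, offset=offset)
        if not batch:
            break
        for i in batch:
            disable(identities, i)
        offset += BATCH
    return len(search(identities, limit=len(identities)))


def make_population(n=1000):
    # Constructed sample data: n terminated identities, all with AD still enabled.
    return {f"id{k:04d}": {"terminated": True, "ad_enabled": True} for k in range(n)}
```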

Thanks for your response, Sid. We have a workflow that is triggered on attribute change. This workflow is should in case AD account was enabled and lifecycle state change took place before AD enabled. As such, this workflow I am looking to implement will handle this scenario.