Help with a workflow to disable “stale” AD accounts

I am working on building a workflow that looks at an identity attribute we have set to determine how long it’s been since an AD account has been used. The workflow triggers when that attribute changes to 45Past, and the idea is to have the workflow:

  • Determine if the AD account is active. If not, the workflow ends.
  • Send a form to a user to verify that we want the account disabled.
  • If the form is approved, then disable the account.

I have the trigger working and I am able to get the identity and the AD account attributes passed from the trigger, but I am having an issue with the compare strings operator to determine if the account is active or not. Any idea what I am doing wrong?
Here is the compare strings setup.
compareString.docx (46.0 KB)

Here is the sanitized step input. I just removed a bunch of Identity and Account attributes.

{
  "compareStrings": {
    "ChoiceList": [
      {
        "Comparator": "StringEquals",
        "NextStep": "Compare Strings 1",
        "VariableA.$": "$.hTTPRequest.body[0].disabled",
        "VariableB": "true"
      }
    ],
    "DefaultStep": "End Step - Success",
    "Description": "Is the account already disabled?",
    "DisplayName": "Compare Strings: AD Enabled?",
    "Name": "Compare Strings",
    "SelectInput": "$",
    "SelectOutput": "$",
    "SelectResult": "$",
    "Type": "choice"
  },
  "defineVariable": {
    "clientID": "24965e799ef043e98ceb3494311f846f",
    "https://promedica-sb.identitynow.com/": "https://company7833-poc.api.identitynow-demo.com",
    "webhookURL": "https://webhook.site/5ab885b3-8c63-4897-ba7c-728ceecf429b"
  },
  "getIdentity": {
    "alias": "2000952",
    "attributes": {
      "adDn": "CN=Dorn\\, Abbigail,OU=Student,OU=Non-ProMedica,OU=Users,OU=ProMedica,DC=test,DC=promedica,DC=org",
      "workingRemote": "N",
      "workingRemotes": null
    },
    "created": "2023-03-21T16:40:35.925Z",
    "emailAddress": "No Email on File",
    "id": "352e2571c40f4173bd3486540b046af7",
    "identityStatus": "UNREGISTERED",
    "isManager": false,
    "lastRefresh": "2025-06-11T13:03:18.163Z",
    "lifecycleState": {
      "manuallyUpdated": false,
      "stateName": "active"
    },
    "managerRef": null,
    "modified": "2025-06-11T13:03:18.662Z",
    "name": "Dorn, Abbigail(DR44745)",
    "processingState": null
  },
  "hTTPRequest": {
    "body": [
      {
        "attributes": {
          "NetBIOSName": null,
          "accountFlags": [
            "Normal User Account"
          ],
          "cn": "Dorn, Abbigail",
          "userPrincipalName": "DR44745@test.promedica.org",
          "whenChanged": "20250610204132.0Z"
        },
        "authoritative": false,
        "cloudLifecycleState": "active",
        "connectionType": "direct",
        "created": "2023-10-02T23:09:56.735Z",
        "description": null,
        "disabled": false,
        "ownerGroup": null,
        "ownerIdentity": null,
        "recommendation": null,
        "sourceId": "2c918087846385ee01847c5747c90a5f",
        "sourceName": "test.promedica.org",
        "sourceOwner": {
          "id": "2c9180867f4b899a017f4c70fda8704d",
          "name": "Scott Coleman",
          "type": "IDENTITY"
        },
        "systemAccount": false,
        "type": null,
        "uncorrelated": false,
        "uuid": "{12c7ca7a-651e-4892-be31-11a5946431b0}"
      }
    ],
    "headers": {
      "Content-Type": [
        "application/json;charset=utf-8"
      ]
    },
    "responseTime": "0.422631 seconds",
    "statusCode": 200
  },
  "hTTPRequest1": {
    "body": "success",
    "headers": {
      "Content-Type": [
        "text/html; charset=UTF-8"
      ]
    },
    "responseTime": "0.357975 seconds",
    "statusCode": 200
  },
  "hTTPRequest2": {
    "body": "success",
    "headers": {
      "Content-Type": [
        "text/html; charset=UTF-8"
      ]
    },
    "responseTime": "0.374312 seconds",
    "statusCode": 200
  },
  "trigger": {
    "changes": [
      {
        "attribute": "phsiAdStatus",
        "newValue": "Active",
        "oldValue": "180DaysPast"
      }
    ],
    "identity": {
      "id": "352e2571c40f4173bd3486540b046af7",
      "name": "2000952",
      "type": "IDENTITY"
    }
  }
}

Here is output from jsonpathfinder.com
jsonpathfinder.docx (50.3 KB)

It looks like I have the right JSON path expression in the compare string but the workflow is returning false.
outputFalse.docx (69.5 KB)

Any suggestions on what I am doing wrong?

The JSON Path expression looks fine to me. Instead of “equals”, can you try using “contains” and see if it works?

I just tried with “contains” and it does the same thing and goes down the false path. The value is false so contains should be true.

I also tried the JSON Path Evaluator on the developer site (SailPoint Developer Community) and it says that the value is false.

Here, you are checking if the disabled property is equal to the string true.

"ChoiceList": [
  {
    "Comparator": "StringEquals",
    "NextStep": "Compare Strings 1",
    "VariableA.$": "$.hTTPRequest.body[0].disabled",
    "VariableB": "true"  // <--- The original value
  }
],

This logic asks the question: “Is the account disabled?” If yes, it proceeds. This is the opposite of what you want.


The Corrected Code

Here, you are checking if the disabled property is equal to the string "false".

"ChoiceList": [
  {
    "Comparator": "StringEquals",
    "NextStep": "Send Approval Form",
    "VariableA.$": "$.hTTPRequest.body[0].disabled",
    "VariableB": "false" // <--- The corrected value
  }
],

This new logic asks the question: “Is the account active?” (because disabled: false means it’s active). If yes, it proceeds to the approval step. This matches the goal of your workflow.

Fred, I have tried both true and false on the compare strings to see if the account is disabled. Either way it goes down the false path and ends the workflow.

@swcoleman Can you check what value "$.hTTPRequest.body[0].disabled" is actually giving? You can check using the send email action: just put the variable "$.hTTPRequest.body[0].disabled" in the email body and check.

Have you tried a Boolean comparison?

{
  "compareBooleans": {
    "Type": "choice",
    "Description": "Is the account active (not disabled)?",
    "DisplayName": "Compare Booleans: Is AD Active?",
    "ChoiceList": [
      {
        "Comparator": "BooleanEquals",
        "VariableA.$": "$.hTTPRequest.body[0].disabled",
        "VariableB": false, 
        "NextStep": "Send Approval Form"
      }
    ],
    "DefaultStep": "End Step - Account Already Disabled"
  }
}

Hi @swcoleman

Try using the ‘Compare Boolean’ operator instead of ‘Compare Strings’ operator and the workflow should work as expected.

Here’s the JSON code for the Boolean part if you can include this in your workflow.

"Compare Boolean": {
  "actionId": "sp:compare-boolean",
  "choiceList": [
    {
      "comparator": "BooleanEquals",
      "nextStep": "HTTP Request",
      "variableA.$": "$.hTTPRequest.body[0].disabled",
      "variableB": true
    }
  ],

Give it a try and let me know if it works.

@JackSparrow that’s a great idea. When I do that I just get the variable text in the email, not the value of the variable. I also don’t see the $.hTTPRequest.body[0].disabled in the input to the “send email” step.

@nhassan that seems to have been the issue. Since it’s a boolean value I needed to use the boolean compare.

@JackSparrow I am curious, though, why emailing the variable didn’t work. I am going to try that on another step. I like that better than sending data to webhook.site to see what is being sent.
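
An added example, not part of any post in this thread and not SailPoint's code: a small Python model of a choice step, run against the `disabled` value from the posted step input. It assumes comparators are type-strict (a string comparator never matches a JSON boolean), which matches the behaviour reported above; `resolve`, `next_step` and `choice` are hypothetical helper names.

```python
import re

# Constructed sample: trimmed from the step input posted in the thread.
STEP_INPUT = {"hTTPRequest": {"body": [{"disabled": False}], "statusCode": 200}}

def resolve(path, data):
    """Resolve a simple JSONPath ($.a.b[0].c only); return (found, value)."""
    node = data
    for key, idx in re.findall(r"\.([A-Za-z_]\w*)|\[(\d+)\]", path):
        try:
            node = node[key] if key else node[int(idx)]
        except (KeyError, IndexError, TypeError):
            return False, None
    return True, node

# Assumption: comparators are type-strict, so a string comparator never
# matches a JSON boolean. This models the behaviour reported in the thread.
COMPARATORS = {
    "StringEquals": lambda a, b: isinstance(a, str) and isinstance(b, str) and a == b,
    "BooleanEquals": lambda a, b: isinstance(a, bool) and isinstance(b, bool) and a == b,
}

def next_step(choice_step, data):
    """Return the step a choice operator would route to for this input."""
    for item in choice_step["ChoiceList"]:
        found, value = resolve(item["VariableA.$"], data)
        if found and COMPARATORS[item["Comparator"]](value, item["VariableB"]):
            return item["NextStep"]
    return choice_step["DefaultStep"]

def choice(comparator, variable_b):
    """Build a choice step on the `disabled` flag (helper for this example)."""
    return {
        "ChoiceList": [{
            "Comparator": comparator,
            "NextStep": "Send Approval Form",
            "VariableA.$": "$.hTTPRequest.body[0].disabled",
            "VariableB": variable_b,
        }],
        "DefaultStep": "End Step - Success",
    }

if __name__ == "__main__":
    for comp, b in [("StringEquals", "true"), ("StringEquals", "false"),
                    ("BooleanEquals", False)]:
        print(comp, repr(b), "->", next_step(choice(comp, b), STEP_INPUT))
    # No AD account returned: the path does not resolve, so nothing is disabled.
    print("empty body ->", next_step(choice("BooleanEquals", False),
                                     {"hTTPRequest": {"body": []}}))
```

Under this model both string comparisons fall through to the default step, and an empty `body` array also routes to the default, so a missing account never reaches the approval and disable path.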

@swcoleman, Could you help me with the complete workflow JSON by masking sensitive info?
