I have to certify specific entitlements identity wise.
Entitlement should have tag as PRD OR it should be part of Source A OR Source B.
First I created an identity attributes changed trigger, then got the identity information, then used Get Access there with a search query to fetch entitlements. Then I created a certification campaign, getting the access items from the previous steps.
Search Query: tags:PRD OR source.name.exact:"Source A" OR source.name.exact:"Source B"
Hello @Amrit1897, how will you know which identity you will be certifying, as “Identity Attributes Changed” will trigger for all the identities that have attribute changes? Make sure you use the compare strings operator to filter out the identity you are looking for.
Use the below search query:
(source.name:"" OR source.name:"") AND tags:""
Also, make sure you have selected only the “Get Entitlements” option in the Get Access step.
I don’t think the “Create Certification Campaign” step has the option to filter down the access like you mentioned for single identities. You could select an identity certification, but that would certify all the access the identity has.
To accomplish what you want, instead of the “Create Certification Campaign”, use an HTTP call to the create certification campaign endpoint instead and pass in the required search filter and Identity you want to certify.
Make sure you use compare strings operator to filter out the identity you are looking for - It is there already
Also, make sure you have selected only “Get Entitlements” option in the get access step - This is also in place
Understandable! I’d like to see if anyone has a workaround to get this to work with the OOTB “Create Certification Campaign” step. As far as I know, your use case is not possible with that step.
Considering you are filtering the identity for which you want to create the campaign using the filter in the “Identity Attribute Changed” trigger, this trigger will now give you the output of the identity that you want to certify.
You can use this search and see if it works.
id:{{$.trigger.identity.id}} AND @access(source.name:"" OR source.name:"") AND tags:""
As per the test workflow, it takes the entitlement returned from the query into consideration.
Then, with identity certification and $.trigger.identity.id, it processes only for an identity.
I don’t believe that you can do what you are asking with the OOTB options. When you create a Search Campaign in the UI as IDENTITY or ACCESS, the query used gets all items that come from that, then the second step allows you to choose All Returned Items or Specifically Selected Items to further filter the results. It is this second part that does not appear to be available in the OOTB step that would allow you to do what you want (either select the user with the query, then limit the access to the items, or select the access, then limit to the single user).
I would like to echo what others have stated, in that making an HTTP Request call to the Create Campaign Endpoint may be the simplest option. I would first see if you can create a campaign manually from Search and see if you can get the results that you want. This will allow you to use that campaign as an example for creating a new one. Using the HTTP Request step and the API can still be considered OOTB, as all aspects are provided by SailPoint, it just requires some extra knowledge for configuring the HTTP Requests.
If you can create the campaign through the Search UI to do what you want, then we should be able to help you put together the steps needed to have it done through a workflow.