IDN Workflow remove access request

yordan_novtekov · July 29, 2022, 1:16pm

Hi Team,

I am working on creating a very simple workflow.

Upon lifecycle change, create a remove access request and send notification e-mail.
I am currently stuck on remove access request and I am not able to find a proper example explaining how it needs to be configured, the only one I was able to fine is in the below tread and is not valid:

https://community.sailpoint.com/t5/IdentityNow-Forum/

When I use: $.getAccess.accessItems[?(@.id==“cf432d92f4984298bb9028e37a698b84”)]

I receive:ActivityTaskFailed,“2022-07-29T12:50:53.522343917Z”,“{”“displayName”“:”“Request Access Removal”“,”“error”“:”“request failed: 400 - 400 Bad Request: The request could not be parsed.”“,”“stepName”“:”“requestAccessRemoval”“,”“task”“:”“sp:create-revoke-request”“}”
WorkflowExecutionFailed,“2022-07-29T12:50:53.595585114Z”,“{”“error”“:”“task failed: activity error (type: sp:internal:http, scheduledEventID: 5, startedEventID: 6, identity: 1@01edb5e62932@): request failed: 400 - 400 Bad Request: The request could not be parsed. (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request”“}”

Assistance on the matter with be highly appreciated.

Br.
Yordan

colin_mckibben · July 29, 2022, 1:32pm

Hi Yordan. Welcome to the developer community!

Looking at the image you provided, that is not a valid JSON path. It’s also not the correct data structure that Manage Access needs to work. Manage Access is intended to be used alongside Get Access. In the Get Access action, you supply a search string to get a list of access items that you want to manage. You then select that list in Manage Access via the variable selector.

Start by configuring Get Access to get a single role using the following configuration:

Then, use the output of Get Access as the input to Manage Access.

yordan_novtekov · July 29, 2022, 1:38pm

Hi Colin,

Thanks for the lightning fast response.

Have a great weekend!

Br.
Yordan

yordan_novtekov · August 2, 2022, 8:27am

Hi Colin,

I did a significant amount of tests regarding the workflow. I tried the remove role exactly as explained in your response, but the workflow appeared to be stuck and did not give any logs. I have a duplicate WF that triggers e-mail notification with the exact same filter, so I know that both workflows are triggered. I reversed the WF to assign an empty role that does not even need approval, however it is still giving me error messages:

ActivityTaskScheduled,“2022-08-02T07:51:29.195719816Z”,“{”“displayName”“:”“Manage Access”“,”“input”“:{”“addIdentities”“:”“2c918085818c0b1d0181908fe25b01c3"”,““comments””:““Add Access””,““removeDuration””:null,““removeIdentity””:““2c918085818c0b1d0181908fe25b01c3"”,”“requestType”“:”“GRANT_ACCESS”“,”“requestedItems”“:null},”“stepName”“:”“manageAccess”“,”“task”“:”“sp:access:manage”“}”

ActivityTaskStarted,“2022-08-02T07:51:29.248512476Z”,“{”“displayName”“:”“Manage Access”“,”“stepName”“:”“manageAccess”“,”“task”“:”“sp:access:manage”“}”

ActivityTaskFailed,“2022-08-02T07:51:29.549916534Z”,“{”“displayName”“:”“Manage Access”“,”“error”“:”“request failed: 400 - 400 Bad Request: Required field "“requestedItems"” was missing or empty. (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request”“,”“stepName”“:”“manageAccess”“,”“task”“:”“sp:access:manage”“}”

WorkflowExecutionFailed,“2022-08-02T07:51:29.654616439Z”,“{”“error”“:”"actionStep(Manage Access) Error: task failed: activity error (type: sp:access:manage,

Your assistance on the matter will be highly appreciated.

Br.
Yordan

colin_mckibben · August 8, 2022, 3:02pm

A post was split to a new topic: Workflows Manage Access 403 Error when Revoking Access

colin_mckibben · August 8, 2022, 4:50pm

In this particular error, I can see that the requested items is null, which is why you are getting the 400. I think your workflow might be in a bad state. Try building a new workflow from scratch using the configuration that I shared in my images above.

yordan_novtekov · August 10, 2022, 10:42am

I recreated the workflow twice and perform the same test. Manually the role is assigned without approval successfully, however the workflow shows the same error every time. Any help or ideas on the matter will be highly appreciated

TestAccessRequest20220810.txt (1.2 KB)

.

colin_mckibben · August 10, 2022, 3:35pm

I think you’re missing a colon in your search query in GetAccess. It needs to be id:{your id here}"

What error are you receiving with your rebuilt workflow?

yordan_novtekov · August 15, 2022, 7:48am

I don’t know how I missed colon, I intentionally rebuild it twice by looking at your example.
Would be helpful if there were description of the error messages in the documentation which will be help a lot with troubleshooting purposes.

Everything things works now, thank you a lot for the help!

colin_mckibben · November 4, 2022, 1:08pm

A post was split to a new topic: Workflows remove roles on identity termination

Topic		Replies	Views
WorkFlow Remove Access via Manage Access Issue in IdentityNow ISC Discussion and Questions workflows	2	709	July 19, 2023
Workflows: Action "Manage Access" ISC Discussion and Questions workflows , identity-security-cloud	3	782	July 19, 2023
Workflow to bypass access request approval ISC Discussion and Questions workflows , identity-security-cloud , access-requests	2	269	April 21, 2024
Using workflows to send reminder email that your access will be removed and another workflow to revoke access and send email that your access was removed ISC Discussion and Questions workflows , identity-security-cloud	3	435	July 27, 2023
Revoking all access based on identity attribute change ISC Discussion and Questions workflows , identity-security-cloud , access-requests	8	1074	November 5, 2023

IDN Workflow remove access request

Related topics