Inquiry Regarding Workflow Error for Access Profile Retrieval

I am reaching out to discuss an issue we are currently facing with our workflow designed for the retrieval of access profiles.

As part of our system’s security and management protocols, we have implemented a workflow that automatically retrieves access profiles once a user’s status becomes either inactive or terminated. This process has been functioning effectively; however, we have encountered a significant challenge.

When the number of access profiles to be retrieved surpasses 200, the workflow results in an error, preventing us from retrieving the access profiles as intended. This limitation is impacting our ability to maintain our system’s security and efficiency.

Could you please provide any advice or solutions that could help us overcome this challenge? Any guidance on optimizing our workflow to handle larger volumes of access profiles without encountering errors would be greatly appreciated.

Thank you for your time and assistance. I look forward to your valuable insights.

1 Like

Hi @joyoon00,

Loop has a restriction of only 100 iterations. The operation you are intending to perform inside the loop is not very clear. Can you let us know what error you faced?

If your intent is to revoke the access profiles assigned to the user, you can achieve this with a recursive workflow. But it has its limitations as well. Take a look at the interesting post below from Collin on recursive workflows.

Regards,
Uday Kilambi

1 Like

Hi @joyoon00,

I recommend using GET Access for retrieving access and Manage Access with “remove” actions rather than an HTTP request.

With that you can manage more access.

1 Like

You might also find this blog post by @sharvari helpful. She demonstrates how to revoke all access for an identity in a workflow.

1 Like

Hi there,

I’ve been using the “GET Access” method to remove access profiles and entitlements successfully. However, I recently came across a discussion on the SailPoint developer forum where Julian Sosa recommended using HTTP methods for the removal process (you can find this discussion here). This advice was part of a broader conversation on managing entitlements with workflows, detailed in another forum post (see this post).

Given this advice, should I continue to use the “GET Access” method for removal, or is it now recommended to switch to HTTP methods for managing these tasks? I’m looking for the best practice in the current context, considering the suggestion from the forum.