Is it possible to track workflow execution for identities and mark them as "workflow executed"?

Hi All,

We have a use case where we need to track workflow execution for identities and update those for which the execution is completed.

Wanted to understand if anyone had a similar requirement and how did you manage to do it. One way I could think of is to update identity attribute once the workflow execution completes, however I understand there is no way to do update identity attribute via workflows.

Any help would be appreciated.

Thanks,
Shailee

Off the top of my head, one way might be to include a step in the workflow to send an email to yourself or your team to notify you that the workflow has executed for the particular identity.

Yes that’s a viable option, however what we are looking for is to “mark” identities. Based on that, we want to generate a consolidated report via Search

Hmm, maybe you could create an identity attribute and include a step to make an API call with this endpoint:

put-identity-attribute | SailPoint Developer Community

1 Like

@shaileeM One way I can think of is tagging identities. In your workflow, add an HTTP step to make an API call to tag the identity you process with something like ‘WorkflowProcessedUser’. In search, when you use tags to generate a report of users with this tag, you will easily be able to narrow down your targeted list of users.

Here’s the API:

1 Like

Thank you @vkashat and @sushant1 . Let me try out

One consideration with tags I believe there’s a limit of 500 tagged objects in a tenant, so if you anticipate needing more than that it may be a problem

Noted. Perhaps, we can remove tags periodically.

You could also add this as an attribute (workflow executed) to a homebrew Delimited File connector and update the attribute with a REST API call from the workflow. Then check on the execution based on that attribute?

1 Like

I see, good to know. Can you also share documentation for this tagging limitation for future reference in this thread?

Tagged Objects | SailPoint Developer Community

1 Like

Hi @sushant1 , @vkashat ,

Basically, what I am trying is to tag the user first, generate the report and untag the user after the report is generated.

Tagging and removing the tag, both can be done via APIs, so I don’t see any problem here.

Do share your thoughts about this approach.

Regards,
Shailee

That’s a great approach, that way you won’t stay at limit of 500 tags per tenant. For removal, perhaps consider a time-based removal of tags, sometime after your reports are generated. I don’t have the full context of your requirement but see if it works for you.

Just a small addition here based on the documentation shared by @shaileeM :
It says that while you can have up to 500 different tags in your tenant, you can have 10k tagged objects, i.e pairings of 1 tag to 1 object, in your tenant.

That sounds like a good approach! And Sushant’s time-based approach is a good suggestion too.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.