Is my Manage Access Action configured properly?

Hello, I am trying to create a workflow that revokes access when provisioning is complete. It was successful when tested (disabled) and passed once when tested (enabled). It keeps trying to revoke all access items instead of the initial request access item that finished provisioning. How can I resolve this?

Here is the entire workflow in case that helps.





Under the Get Access Action you have specified to fetch All Access items of the identity, and under the Manage Access configuration you have specified $.getAccess.accessItems, which will include all accesses of the identity in the Remove Access Action…

Also wondering what is the purpose of this Workflow as you are removing the access items that are just provisioned…

(What am I missing here? 🤔)

As of right now I am not sure. I am a junior developer and a senior developer asked me to create this workflow.

I tried that $.getAccess.accessItems. I don’t want to remove all access, just the provisioned access that was triggered.

As for this specific workflow, I am just looking for one specific access profile whose provisioning is completed, and it revokes only the single specific access profile, not all the access.

So your workflow is working the way expected… is that right? Or was it the only access the identity had?

It keeps failing. Before, when I had the $.getAccess.accessItems, it worked but it was revoking all identities. How do I get it to only revoke the access profile whose provisioning is completed?

Though this is the logic for your workflow, I am not sure how effective this whole operation will be, as I am not entirely sure about the chronology of Provisioning, Single Account Aggregation / Account Aggregation and Deprovisioning post execution of the workflow.

Here is my explanation.
If you look at the JSON sample for the Provisioning Completed Trigger in this page, you will see it returns the accountRequests details as an array, as shown below:

"accountRequests":[
        {
            "source":{
                "id":"4e4d982dddff4267ab12f0f1e72b5a6d",
                "name":"Corporate Active Directory",
                "type":"SOURCE"
            },
            "accountId":"CN=example,ou=sample,ou=test,dc=ex,dc=com",
            "accountOperation":"Modify",
            "provisioningResult":"SUCCESS",
            "provisioningTarget":"Corp AD",
            "ticketId":"72619262",
            "attributeRequests":[
                {
                    "operation":"Add",
                    "attributeName":"memberOf",
                    "attributeValue":"CN=admin,DC=training,DC=com"
                }
            ]
        }
    ]

Here you can see the attributeRequests object lists the accesses provisioned.

Now if you look at the JSON sample of the Get Access Action below (from this page), it has a list of accesses the user has.


{
    "accessItems":[
        {
            "id":"2c9180847fdd00e1017ff5afb9c31f4e",
            "name":"CN=AD Access,OU=pod-name,DC=Test",
            "type":"entitlement"
        },
        {
            "id":"2c9180867ff523f4017ff5b17ff500af",
            "name":"Sales Role",
            "type":"role"
        },
        {
            "id":"2c9180887ff4d87e017ff5b1192b010e",
            "name":"Access to AD",
            "type":"accessprofile"
        }
    ]
}
    

If you try to relate these two, you will see that what is specified as attributeValue in the JSON from the Provisioning Trigger corresponds to the name field under accessItems. You should also make sure that the type of the accessItem is entitlement. Once you filter based on this comparison, you should be able to get the id of the accessItem and then remove it by means of the Manage Access Action.

Thank you I will try this and check in on the results Monday

I added this to my manage access, and it works. My only issue now is filtering the provisioning trigger for adding access, not removing access.

The same provisioning may carry out Add, Set or Remove operations for individual accesses. You can filter the added accesses by checking the value for the operation key inside the attributeRequests array below.
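
The matching described in the replies above (attributeValue against accessItems name, type entitlement, operation Add), written out as an added Python example; it is not code from the thread or from SailPoint, and a workflow would express the same filter with its own operators. The inputs are constructed, and the function names, the `id-...` values and the skipping of non-SUCCESS requests are assumptions.

```python
# Added example: constructed inputs shaped like the two JSON samples in the thread.
TRIGGER = {"accountRequests": [
    {"provisioningResult": "SUCCESS", "attributeRequests": [
        {"operation": "Add", "attributeName": "memberOf",
         "attributeValue": "CN=admin,DC=training,DC=com"},
        {"operation": "Remove", "attributeName": "memberOf",
         "attributeValue": "CN=old,DC=training,DC=com"}]},
    {"provisioningResult": "FAILED", "attributeRequests": [  # constructed failed request
        {"operation": "Add", "attributeName": "memberOf",
         "attributeValue": "CN=AD Access,OU=pod-name,DC=Test"}]},
]}
ACCESS = {"accessItems": [
    {"id": "id-ent-admin", "name": "CN=admin,DC=training,DC=com", "type": "entitlement"},
    {"id": "id-ent-old", "name": "CN=old,DC=training,DC=com", "type": "entitlement"},
    {"id": "id-ent-adaccess", "name": "CN=AD Access,OU=pod-name,DC=Test", "type": "entitlement"},
    {"id": "id-role-sales", "name": "Sales Role", "type": "role"},
    {"id": "id-ap-ad", "name": "Access to AD", "type": "accessprofile"},
]}


def provisioned_names(trigger, operation="Add"):
    """Attribute values the trigger reports for `operation` on successful requests."""
    names = set()
    for request in trigger.get("accountRequests") or []:
        # Assumption (not from the thread): ignore requests that did not succeed.
        if request.get("provisioningResult") != "SUCCESS":
            continue
        for attr in request.get("attributeRequests") or []:
            value = attr.get("attributeValue")
            if attr.get("operation") == operation and isinstance(value, str):
                names.add(value)
    return names


def items_to_revoke(trigger, get_access_output):
    """IDs of entitlement access items whose name matches a value just added."""
    names = provisioned_names(trigger)
    return [item["id"] for item in get_access_output.get("accessItems") or []
            if item.get("type") == "entitlement" and item.get("name") in names]


if __name__ == "__main__":
    # An empty list means "revoke nothing", never "fall back to every access item".
    print(items_to_revoke(TRIGGER, ACCESS))
```
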
