I am building a Workflow where I need to Revoke and Grant two different access entitlements. I am using the same construct for both and relying on the same getIdentity parameter.
Problem:
When granting access, using getidentity.id works correctly.
When revoking access, the operation does not execute as expected.
Additional context:
In another Workflow, similar logic works correctly for revocation.
I’ve double-checked that the same parameter (getidentity.id) is used in both cases.
Hi @maksimkapustin, welcome to the SailPoint Developer Community!
Regarding the entitlement(s) that is still failing to be revoked, did you check whether this might have been granted via birthright access, i.e. a dynamic role or access profile having this entitlement, or the entitlement itself tied to a role and the user is a member of that role, in which case this would fail?
The basic rules of ISC access management still apply, i.e. only requested roles (not auto-assigned ones) and entitlements that exist outside of roles and access profiles will be revocable.
Piggybacking on what Noor mentioned: another way is to check if the entitlement assignment is revocable. Navigate to Admin → Access Model → Entitlement → search for the entitlement and select it → select Identities on the left-hand side → click “View Assignment” for the identity in context. In the assignment section you will see “Revocable”: YES or NO. If it's NO, you cannot directly revoke it, as it was assigned to the identity by another access item like a Role or Access Profile. You might want to get the identity's list of entitlements, check the entitlement assignment data, and perform the revoke action based on its value.
Looking at your screenshots, I assume you are trying to revoke in a case where a role or AP granted partial access and failed for others due to another issue. In that case you may want to revoke the role/AP if the access is not needed any more, but more information on what your end goal is will be helpful.
@nhassan @lampard08
Thanks a lot for the clarification. You’re absolutely right — the entitlement was granted as part of the role.
I believe we can consider this topic resolved.