LifeCycleState Change Workflow

mpotti · April 16, 2024, 1:17pm

I am working on building a workflow that when an account moves to an inactive life cycle state that the api call is made to remove ISC roles for Helpdesk and Report Admin. I am trying to validate that the new value on the event call is inactive. When I try the below filtering I am always following the true statement and sending the api call. I am not sure what I am doing wrong with trying to compare the string values.

{
    "id": "acb3eb79-0b4a-4232-b194-20dcd10a1e52",
    "name": "Disable - TSC Access",
    "description": "When a user moves to an inactive LCS remove Helpdesk and Reporting Admin roles for the account.",
    "created": "2024-04-16T11:22:35.070844688Z",
    "modified": "2024-04-16T12:56:27.909543041Z",
    "modifiedBy": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "definition": {
        "start": "Compare Strings",
        "steps": {
            "Compare Strings": {
                "choiceList": [
                    {
                        "comparator": "StringEquals",
                        "nextStep": "HTTP Request",
                        "variableA.$": "$.trigger.changes",
                        "variableB.$": "$.trigger.changes[?(@.newValue == \"inactive\")]"
                    }
                ],
                "defaultStep": "End Step - Success 1",
                "displayName": "",
                "type": "choice"
            },
            "End Step - Success 1": {
                "displayName": "",
                "type": "success"
            },
            "HTTP Request": {
                "actionId": "sp:http",
                "attributes": {
                    "authenticationType": "OAuth",
                    "jsonRequestBody": [
                        {
                            "op": "remove",
                            "path": "/capabilities",
                            "value": [
                                "REPORT_ADMIN",
                                "HELPDESK"
                            ]
                        }
                    ],
                    "method": "patch",
                    "oAuthClientId": "REMOVED",
                    "oAuthClientSecret": "REMOVED",
                    "oAuthCredentialLocation": "oAuthInHeader",
                    "oAuthScope": null,
                    "oAuthTokenUrl": "REMOVED/oauth/token",
                    "requestContentType": "json",
                    "requestHeaders": {
                        "Accept": "application/json",
                        "Content-Type": "application/json-patch+json"
                    },
                    "url": "REMOVED/v3/auth_users/{{$.trigger.identity.id}}"
                },
                "description": null,
                "displayName": "",
                "nextStep": "End Step - Success 1",
                "type": "action",
                "versionNumber": 2
            }
        }
    },
    "enabled": false,
    "executionCount": 0,
    "failureCount": 0,
    "creator": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "owner": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "trigger": {
        "type": "EVENT",
        "attributes": {
            "attributeToFilter": "cloudLifecycleState",
            "filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\")]",
            "id": "idn:identity-attributes-changed"
        }
    }
}

TEST PAYLOAD TRUE:

{
  "identity": {
    "type": "IDENTITY",
    "id": "6928225c4a8f4688a145ad5a1e77ee0a",
    "name": "A Meyer, Cody"
  },
  "changes": [
    {
      "attribute": "cloudLifecycleState",
      "oldValue": "active",
      "newValue": "inactive"
    }
  ]
}

TEST PAYLOAD FALSE:

{
  "identity": {
    "type": "IDENTITY",
    "id": "6928225c4a8f4688a145ad5a1e77ee0a",
    "name": "A Meyer, Cody"
  },
  "changes": [
    {
      "attribute": "cloudLifecycleState",
      "oldValue": "inactive",
      "newValue": "active"
    }
  ]
}

iamology · April 16, 2024, 1:29pm

try after changing above to

"variableA.$": "$.trigger.changes[?(@.attribute == \"cloudLifecycleState\")].newValue",
"variableB.$": "inactive"

mpotti · April 16, 2024, 1:51pm

I am getting an error message when I updated with your suggestion.

"definition": {
        "start": "Compare Strings",
        "steps": {
            "Compare Strings": {
                "choiceList": [
                    {
                        "comparator": "StringEquals",
                        "nextStep": "HTTP Request",
                        "variableA.$": "$.trigger.changes[?(@.attribute == \\\"cloudLifecycleState\\\")].newValue",
                        "variableB.$": "inactive"
                    }
                ],
                "defaultStep": "End Step - Success 1",
                "displayName": "",
                "type": "choice"
            },

iamology · April 16, 2024, 1:53pm

I guess this is the issue. It’s got to be \"cloudLifecycleState\" in json. You can use the Workflow builder to fix this instead of json file

mpotti · April 16, 2024, 3:58pm

Still the same error message.

iamology · April 16, 2024, 4:06pm

I suggest create a new temporary workflow to just this test part. I have seen multiple times such errors while testing the workflows and simply recreating the workflow eliminated the error

mpotti · April 16, 2024, 4:13pm

{
  "identity": {
    "type": "IDENTITY",
    "id": "6928225c4a8f4688a145ad5a1e77ee0a",
    "name": "A Meyer, Cody"
  },
  "changes": [
    {
      "attribute": "cloudLifecycleState",
      "oldValue": "active",
      "newValue": "inactive"
    }
  ]
}

iamology · April 16, 2024, 4:48pm

please share your json file for this test workflow. This is very strange. I tested the workflow several times and it worked every time

mpotti · April 16, 2024, 4:56pm

{
    "id": "65efd1fa-16a2-4f47-a7f0-51bf20191f3d",
    "name": "Test Remove IDN from TSC",
    "description": "Remove Helpdesk and Report_Admin from inactive TSC users",
    "created": "2024-04-16T16:07:48.505557596Z",
    "modified": "2024-04-16T16:27:27.230497011Z",
    "modifiedBy": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "definition": {
        "start": "Compare Strings",
        "steps": {
            "Compare Strings": {
                "choiceList": [
                    {
                        "comparator": "StringEquals",
                        "nextStep": "End Step - Success",
                        "variableA.$": "$.trigger.changes[?(@.attribute == \"cloudLifecycleState\")].newValue",
                        "variableB": "inactive"
                    }
                ],
                "defaultStep": "End Step - Success",
                "displayName": "",
                "type": "choice"
            },
            "End Step - Success": {
                "displayName": "",
                "type": "success"
            }
        }
    },
    "enabled": false,
    "executionCount": 0,
    "failureCount": 0,
    "creator": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "owner": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "trigger": {
        "type": "EVENT",
        "attributes": {
            "attributeToFilter": "cloudLifecycleState",
            "filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\")]",
            "id": "idn:identity-attributes-changed"
        }
    }
}

iamology · April 16, 2024, 6:13pm

This is blowing my mind. I added another CompareStrings to your workflow with same conditions (just copied and pasted) and it returns true while the original CompareStrings returns false!!!

mpotti · April 16, 2024, 6:47pm

I opened CS0284934 with support on this. I will keep this updated with what support comes back with.

jesvin90 · April 17, 2024, 7:49am

Hi @mpotti,

I tested it out in my tenant and the 3 step workflow (Identity Attributes Changed - Compare Strings - End) Test gave me incorrect outputs.

But after I added an extra HTTP action, it gave me correct output

FALSE Case

TRUE Case

Also, if the test still doe not work out, try doing an actual test by making a user status active/inactive to see if the WF behaves correctly. I have seen the test following the wrong paths, but the actual Identity changes taking the correct path in the WF’s.

Here is the WF JSON I used. Try uploading this directly as well as creating manually to see if it gives different results.

TestRemoveIDNfromTSC20240417.json (1.3 KB)

mpotti · April 23, 2024, 5:25pm

Thank you everyone for the help with issue. Here is my final workflow that is working as I would expect it to be.

{
    "id": "REMOVED",
    "name": "Disable - TSC Access",
    "description": "When a user moves to an inactive LCS remove Helpdesk and Reporting Admin roles for the account.",
    "created": "2024-04-16T11:22:35.070844688Z",
    "modified": "2024-04-23T17:21:43.488486322Z",
    "modifiedBy": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "definition": {
        "start": "Compare Strings",
        "steps": {
            "Compare Strings": {
                "choiceList": [
                    {
                        "comparator": "StringEquals",
                        "nextStep": "HTTP Request 1",
                        "variableA.$": "$.trigger.changes[?(@.attribute == \"cloudLifecycleState\")].newValue",
                        "variableB": "inactive"
                    }
                ],
                "defaultStep": "End Step - Success 1",
                "displayName": "",
                "type": "choice"
            },
            "End Step - Success 1": {
                "displayName": "",
                "type": "success"
            },
            "HTTP Request": {
                "actionId": "sp:http",
                "attributes": {
                    "authenticationType": "OAuth",
                    "jsonPatchRequestBody": [
                        {
                            "op": "remove",
                            "path": "/capabilities",
                            "value": [
                                "REPORT_ADMIN",
                                "HELPDESK"
                            ]
                        }
                    ],
                    "jsonRequestBody": [
                        {
                            "op": "remove",
                            "path": "/capabilities",
                            "value": [
                                "REPORT_ADMIN",
                                "HELPDESK"
                            ]
                        }
                    ],
                    "method": "patch",
                    "oAuthClientId": "REMOVED",
                    "oAuthClientSecret": "REMOVED",
                    "oAuthCredentialLocation": "oAuthInHeader",
                    "oAuthScope": null,
                    "oAuthTokenUrl": "https://REMOVED.api.identitynow.com/oauth/token",
                    "requestContentType": "json-patch+json",
                    "requestHeaders": null,
                    "url": "https://REMOVED.api.identitynow.com/v3/auth-users/{{$.trigger.identity.id}}"
                },
                "description": null,
                "displayName": "",
                "nextStep": "End Step - Success 1",
                "type": "action",
                "versionNumber": 2
            },
            "HTTP Request 1": {
                "actionId": "sp:http",
                "attributes": {
                    "authenticationType": "OAuth",
                    "jsonRequestBody": null,
                    "method": "get",
                    "oAuthClientId": "REMOVED",
                    "oAuthClientSecret": "REMOVED",
                    "oAuthCredentialLocation": "oAuthInHeader",
                    "oAuthScope": null,
                    "oAuthTokenUrl": "https://REMOVED.api.identitynow.com/oauth/token",
                    "requestContentType": "json",
                    "requestHeaders": null,
                    "url": "https://REMOVED.api.identitynow.com/v3/auth-users/{{$.trigger.identity.id}}"
                },
                "description": null,
                "displayName": "",
                "nextStep": "Verify Data Type",
                "type": "action",
                "versionNumber": 2
            },
            "Verify Data Type": {
                "choiceList": [
                    {
                        "comparator": "IsNull",
                        "nextStep": "End Step - Success 1",
                        "variableA.$": "$.hTTPRequest1.body.capabilities"
                    }
                ],
                "defaultStep": "HTTP Request",
                "displayName": "",
                "type": "choice"
            }
        }
    },
    "enabled": true,
    "executionCount": 0,
    "failureCount": 0,
    "creator": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "owner": {
        "type": "IDENTITY",
        "id": "REMOVED",
        "name": "REMOVED"
    },
    "trigger": {
        "type": "EVENT",
        "attributes": {
            "attributeToFilter": "cloudLifecycleState",
            "filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\")]",
            "id": "idn:identity-attributes-changed"
        }
    }
}

Topic		Replies	Views
Creating a workflow to check for changes made to the lifecyclestate ISC Discussion and Questions identity-security-cloud	3	209	March 3, 2024
Identity Values Not Populating in Workflow ISC Discussion and Questions workflows , identity-security-cloud	3	77	April 25, 2024
Workflow - Loop Input Filter ISC Discussion and Questions workflows , identity-security-cloud	6	189	March 20, 2024
Identity Attribute Changed Trigger JSONpath to check if multiple attributes have changed ISC Discussion and Questions workflows , identity-security-cloud	5	268	January 13, 2024
Fetching account details in Workflow ISC Discussion and Questions workflows , identity-security-cloud	2	42	April 29, 2024

LifeCycleState Change Workflow

Related Topics