Managing access after an access request decision

I’m attempting to configure a workflow that, after an access request decision completes, will check license availability on a third-party service via an HTTP request, and then, if no licenses are available, revoke the access that was just assigned to the user.

The issue I’m having though is getting the access object after running the getAccess action.
Right now it’s configured like so:

"Get Access": {
  "actionId": "sp:access:get",
  "attributes": {
    "accessprofiles": true,
    "entitlements": false,
    "getAccessBy": "specificIdentity",
    "identityToReturn.$": "$.trigger.requestedFor.id",
    "roles": false
  },
  "description": null,
  "displayName": "",
  "nextStep": "Define Variable",
  "type": "action",
  "versionNumber": 1
}

With the manage access step trying to compare the access that was requested from the trigger to the list of the identity’s access, but I’m not getting any results.

"Manage Access": {
  "actionId": "sp:access:manage",
  "attributes": {
    "comments": "insufficient licenses",
    "removeIdentity.$": "$.trigger.requestedFor.id",
    "requestType": "REVOKE_ACCESS",
    "requestedItems.$": "$.getAccess.accessItems[?(@.id == $.trigger.requestedItemsStatus[*].id)]"
  },
  "displayName": "",
  "nextStep": "End Step - Success 1",
  "type": "action",
  "versionNumber": 1
}

I can’t figure out why this isn’t finding the access object from the getAccess action.
Any help would be greatly appreciated!

I’d thought I’d solved my problem, with the data in my test run looking like this:

{
  "addIdentities": "<no value>",
  "comments": null,
  "removeDuration": null,
  "removeIdentity": "f1b52f80a324488cb4a63721ea0c69b6",
  "requestType": "REVOKE_ACCESS",
  "requestedItems": {
    "id": "500b153e73354270a66b468f79b88524",
    "name": "Pagerduty Dev - OPS",
    "type": "ACCESS_PROFILE"
  }
}

But I’m getting a 400 response when I try to remove the access from the action.

request failed: 400 - 400 Bad Request: (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request

Hi Connor,

Can you try adding brackets [ ] around the requested items?

{
  "comments": "test",
  "removeIdentity": "f1b52f80a324488cb4a63721ea0c69b6",
  "requestType": "REVOKE_ACCESS",
  "requestedItems": [ {
    "id": "500b153e73354270a66b468f79b88524",
    "name": "Pagerduty Dev - OPS",
    "type": "ACCESS_PROFILE"
  } ]
}

Regards
Arjun

Hi Arjun, I’m not actually sure how I would do that to be honest :sweat_smile:
When I try to encapsulate the “access to manage” field in brackets I get the following error.

Hi Connor,

There is an OOTB workflow template, “Revoke entitlement Additions detected - as native change account updated”. Look for the “Submit Revocation Request” step. It may help. All the best.

Regards
Arjun


Hi Arjun, first of all I wanted to thank you so much for your help - I’ve made good progress because of it!

The last issue I’m having with this manage access request is that I’m getting a 400 error even when the body is identical to the request format outlined in SailPoint’s documentation.

The documentation points out that the body should be in this format.

{
    "accessItems":[
        {
            "id":"technicalID",
            "name":"accessItemName",
            "type":"accessItemType"
        }
    ]
}

The request body should be something like below:

{
  "requestedFor": [
    "8cfe5b64d9974XXXX14dacb024985f"
  ],
  "requestedItems": [
    {
      "id": "d6319162b21cYYYYa1019d95ee491a",
      "type": "ACCESS_PROFILE",
      "comment": "Requesting access profile for Aabha"
    }
  ],
  "requestType": "REVOKE_ACCESS"
}
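As an added example (not code from this thread or from SailPoint), here is the join that the JSONPath filter in the original "Manage Access" step was trying to express, done in Python over constructed trigger and getAccess payloads (all ids are placeholders), producing a REVOKE_ACCESS body in the shape the documentation excerpt above shows.

```python
import json

# Constructed sample of the Access Request Decision trigger payload,
# reduced to the fields the workflow reads; ids are placeholders.
TRIGGER = {
    "requestedFor": {"id": "identity-0001"},
    "requestedItemsStatus": [
        {"id": "ap-1111", "name": "Pagerduty Dev - OPS", "type": "ACCESS_PROFILE"},
    ],
}

# Constructed sample of the "Get Access" (sp:access:get) action output.
GET_ACCESS = {
    "accessItems": [
        {"id": "ap-1111", "name": "Pagerduty Dev - OPS", "type": "ACCESS_PROFILE"},
        {"id": "ap-2222", "name": "Unrelated Profile", "type": "ACCESS_PROFILE"},
    ]
}


def requested_access_items(trigger, get_access):
    """Keep only the identity's access items whose id appears in the decision.

    A JSONPath filter cannot compare one node against a list elsewhere in
    the document, so the join is done here explicitly by id.
    """
    wanted = {item["id"] for item in trigger.get("requestedItemsStatus", [])}
    return [
        {"id": a["id"], "name": a["name"], "type": a["type"]}
        for a in get_access.get("accessItems", [])
        if a["id"] in wanted
    ]


def build_revoke_body(trigger, get_access, comment):
    """Build the REVOKE_ACCESS body with requestedFor and requestedItems as lists.

    Returns None when nothing matched, so the caller skips the request
    instead of submitting an empty revocation.
    """
    items = requested_access_items(trigger, get_access)
    if not items:
        return None
    return {
        "requestedFor": [trigger["requestedFor"]["id"]],
        "requestedItems": [
            {"id": i["id"], "type": i["type"], "comment": comment} for i in items
        ],
        "requestType": "REVOKE_ACCESS",
    }


if __name__ == "__main__":
    print(json.dumps(build_revoke_body(TRIGGER, GET_ACCESS, "insufficient licenses"), indent=2))
```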