We would like to implement a Compare String operator on the “Revoke Entitlement Additions Detected as Native Change Account Updated”. When a certain group/groups are added directly in the application we would like the workflow to leave the access and not remove it. Howerver if the group is not in the compare list it should go ahead and remove it.
What I have been able to do is create the Compare Srings operator and have it look at the first group in the EntitlementChanges section and if it matches it wont revoke the access.
So 2 issues:
You might have an array list of access being removed that you need to loop through.
You might have multiple groups that you dont want access to be removed from even if it was added directly in the application.
As far as I know this will be difficult to achieve via workflow as you have to use 2 parallel iteration, 1 on removed entitlements detected by NCD and other allowed entitlement list to choose from to take necessary action (remove or keep access). You can’t use 2 loop operation at the same time. Suggestion : Explore event trigger feature
Another bad approach will be to trigger remove operation for all NCD detected entitlements and then handle any additional logic on before provisioning rule by updating the provisioning plan.
