Need Help with Workflow to Remove Access Profile and Entitlement on User Inactivity or Information Change

Identity Security Cloud (ISC) ISC Discussion and Questions
, , ,
1

I want to create a workflow that removes Access Profile and Entitlement when a user becomes inactive or when their information (such as department, position, etc.) changes.

However, the workflow I have created keeps producing errors, and the entitlements are not being deleted. Even when using HTTP instead of Get Access, I encounter errors. I need help with this issue.

스크린샷 2024-06-20 014835
스크린샷 2024-06-20 0148351207×754 61.5 KB

스크린샷 2024-06-20 014841
스크린샷 2024-06-20 0148411222×755 62.8 KB

스크린샷 2024-06-20 014847
스크린샷 2024-06-20 0148471198×748 62.5 KB

스크린샷 2024-06-20 014853
스크린샷 2024-06-20 0148531233×754 63.6 KB

스크린샷 2024-06-20 014900
스크린샷 2024-06-20 0149001214×752 64.6 KB

[Output Log]
{
“loopOutput”: {
“failureItems”: [
{
“errorMessage”: “child workflow execution error (type: sp-child-workflow, workflowID: 84064d3d-01b8-4cb6-b98a-a64467163e39-1, runID: 40ac9832-ea3b-4320-a1fc-164f0d6d2dde, initiatedEventID: 23, startedEventID: 52): task failed: activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 8cc10cbc-3219-4120-8731-f8e9f24f45f9): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true) (type: withStack, retryable: true): task failed: activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 8cc10cbc-3219-4120-8731-f8e9f24f45f9): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true) (type: ExecutorError, retryable: true): task failed: activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 8cc10cbc-3219-4120-8731-f8e9f24f45f9): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true) (type: withStack, retryable: true): task failed: activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 8cc10cbc-3219-4120-8731-f8e9f24f45f9): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true) (type: wrapError, retryable: true): activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 8cc10cbc-3219-4120-8731-f8e9f24f45f9): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true)”,
“payload”: “”
},

2

Hi @joyoon00 I have problems in the past using the Get Access/Manage Access to perform some action on an identity entitlements.

I could make it work using the HTTP Request in conjuntion with API, here is how I did it, hope it helps:

3

Not only does it fail to “GET ACCESS”, but the HTTP request also returns a 400 error because loop.context.id is either missing or not in the correct format.

image
image1057×758 61.7 KB

image
image1046×756 60.4 KB

image
image1061×755 64.6 KB

4

Can you test what happen if you chante the loop context to $.trigger.identity, and at bottom in the request body, chante the requestedFor value to $.loop.context.id?

5

Here are the test results after changing context to trigger.identity and subsequently updating loop.context.id:

"loopOutput": {
    "failureItems": [
        {
            "errorMessage": "child workflow execution error (type: sp-child-workflow, workflowID: 46eddb77-e2b2-4b94-ae0e-4b2cce512bca-1, runID: aec1227b-dfda-43f7-a42f-04b238fe75f3, initiatedEventID: 17, startedEventID: 25): task failed: activity error (type: sp:external:http:v2, scheduledEventID: 5, startedEventID: 6, identity: 8cc10cbc-3219-4120-8731-f8e9f24f45f9): request failed (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request - {\"detailCode\":\"400.1 Bad request content\",\"trackingId\":\"88f619ab011b4749b24d77d754500564\",\"messages\":[{\"locale\":\"und\",\"localeOrigin\":\"REQUEST\",\"text\":\"The following access item(s) cannot be revoked from identity (\\\"5f6c6ed1f4594672b73af5f9094f8d91\\\"): 19caf7e2bdd849e3bf23f61a121827da. \"},{\"locale\":\"en-US\",\"localeOrigin\":\"DEFAULT\",\"text\":\"The following access item(s) cannot be revoked from identity (\\\"5f6c6ed1f4594672b73af5f9094f8d91\\\"): 19caf7e2bdd849e3bf23f61a121827da. \"}],\"causes\":[]} (type: withStack, retryable: true): task failed: activity error (type: sp:external:http:v2, scheduledEventID: 5, startedEventID: 6, identity: 8cc10cbc-3219-4120-8731-f8e9f24f45f9): request failed (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request - {\"detailCode\":\"400.1 Bad request content\",\"trackingId\":\"88f619ab011b4749b24d77d754500564\",\"messages\":[{\"locale\":\"und\",\"localeOrigin\":\"REQUEST\",\"text\":\"The following access item(s) cannot be revoked from identity (\\\"5f6c6ed1f4594672b73af5f9094f8d91\\\"): 19caf7e2bdd849e3bf23f61a121827da. \"},{\"locale\":\"en-US\",\"localeOrigin\":\"DEFAULT\",\"text\":\"The following access item(s) cannot be revoked from identity (\\\"5f6c6ed1f4594672b73af5f9094f8d91\\\"): 19caf7e2bdd849e3bf23f61a121827da. \"}],\"causes\":[]} (type: HTTPError, retryable: true)",
            "payload": ""
        },
6

Can you use this:
Loop Context - $.trigger.identity

HTTP -
Request URL - https://{{TENANT}}.api.identitynow.com/v3/access-requests
Request Body
{
“requestType”: “REVOKE_ACCESS”,
“requestedFor”: [
“{{$.loop.context.id}}”
],
“requestedItems”: [
{
“comment”: “Remove Access”,
“id”: “{{$.loop.loopInput.id}}”,
“name”: “{{$.loop.loopInput.name}}”,
“type”: “{{$.loop.loopInput.type}}”
}
]
}

1 Like
7

Why dont you use this combination to remove access instead of looping, this eliminates the need for looping and will ensure all your accesses are removed as per your need, just make sure to insert a WAIT in WF before this steps to ensure all automated removals triggered due to LCS or criteria based roles are cleared before we hit a GET ACCESS call.
image

1 Like
8

@jeongkwang-yoon are there any access profile you are trying to remove, that is granted by role? Was this granted with some automated assignment condition to role?

9

hi @joyoon00 ,

I am not sure if you got a chance to check this. This was helpful to me in one of the use case and I think this might help you as well. Though you might have to twick the workflow to match your use case.

Thanks,
Uday

10

Hi @joyoon00 ,

You do not need to use loop over here. You can immediately call “Manage Access” right after “Get Access” if you wanted to remove all the access profiles as part of leaver inactivity with the below input condition for requestedItems of Manage Access step.

$.getAccess.accessItems[?(@.type == “ACCESS_PROFILE”)]

Regards,
Uday Kilambi

12

I found that using this feature only allows me to delete one item at a time.
Therefore, I used a loop to remove all permissions.

13

I was already using it this way :smiling_face_with_tear:

14

The role I want to remove is not the automatically assigned one, but the All Role, Access Profile, Entitlement.that was granted upon request approval.

15

I found that using this feature only allows me to delete one item at a time.
Therefore, I used a loop to remove all permissions. :smiling_face_with_tear:

16

Here, under Manage Access > Access to Manage, you have “Enter Value” for input type. Change this to “Choose variable” and try again.

Enter Value expects a velocity template where as you need to select “Choose Variable” if you are passing a variable from another operation

17

I encountered the following error when I tried it this way:

{
    "errorMessage": "child workflow execution error (type: sp-child-workflow, workflowID: 10dbbac0-944b-4940-bd63-67fb5ff50061-11, runID: b1b3303c-902e-4118-a03b-ee4a2aeb002e, initiatedEventID: 27, startedEventID: 47): task failed: activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 9dce3753-94b9-4f50-b369-3fc1dab5bcee): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true) (type: withStack, retryable: true): task failed: activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 9dce3753-94b9-4f50-b369-3fc1dab5bcee): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true) (type: ExecutorError, retryable: true): task failed: activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 9dce3753-94b9-4f50-b369-3fc1dab5bcee): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true) (type: withStack, retryable: true): task failed: activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 9dce3753-94b9-4f50-b369-3fc1dab5bcee): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true) (type: wrapError, retryable: true): activity error (type: sp:access:manage, scheduledEventID: 5, startedEventID: 6, identity: 9dce3753-94b9-4f50-b369-3fc1dab5bcee): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: Error Parsing Input, retryable: false): json: cannot unmarshal string into Go struct field ManageAccessInput.requestedItems of type []infra.OutputAccessItem (type: UnmarshalTypeError, retryable: true)",
    "payload": ""
  }
18

Hi Jeongon,

Did you end up figuring this out? I am also running into issues with using the Manage Access workflow step, in particular when I try to remove different types of access at once (like roles and entitlements).

19

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.