Old access request cleanup

We would like to run an access request cleanup workflow with some complex logic. How do we do that?

Example:
   If request has been open for more than 30 days,
      if deprovisioning request,
         then change approver to spadmin and auto-approve.
      if provisioning request,
         then change approver to approver's manager and give 7 days to approve.

   If provisioning request has been open for more than 37 days and not approved,
      then change approver to spadmin and auto-revoke.

Auto-revoke should not affect any other part of the request that has been approved.

Are you planning to revoke or cancel the old existing requests that have not been actioned?

Use the “Access Request Decision” trigger and the Manage Access action, followed by your own logic, etc.

Hi Chris, some of these use cases can be achieved using OOTB config. You need to update the access request config.

I gave a detailed explanation in the post below.

Check it out and see if this can be used for your use case.

Yes. We want to revoke or cancel old existing provisioning requests that have not been actioned after 37 days.

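You can import this, then update the URL (baseUrl), clientID and secret. The export has oAuthClientSecret set to null and enabled set to false, so enter the secret in the workflow after import rather than in the JSON you share, and enable the workflow only after a test run. Note that the loop rejects every pending approval the call returns that was created 37 or more days ago; it compares only the created timestamp and does not check whether the request is for provisioning or deprovisioning.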

{
  "version": 1,
  "self": {
    "type": "WORKFLOW",
    "name": "Vishal -  Expire Pending Access Request Workflow"
  },
  "object": {
    "name": "Vishal -  Expire Pending Access Request Workflow",
    "description": "This Vishal -  Expire Pending Access Request Workflow is used to expire the Access request which is pending on the user queue for more than 37 days .",
    "modifiedBy": {
      "type": "IDENTITY",
      "name": "vishal.kejriwal"
    },
    "definition": {
      "start": "Define Variable",
      "steps": {
        "Define Variable": {
          "actionId": "sp:define-variable",
          "attributes": {
            "id": "sp:define-variable",
            "variables": [
              {
                "description": "",
                "name": "daysToExpire",
                "transforms": [
                  {
                    "id": "sp:transform:subtractTime:time",
                    "input": {
                      "length": 37,
                      "unit": "days"
                    }
                  }
                ],
                "variableA.$": "$.now()"
              },
              {
                "description": "",
                "name": "baseUrl",
                "transforms": [],
                "variableA": "devrel-ga-9748.api.identitynow-demo.com"
              },
              {
                "description": "",
                "name": "clientId",
                "transforms": [],
                "variableA": "XXXXXXXXXXXXXXXX"
              }
            ]
          },
          "displayName": "Set environment parameters",
          "nextStep": "HTTP Request",
          "type": "Mutation"
        },
        "Define Variable 1": {
          "actionId": "sp:define-variable",
          "attributes": {
            "id": "sp:define-variable",
            "variables": [
              {
                "description": "",
                "name": "Error",
                "transforms": [],
                "variableA.$": "$.hTTPRequest.error.workflowErrorMessage"
              }
            ]
          },
          "displayName": "Logging Result",
          "nextStep": "End Step — Success",
          "type": "Mutation"
        },
        "End Step — Success": {
          "actionId": "sp:operator-success",
          "type": "success"
        },
        "HTTP Request": {
          "actionId": "sp:http",
          "attributes": {
            "authenticationType": "OAuth",
            "method": "get",
            "oAuthClientId.$": "$.defineVariable.clientId",
            "oAuthClientSecret": null,
            "oAuthCredentialLocation": "oAuthInHeader",
            "oAuthScope": null,
            "oAuthTokenUrl": "https://{{$.defineVariable.baseUrl}}/oauth/token",
            "url": "https://{{$.defineVariable.baseUrl}}/v2024/access-request-approvals/pending?sorters=created"
          },
          "catch": [
            {
              "next": "Define Variable 1"
            }
          ],
          "displayName": "Get Pending Access Requests",
          "nextStep": "Loop",
          "type": "action",
          "versionNumber": 2
        },
        "Loop": {
          "actionId": "sp:loop:iterator",
          "attributes": {
            "context.$": "$.defineVariable",
            "input.$": "$.hTTPRequest.body",
            "start": "Compare Timestamps",
            "steps": {
              "Compare Timestamps": {
                "actionId": "sp:compare-timestamps",
                "choiceList": [
                  {
                    "comparator": "TimestampLessThanEquals",
                    "nextStep": "Deny Access Request",
                    "variableA.$": "$.loop.loopInput.created",
                    "variableB.$": "$.loop.context.daysToExpire"
                  }
                ],
                "defaultStep": "Define Variable 2",
                "displayName": "",
                "type": "choice"
              },
              "Define Variable 2": {
                "actionId": "sp:define-variable",
                "attributes": {
                  "id": "sp:define-variable",
                  "variables": [
                    {
                      "description": "",
                      "name": "message",
                      "transforms": [],
                      "variableA": "No Expiry"
                    }
                  ]
                },
                "displayName": "Logging Result",
                "nextStep": "End Step - Success",
                "type": "Mutation"
              },
              "Define Variable 3": {
                "actionId": "sp:define-variable",
                "attributes": {
                  "id": "sp:define-variable",
                  "variables": [
                    {
                      "description": "",
                      "name": "error",
                      "transforms": [],
                      "variableA.$": "$.denyAccessRequest.error.workflowErrorMessage"
                    }
                  ]
                },
                "displayName": "Logging Result",
                "nextStep": "End Step - Success",
                "type": "Mutation"
              },
              "Deny Access Request": {
                "actionId": "sp:reject-request",
                "attributes": {
                  "approvalId.$": "$.loop.loopInput.id",
                  "comment": "Triggered by : Vishal - Expire Pending Access Request Workflow\nComments : Approver didn't take any action so request is auto rejected by system."
                },
                "catch": [
                  {
                    "next": "Define Variable 3"
                  }
                ],
                "displayName": "",
                "nextStep": "End Step - Success",
                "type": "action",
                "versionNumber": 1
              },
              "End Step - Success": {
                "actionId": "sp:operator-success",
                "displayName": "",
                "type": "success"
              }
            }
          },
          "description": null,
          "nextStep": "End Step — Success",
          "type": "action",
          "versionNumber": 1
        }
      }
    },
    "enabled": false,
    "creator": {
      "type": "IDENTITY",
      "name": "vishal.kejriwal"
    },
    "owner": {
      "type": "IDENTITY",
      "name": "vishal.kejriwal"
    },
    "trigger": {
      "type": "SCHEDULED",
      "attributes": {
        "cronString": "0 4 * * *",
        "dailyTimes": [
          "1969-12-31T10:00:00Z"
        ],
        "frequency": "daily",
        "id": "idn:cron-schedule",
        "timeZone": "America/Chicago"
      }
    }
  }
}


Thank you, Vishal. This is what I was looking for.
