Old access request cleanup

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

We would like to run an access request cleanup workflow with some complex logic. How do we do that?

Example:
   If request has been open for more that 30 days,
      if deprovisioning request,
         then change approver to spadmin and auto-approve.
      if provisioning request,
         then change approver to approver's manager and give 7 days to approve.

   If provisioning request has been open for more that 37 days and not approved,
      then change approver to spadmin and auto-revoke.

Auto-revoke should not effect any other part of the request that has been approved.

2

Are you planning to revoke or cancel the old existing request which are not actioned ?

3

use “Access Request Decision” trigger and Manage Access action followed by logic etc

4

hi Chris, some of these use cases can be achieve using OOTB config. You need to update access request config.

I gave a detailed explaination in the below post

Check it out once and see it this can be used for your use case.

5

Yes. We want to revoke or cancel old existing provisioning request that have not been actioned after 37 days.

6

You can import this , update URL , clientID and secret.

{
  "version": 1,
  "self": {
    "type": "WORKFLOW",
    "name": "Vishal -  Expire Pending Access Request Workflow"
  },
  "object": {
    "name": "Vishal -  Expire Pending Access Request Workflow",
    "description": "This Vishal -  Expire Pending Access Request Workflow is used to expire the Access request which is pending on the user queue for more than 37 days .",
    "modifiedBy": {
      "type": "IDENTITY",
      "name": "vishal.kejriwal"
    },
    "definition": {
      "start": "Define Variable",
      "steps": {
        "Define Variable": {
          "actionId": "sp:define-variable",
          "attributes": {
            "id": "sp:define-variable",
            "variables": [
              {
                "description": "",
                "name": "daysToExpire",
                "transforms": [
                  {
                    "id": "sp:transform:subtractTime:time",
                    "input": {
                      "length": 37,
                      "unit": "days"
                    }
                  }
                ],
                "variableA.$": "$.now()"
              },
              {
                "description": "",
                "name": "baseUrl",
                "transforms": [],
                "variableA": "devrel-ga-9748.api.identitynow-demo.com"
              },
              {
                "description": "",
                "name": "clientId",
                "transforms": [],
                "variableA": "XXXXXXXXXXXXXXXX"
              }
            ]
          },
          "displayName": "Set environment parameters",
          "nextStep": "HTTP Request",
          "type": "Mutation"
        },
        "Define Variable 1": {
          "actionId": "sp:define-variable",
          "attributes": {
            "id": "sp:define-variable",
            "variables": [
              {
                "description": "",
                "name": "Error",
                "transforms": [],
                "variableA.$": "$.hTTPRequest.error.workflowErrorMessage"
              }
            ]
          },
          "displayName": "Logging Result",
          "nextStep": "End Step — Success",
          "type": "Mutation"
        },
        "End Step — Success": {
          "actionId": "sp:operator-success",
          "type": "success"
        },
        "HTTP Request": {
          "actionId": "sp:http",
          "attributes": {
            "authenticationType": "OAuth",
            "method": "get",
            "oAuthClientId.$": "$.defineVariable.clientId",
            "oAuthClientSecret": null,
            "oAuthCredentialLocation": "oAuthInHeader",
            "oAuthScope": null,
            "oAuthTokenUrl": "https://{{$.defineVariable.baseUrl}}/oauth/token",
            "url": "https://{{$.defineVariable.baseUrl}}/v2024/access-request-approvals/pending?sorters=created"
          },
          "catch": [
            {
              "next": "Define Variable 1"
            }
          ],
          "displayName": "Get Pending Access Requests",
          "nextStep": "Loop",
          "type": "action",
          "versionNumber": 2
        },
        "Loop": {
          "actionId": "sp:loop:iterator",
          "attributes": {
            "context.$": "$.defineVariable",
            "input.$": "$.hTTPRequest.body",
            "start": "Compare Timestamps",
            "steps": {
              "Compare Timestamps": {
                "actionId": "sp:compare-timestamps",
                "choiceList": [
                  {
                    "comparator": "TimestampLessThanEquals",
                    "nextStep": "Deny Access Request",
                    "variableA.$": "$.loop.loopInput.created",
                    "variableB.$": "$.loop.context.daysToExpire"
                  }
                ],
                "defaultStep": "Define Variable 2",
                "displayName": "",
                "type": "choice"
              },
              "Define Variable 2": {
                "actionId": "sp:define-variable",
                "attributes": {
                  "id": "sp:define-variable",
                  "variables": [
                    {
                      "description": "",
                      "name": "message",
                      "transforms": [],
                      "variableA": "No Expiry"
                    }
                  ]
                },
                "displayName": "Logging Result",
                "nextStep": "End Step - Success",
                "type": "Mutation"
              },
              "Define Variable 3": {
                "actionId": "sp:define-variable",
                "attributes": {
                  "id": "sp:define-variable",
                  "variables": [
                    {
                      "description": "",
                      "name": "error",
                      "transforms": [],
                      "variableA.$": "$.denyAccessRequest.error.workflowErrorMessage"
                    }
                  ]
                },
                "displayName": "Logging Result",
                "nextStep": "End Step - Success",
                "type": "Mutation"
              },
              "Deny Access Request": {
                "actionId": "sp:reject-request",
                "attributes": {
                  "approvalId.$": "$.loop.loopInput.id",
                  "comment": "Triggered by : Vishal - Expire Pending Access Request Workflow\nComments : Approver didn't take any action so request is auto rejected by system."
                },
                "catch": [
                  {
                    "next": "Define Variable 3"
                  }
                ],
                "displayName": "",
                "nextStep": "End Step - Success",
                "type": "action",
                "versionNumber": 1
              },
              "End Step - Success": {
                "actionId": "sp:operator-success",
                "displayName": "",
                "type": "success"
              }
            }
          },
          "description": null,
          "nextStep": "End Step — Success",
          "type": "action",
          "versionNumber": 1
        }
      }
    },
    "enabled": false,
    "creator": {
      "type": "IDENTITY",
      "name": "vishal.kejriwal"
    },
    "owner": {
      "type": "IDENTITY",
      "name": "vishal.kejriwal"
    },
    "trigger": {
      "type": "SCHEDULED",
      "attributes": {
        "cronString": "0 4 * * *",
        "dailyTimes": [
          "1969-12-31T10:00:00Z"
        ],
        "frequency": "daily",
        "id": "idn:cron-schedule",
        "timeZone": "America/Chicago"
      }
    }
  }
}
1 Like
7

Thank you, Vishal. This is what I was looking for.

8

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.