We are using SailPoint IdentityNow, and SailPoint Professional Services implemented the project for us. When we are offboarding users, email communication is sent only to the birthright-provisioned application owners and not to all of them. How can we send communications to the application owners of all the applications the user has?
Hi @jkalle - You can look at using the OOB workflow "Leaver Workflow" and extend it to fetch all the apps that are tagged to the user and pull the owners to send an email.
My requirement is simple. When a user gets offboarded, we have to send emails to all the application owners to de-provision them on the application side. As we are new to SailPoint, we are finding it difficult to fetch the data and send it using Workflows. Any pointers as to how to fetch all the entitlements related to apps and send email to the application owners?
You can design your workflow with something like below:
Step 1: Trigger - Identity Attributes Changed. You can use the filter (Advanced) $.changes[?(@.attribute == "cloudLifecycleState")]
Step 2: Compare String operator to check if the new cloudLifecycleState value is Inactive (or the equivalent of your offboarding LCS), e.g. compare $.trigger.changes[?(@.attribute == "cloudLifecycleState")].newValue with Inactive
Step 3: For the Compare String True flow, Get Accounts by Identity based on $.trigger.identity.id
Step 4: Use a Loop with Loop Input as $.getAccounts.accounts and Loop Context as $
Step 5: Within the loop, fetch the app access items and store them in a variable using Define Variable
Step 6: Send Email to the app owner using the variable fetched in Step 5.
Hope this gives you a start to design the workflow.
You can make a copy of it and extend it by using the logic shared by Shailee.
I'd suggest, if you are new to workflows, creating it without the loop on a test user having 1 account; once it works, add the loop logic, to ensure that the core functionality works.
Hi Shailee,
This is Vijitha. @jkalle and I are on the same team. I tried following the steps you provided. In Step 5, inside the loop, I used the “Get Access” action. In the selection method, I used “By Identity Id” and chose “Get entitlements”.
In the Define Variable section in the Loop, I assigned this value (“$.getAccess.accessItems.value”) to fetch the entitlement name or entitlement value. After that the workflow threw an error. I guess I am not assigning the correct value to fetch the entitlement value from the specific source. Could you please help us with how I can fetch the entitlement values from the specific source (Active Directory)? Once I get that value, I need to use it to send the email communication.
Actually, we are trying to fetch the entitlement name and value from the specific source (Active Directory) for the identity from the screenshot below, and trying to send an email to the app owner of that entitlement.
You may need to use a different path, such as $.getAccess.accessItems[*].value, which retrieves all entitlement values as an array. Also add the filter to fetch entitlements from a particular source.
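As an added example (not SailPoint code and not part of this thread), here is a Python model of the logic Shailee's steps implement: the cloudLifecycleState filter and Compare String, then the per-account loop that collects entitlements by application owner, optionally restricted to one source such as Active Directory as this reply suggests. The trigger payload, account list and owner emails are constructed sample data; the real Get Accounts response fields in IdentityNow differ.

```python
"""Offline model of the leaver-notification workflow (added example, not
SailPoint code): detect a cloudLifecycleState change to Inactive, then
build one de-provisioning message per application owner."""
from collections import defaultdict

# Constructed sample payload shaped like an Identity Attributes Changed trigger.
TRIGGER = {
    "identity": {"id": "id-1", "name": "jdoe"},
    "changes": [
        {"attribute": "department", "oldValue": "IT", "newValue": "HR"},
        {"attribute": "cloudLifecycleState", "oldValue": "active", "newValue": "inactive"},
    ],
}

# Constructed stand-in for the Get Accounts by Identity result; owners are invented.
ACCOUNTS = [
    {"sourceName": "Active Directory", "ownerEmail": "ad-owner@example.com",
     "entitlements": ["CN=VPN-Users", "CN=Finance-RO"]},
    {"sourceName": "Salesforce", "ownerEmail": "sfdc-owner@example.com",
     "entitlements": ["Sales Profile"]},
    {"sourceName": "Legacy HR", "ownerEmail": "ad-owner@example.com",
     "entitlements": ["hr_reader"]},
]

def lifecycle_change(trigger, attribute="cloudLifecycleState"):
    """Python equivalent of the filter $.changes[?(@.attribute == "cloudLifecycleState")]."""
    return [c for c in trigger["changes"] if c["attribute"] == attribute]

def is_offboarding(trigger, inactive_state="inactive"):
    """Step 2: Compare String on the change's newValue (case-insensitive here)."""
    return any(c["newValue"].lower() == inactive_state for c in lifecycle_change(trigger))

def owner_notifications(trigger, accounts, source_filter=None):
    """Steps 3-6: loop over the identity's accounts, optionally keep only one
    source, and build one message per owner listing the entitlements to remove."""
    if not is_offboarding(trigger):
        return {}
    by_owner = defaultdict(list)
    for acct in accounts:
        if source_filter and acct["sourceName"] != source_filter:
            continue
        for ent in acct["entitlements"]:
            by_owner[acct["ownerEmail"]].append(f'{acct["sourceName"]}: {ent}')
    user = trigger["identity"]["name"]
    return {owner: f"Please de-provision {user}: " + "; ".join(items)
            for owner, items in by_owner.items()}
```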
You are trying to call a variable ($.trigger.identity.id) inside the loop that is defined outside the loop, which is not allowed.
You can define a Get Identity action outside the loop and then use the Get Identity variable as the $.loop.context to be called inside the Get Access operator (inside the loop).
Take a look at the Loop operator documentation for more info.
You can also take a look at the discussion shared by @vinnysail for more details.
I agree with Jevin; you will need to change the $.trigger.identity.id in the Get Access identity filter step to use the loop context. It should be like $.loop.context.trigger.identity.id if you have defined the loop context as $
Sorry for the late response. Thank you very much @vinnysail for referring us to (Workflow - Remove Entitlements from selected source). We implemented this in our environment, and it totally meets the expectation of our requirement, and it is working in our PROD environment successfully now. My biggest thanks to everyone @shaileeM @jesvin90 @Abhinov @AdisharmaOz @jkalle here in this post for suggesting different ideas which led to a solution.