It’s not readily apparent from the UI, but you cannot revoke entitlements at this time. The underlying API that supports the Manage Access action currently has this limitation as well.
Manage Access will eventually support entitlement revocation, but I don’t have a clear timeline on when that will be.
Agreed. This should work, but the Manage Access action is sending a bad payload to the API. Have you created a support ticket yet? That’s the best way to get this to engineering. You’ll want to link to this conversation in your ticket as well as provide details about your workflow, the inputs, and the outputs.
“Manage Access” is working fine. We have an issue with “Request Access Removal”. Sure, I will raise a support ticket for this and link this conversation.
“Request Access Removal” is going to be phased out in favor of “Manage Access”. Please try to use “Manage Access” first to see if that fixes your problem.
Does the identity currently have both roles? There is a quirk with the access request API, which Manage Access is based on, where it will fail if you attempt to revoke a role that doesn’t exist on the identity.
I’m out of ideas at this point. There might be some other configuration in your tenant that is preventing this from working. Have you opened a support ticket yet?
Please make sure these are not birthright roles. If they are assigned based on membership criteria and the user is still satisfying the membership, then we cannot remove such roles from a workflow.
In my case, the input JSON looks different (it doesn’t have “access items” in it) -
I will definitely raise this with the SP Support team, but I’m just curious whether this is happening only to me, is some role misconfig, or is expected behavior with the Manage Access step for the Remove action.
I would appreciate it if you could run a test and share how it looks on your side.
TIA!
I don’t think it has to do with the workflow config. The error suggests that the payload is being sent correctly from the workflow, but IdentityNow can’t process the request because one of those roles can’t be removed for some reason. Try running the submit access request API endpoint to revoke those roles and see what you get. Maybe you can narrow it down to a single role that is causing the issue.
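An added example, not part of the thread and not SailPoint's own code: a pre-check that applies the diagnostics suggested in the posts above (skip roles the identity does not hold, skip criteria-assigned roles, and submit one role per revoke request so a failure points at a single role). The request body fields are assumed to follow the v3 access request schema and should be checked against the tenant's API documentation; the IDs, the `by_criteria` flag and `plan_revocations` are hypothetical.

```python
import json

# Constructed sample (not from the thread): roles currently on the identity.
# "by_criteria" is a hypothetical flag meaning the role is assigned by
# membership criteria that the user still satisfies.
ASSIGNED = {
    "role-aaa": {"name": "Finance Reader", "by_criteria": False},
    "role-bbb": {"name": "All Employees", "by_criteria": True},
}


def plan_revocations(identity_id, role_ids, assigned, comment):
    """Split role_ids into per-role REVOKE_ACCESS bodies and skipped roles."""
    bodies, skipped = [], {}
    for role_id in role_ids:
        role = assigned.get(role_id)
        if role is None:
            # Revoking a role the identity does not hold fails the request.
            skipped[role_id] = "not assigned to identity"
        elif role["by_criteria"]:
            # Criteria-based assignment cannot be removed by a request.
            skipped[role_id] = "assigned by membership criteria"
        else:
            # One role per request, so a failure points at a single role.
            bodies.append({
                "requestedFor": [identity_id],
                "requestType": "REVOKE_ACCESS",
                "requestedItems": [
                    {"type": "ROLE", "id": role_id, "comment": comment}
                ],
            })
    return bodies, skipped


if __name__ == "__main__":
    bodies, skipped = plan_revocations(
        "identity-123", ["role-aaa", "role-bbb", "role-ccc"], ASSIGNED,
        "Revocation test, one role per request",
    )
    for body in bodies:
        print(json.dumps(body, indent=2))  # body to submit to the endpoint
    for role_id, reason in skipped.items():
        print(f"skip {role_id}: {reason}")
```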