I am trying to build a simple workflow to remove access upon changing of identity attributes. But I am getting strange error.
Below are the screenshots of my workflow. Can someone please let me know what I am doing wrong.
Thanks in advance,
It’s not readily apparent from the UI, but you cannot revoke entitlements at this time. The underlying API that supports the Manage Access action currently has this limitation as well.
The Manage Access will eventually support entitlement revocation, but I don’t have a clear timeline on when that will be.
Thank you for the quick response. I tried to revoke only roles and I still have same error.
Can you please let me know if we can remove roles only?
Yes, you should be able to remove roles. Are you able to share the details of your failed workflow?
Below is the error.
In previous step you can see I only added to remove roles.
There is only one role for this user and its granted by request but I am getting error while revoking.
Can you please let me know what I am doing wrong here?
Below is the final response.
Can you try something? In
Request Access Removal, select the identity from the dropdown rather than choosing from a variable. See if that works.
I selected the identity and still same issue.
I tried to remove the access using “Manage access” => “Remove access” instead of “Request access removal” workflow. Its working fine.
I think there is some issue with “Request access removal”.
Agreed. This should work, but the Manage Access action is sending a bad payload to the API. Have you created a support ticket yet? That’s the best way to get this to engineering. You’ll want to link to this conversation in your ticket as well as provide details about your workflow, the inputs, and the outputs.
“Manage Access” is working fine. We have issue with “Request Access Removal”. Sure I will raise a support ticket for this and link this conversation.
“Request Access Removal” is going to be phased out in favor of “Manage Access”. Please try to use “Manage Access” first to see if that fixes your problem.
I’m experiencing kind of same issue with “Manage Access” for Remove Access scenario.
Get Access (only fetching roles):
Manage Access (Remove Access):
Once I run the workflow, I am getting the below error on “Manage Access” step -
Am I missing something?
Appreciate your help, thanks!
Does the identity currently have both roles? There is a quirk with the access request API, which Manage Access is based on, where it will fail if you attempt to revoke a role that doesn’t exist on the identity.
Yes, both the roles are assigned to the user. I’m fetching roles in the workflow step “Get Access” just before “Manage Access”.
How are the roles configured? Do they allow access requests?
Yes, access requests are already enabled for those 2 roles.
Just curious if you have tried the same and how’s it working on your side?
I’m out of ideas at this point. There might be some other configuration in your tenant that is preventing this from working. Have you opened a support ticket yet?
Hi @gauravsajwan1 ,
Please make sure these are not birthright roles. If they are assigned based on membership criteria and user is still satisfying the membership then we cannot remove such roles from workflow.
Hi @Abhinov7 - these roles are requestable and not assigned as birth right.
@colin_mckibben - haven’t yet, will do!
Hi, I read the workflow documentation and it’s mentioned there how the structure for input JSON should be like for “Manage Access” -
In my case, input JSON looks different (doesn’t have “access items” in it) -
I will definitely raise this with SP Support team, but just curious if this is happening only with me or some role misconfig or expected behavior with Manage Access step for Remove action?
Would appreciate if it’s possible for you to run a test and share how’s it looking at your side?
I don’t think it has to do with the workflow config. The error suggests that the payload is being sent correctly from the workflow, but IdentityNow can’t process the request because one of those roles can’t be removed for some reason. Try running the submit access request API endpoint to revoke those roles and see what you get. Maybe you can narrow it down to a single role that is causing the issue.