Remove all Access when user state changes from Inactive to Terminated

Hi All,

I have configured a workflow which removes the entitlement when the user lifecycle state changes from Inactive to Terminated.

  1. Detect Trigger
  2. Get Access : Entitlement
  3. Using Loop with LoopInput : $.getAccess.accessItems[*]
  4. Manage Access : Request Type : REMOVE

But I want to remove Role + Access Profile + Entitlement (ALL).
I tried checking all the options (Get Access Profiles + Get Roles + Get Entitlements), but no luck.

I tried a different workflow using the HTTP Request, but that does not remove the birthright access.

The requirement is to remove all the access (birthright + requested access).
Please assist.

Hey Ritika,

When you say:

Do you mean you don't get all the accesses (ent + role + access profile), or are you not able to remove those accesses?

Hi Zeel,

I am not able to remove.

Any error message you get? Might help to debug the issue.

This use case can be handled using 3 steps:

  1. Use Identity profile config to auto remove entitlements for sources.
  2. Use before provisioning rule to remove residual entitlements.
  3. Use this workflow to remove all sticky Roles and other access items by submitting revoke access request. Workflow - Remove Entitlements from selected source - #7 by colin_mckibben
3 Likes


User has: 1 Role, 4 Ent and 1 AP

Config,




@RitikaK

After Get Access action, can you directly pass on the input to Manage Access action instead of looping using loop operator?


Reference

Also, please check the JSON input to the Manage Access action for troubleshooting.
Thanks

1 Like

Please help me with the HTTP operation. If I want to remove all Access Profiles + all Roles + all Entitlements,
is this the correct approach?
$.hTTPRequest.body[0].access[?(@.type == "ACCESS_PROFILE" && @.type == "ENTITLEMENT")]

Hi @RitikaK

I had a problem when I tried to remove all access. The fact is that the Manage Access input should be the Get Access output, and there is a limitation of revoking only one entitlement at a time.

Your approach is fine; you only have to replace step 4 (Manage Access) with an HTTP Request action, which calls the ISC API to remove each account.




In this case, the JSON body should be:

{
  "requestType": "REVOKE_ACCESS",
  "requestedFor": ["{{$.loop.context.id}}"],
  "requestedItems": [
    {
      "comment": "Usuario Desligado",
      "id": "{{$.loop.loopInput.id}}",
      "name": "{{$.loop.loopInput.name}}",
      "type": "{{$.loop.loopInput.type}}"
    }
  ]
}
  • Note that I changed the names to be more readable, but Get Entitlements is a Get Access action.

As you need to revoke all types, you can make 3 HTTP Request actions in cascade, each with one type hardcoded (with 2 string compare operations checking which type comes in the loop item).

1 Like

With reference to
Remove all entitlements with workflow - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

is this the correct approach to remove both Ent and AP in the Loop Input?
$.hTTPRequest.body[0].access[?(@.type == "ACCESS_PROFILE" && @.type == "ENTITLEMENT")]

@RitikaK this is what you need

Best!

1 Like

@RitikaK no, because each body call must be ENTITLEMENT or ACCESS_PROFILE or ROLE. That's why you should follow this approach, with the difference of having 3 HTTP Requests: one for ENTITLEMENT, another for ACCESS_PROFILE and another for ROLE.

1 Like
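The per-type split the replies above describe, written out as an added Python example (it is not from the thread and not SailPoint's code). The sample access items are constructed; the field names id/name/type are taken from the JSON body quoted earlier; the identity id is a placeholder; and nothing is sent to the API. It shows why a filter that ANDs two types selects nothing, and how one REVOKE_ACCESS body per item, grouped by type, corresponds to the three cascaded HTTP Request actions.

```python
import json
from collections import defaultdict

# Constructed sample of what the Get Access step (or the identity "access" list the
# thread reads via $.hTTPRequest.body[0].access) might return. Field names id/name/type
# follow the JSON body quoted in the thread; the values are made up.
SAMPLE_ACCESS = [
    {"id": "ent-0001", "name": "AD Group Finance-Readers", "type": "ENTITLEMENT"},
    {"id": "ent-0002", "name": "AD Group VPN-Users", "type": "ENTITLEMENT"},
    {"id": "ent-0003", "name": "SAP Role FI_DISPLAY", "type": "ENTITLEMENT"},
    {"id": "ent-0004", "name": "Okta Group Everyone", "type": "ENTITLEMENT"},
    {"id": "ap-0001", "name": "Finance Analyst AP", "type": "ACCESS_PROFILE"},
    {"id": "role-0001", "name": "Finance Analyst Role", "type": "ROLE"},
]

# The three access item types a revoke request can carry, per the thread.
REVOCABLE_TYPES = ("ENTITLEMENT", "ACCESS_PROFILE", "ROLE")


def combined_and_filter(items):
    """Python equivalent of [?(@.type == "ACCESS_PROFILE" && @.type == "ENTITLEMENT")].

    One item has exactly one type, so the conjunction is never true: the loop
    input would be empty and nothing would be revoked.
    """
    return [i for i in items if i["type"] == "ACCESS_PROFILE" and i["type"] == "ENTITLEMENT"]


def select_type(items, access_type):
    """Python equivalent of the per-type filter [?(@.type == "<TYPE>")]."""
    return [i for i in items if i["type"] == access_type]


def group_by_type(items):
    """Split a Get Access result into one list per type, rejecting unknown types."""
    groups = defaultdict(list)
    for item in items:
        if item["type"] not in REVOCABLE_TYPES:
            raise ValueError(f"unexpected access type {item['type']!r} on item {item['id']}")
        groups[item["type"]].append(item)
    return dict(groups)


def build_revoke_body(identity_id, item, comment):
    """Build one REVOKE_ACCESS body with the same shape as the JSON template in the thread.

    Each body carries exactly one requestedItem, which is the one-item-per-call
    limitation the replies describe.
    """
    return {
        "requestType": "REVOKE_ACCESS",
        "requestedFor": [identity_id],
        "requestedItems": [
            {"comment": comment, "id": item["id"], "name": item["name"], "type": item["type"]}
        ],
    }


def plan_revocations(identity_id, items, comment="User terminated"):
    """Return {type: [body, ...]}: what three cascaded HTTP Request actions would send.

    The type order is fixed only so the output is reproducible; the thread does
    not prescribe an order.
    """
    grouped = group_by_type(items)
    plan = {}
    for access_type in ("ROLE", "ACCESS_PROFILE", "ENTITLEMENT"):
        plan[access_type] = [build_revoke_body(identity_id, i, comment) for i in grouped.get(access_type, [])]
    return plan


def body_is_single_type(body):
    """Sanity check before sending: REVOKE_ACCESS, one identity, one item, one valid type."""
    items = body.get("requestedItems", [])
    return (
        body.get("requestType") == "REVOKE_ACCESS"
        and len(body.get("requestedFor", [])) == 1
        and len(items) == 1
        and items[0].get("type") in REVOCABLE_TYPES
    )


if __name__ == "__main__":
    print("items matched by the && filter:", len(combined_and_filter(SAMPLE_ACCESS)))
    # Placeholder identity id; a real workflow would read it from the trigger context.
    for access_type, bodies in plan_revocations("IDENTITY-ID-PLACEHOLDER", SAMPLE_ACCESS).items():
        print(f"{access_type}: {len(bodies)} request(s)")
        for body in bodies:
            assert body_is_single_type(body)
            print(json.dumps(body))  # each body is what one HTTP Request action would POST
```

Running it prints 0 for the ANDed filter and then one body per item, 1 for ROLE, 1 for ACCESS_PROFILE and 4 for ENTITLEMENT, matching the "1 Role, 4 Ent and 1 AP" test user in the thread. The check in body_is_single_type is what to compare against the JSON input of each HTTP Request action when a revoke silently does nothing.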
