Remove all entitlements with workflow

Hi, I need to remove all entitlements from some identity. Testing the workflow appears to be successful, but the entitlements are not being removed from the identity. I suspect I am not entering the correct JSON path in the Manage Access box.

As the Loop variable $.getAccess.accessItems is mapped to the Get Access output, $.loop.loopInput should be the right variable input to Manage Access? No errors are shown in the workflow builder or workflow testing.

Hi Julian.

I think your issue is the same as this post. You are not properly referencing the identity ID from the loop context. Please see my reply to this other post on the correct JSONPath. This is assuming the value you put inside your loop context was just the $.

@jsosa were you able to resolve this? If so, what was the issue?

Hi Colin, sorry I forgot to return here. I was not able to achieve the objective using the Get Access / Manage Access actions. Instead I replaced Get Access with an HTTP action, calling the search API to find user entitlements, and then replaced the Manage Access action with another HTTP action, this time removing each entitlement as a request.

First HTTP Request JSON Body:

{
  "indices": [
    "identities"
  ],
  "query": {
    "query": "id:{{$.trigger.identity.id}}"
  }
}

Loop input:

$.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT" && @.source.name == "Active Directory")]

Loop context:

$.trigger.identity

Second HTTP Request JSON Body:

{
  "requestType": "REVOKE_ACCESS",
  "requestedFor": [
    "{{$.loop.context.id}}"
  ],
  "requestedItems": [
    {
      "comment": "Please remove",
      "id": "{{$.loop.loopInput.id}}",
      "name": "{{$.loop.loopInput.name}}",
      "type": "{{$.loop.loopInput.type}}"
    }
  ]
}
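
A dry run of the loop described in the post above, added here as an example and not part of the original thread: it applies the same filter as the loop input JSONPath to a constructed search response and builds the REVOKE_ACCESS body each iteration would send, so the set of entitlements about to be revoked can be reviewed first. The function names and all sample ids and names are assumptions.

```python
import json

# Constructed sample of the first HTTP action's response body (a search
# result list); every id and name here is made up for this example.
SEARCH_BODY = [{
    "id": "id-0001",
    "name": "jdoe",
    "access": [
        {"id": "ent-01", "name": "CN=Finance,OU=Groups", "type": "ENTITLEMENT",
         "source": {"name": "Active Directory"}},
        {"id": "ent-02", "name": "Payroll Admin", "type": "ENTITLEMENT",
         "source": {"name": "HR App"}},
        {"id": "role-01", "name": "Accountant", "type": "ROLE"},
        {"id": "ent-03", "name": "CN=VPN,OU=Groups", "type": "ENTITLEMENT",
         "source": {"name": "Active Directory"}},
    ],
}]

def select_entitlements(body, source_name):
    """Same selection as the loop input JSONPath:
    body[0].access[?(@.type == "ENTITLEMENT" && @.source.name == source_name)]"""
    if not body:  # the search returned no identity
        return []
    return [a for a in body[0].get("access", [])
            if a.get("type") == "ENTITLEMENT"
            and (a.get("source") or {}).get("name") == source_name]

def revoke_body(identity_id, item, comment="Please remove"):
    """Request body the second HTTP action sends for one loop iteration."""
    return {
        "requestType": "REVOKE_ACCESS",
        "requestedFor": [identity_id],
        "requestedItems": [{"comment": comment, "id": item["id"],
                            "name": item["name"], "type": item["type"]}],
    }

def plan_revocations(body, identity_id, source_name="Active Directory"):
    """One request body per matching entitlement, in loop order."""
    return [revoke_body(identity_id, item)
            for item in select_entitlements(body, source_name)]

if __name__ == "__main__":
    for req in plan_revocations(SEARCH_BODY, SEARCH_BODY[0]["id"]):
        print(json.dumps(req, indent=2))
```

Access items without a source object (the ROLE entry in the sample) are skipped rather than raising, and an empty search result yields no requests.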

@jsosa would you mind sharing the JSON output of this workflow?

I am attempting to do the same thing but having trouble with my “HTTP Request 1” properly accepting the Loop Input variable.
