Remove membership from Active Directory using Workflows

hi,

I have a use case where I need to remove membership from Active Directory groups that are not provisioned outside of SailPoint (I don't need to worry about access granted through Access Profiles/Roles, because SailPoint will handle them). This should happen when a user changes department. I am trying to do this through workflows.
I have tried the search API (with the standalone attribute set to true, which helps me identify entitlements that are not provisioned through SailPoint).

I have tried to use the "Manage Access" action, but that does not seem to work. I know I can use PowerShell etc., but that would not update the source until the next aggregation. Is there a way to make it work with workflows?

Thanks,

Raj

A few questions,

  1. What is not working in the Workflow?
  2. Are those entitlements part of any roles or access profiles which can still be assigned to the identities and in your scope?

Based on your comment, you can use the search-based certification via API within a workflow to revoke the access which you get from your search results. Keep in mind that those entitlements still get assigned to the identity if they are part of any roles or identity profiles which are already assigned to any of these identities.

Below are a few links which may help in your case

Workflow to remove access by identity based on special conditions - Identity Security Cloud (ISC) / ISC Community Knowledge Base - SailPoint Developer Community

Workflow Loop error- RemoveAccess not working inside loop - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

Hi Raj,

Try using a search to get standalone access, e.g. the following body.

{"indices":["identities"],"query":{"innerHit":{"query":"standalone:true AND NOT source.id:123","type":"access"},"query":"id:\"{{$.trigger.id}}\""}}

You should be able to pass this into a Manage Access step to revoke the standalone access.
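As an added example (not code from either reply, and not SailPoint's own SDK), the following Python shows the two halves of the approach discussed in this thread: building the identity search body with the innerHit filter from the last reply, and applying the same standalone/source filter client-side to the returned access array before handing the items to a Manage Access step. The response shape (an `access` list whose items carry `standalone` and `source.id`) is assumed from the query fields used in the thread; the identity id and the excluded source id are parameters here rather than the hardcoded `123`, and the sample identity document is constructed for the example.

```python
import json

# Builds the /v3/search body from the thread's example. The innerHit narrows the
# identity's access array to standalone items not provisioned by excluded_source_id
# (the thread hardcodes 123; which source that is is the workflow author's choice).
def build_search_body(identity_id: str, excluded_source_id: str) -> dict:
    return {
        "indices": ["identities"],
        "query": {
            "innerHit": {
                "query": f"standalone:true AND NOT source.id:{excluded_source_id}",
                "type": "access",
            },
            "query": f'id:"{identity_id}"',
        },
    }


# Client-side filter mirroring the innerHit query, so a workflow that gets the
# full access array (or a cached document) still only revokes standalone items.
# Non-standalone items are left alone: they are backed by a role/access profile,
# and SailPoint would simply re-grant them after a revoke.
def standalone_access(identity_doc: dict, excluded_source_id: str) -> list:
    to_revoke = []
    for item in identity_doc.get("access", []):
        if not item.get("standalone", False):
            continue  # covered by a role/access profile; not ours to remove
        if item.get("source", {}).get("id") == excluded_source_id:
            continue  # source explicitly excluded by the search query
        to_revoke.append(
            {"id": item["id"], "type": item.get("type", "ENTITLEMENT"), "name": item.get("name")}
        )
    return to_revoke


# Constructed sample identity document (assumed shape, not real ISC output).
SAMPLE_IDENTITY = {
    "id": "identity-0001",
    "attributes": {"department": "Finance"},
    "access": [
        {"id": "ent-ad-01", "type": "ENTITLEMENT", "name": "CN=Finance-Share",
         "source": {"id": "ad-source", "name": "Active Directory"}, "standalone": True},
        {"id": "ent-ad-02", "type": "ENTITLEMENT", "name": "CN=All-Staff",
         "source": {"id": "ad-source", "name": "Active Directory"}, "standalone": False},
        {"id": "ent-x-03", "type": "ENTITLEMENT", "name": "legacy-app-admin",
         "source": {"id": "123", "name": "Excluded Source"}, "standalone": True},
    ],
}


if __name__ == "__main__":
    print(json.dumps(build_search_body("identity-0001", "123"), indent=2))
    print(standalone_access(SAMPLE_IDENTITY, "123"))
```

Run against the sample, only `CN=Finance-Share` survives the filter: `CN=All-Staff` is not standalone (so a role or access profile owns it) and `legacy-app-admin` comes from the excluded source. That list is what the Manage Access step should receive; the aggregation lag the original poster worried about does not arise because the revoke is provisioned by the connector rather than by an out-of-band PowerShell change.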