Removing user's accessprofile containing a string in name using workflow

yatharth_dutt · December 17, 2024, 4:01pm

Hi Team,

I am trying to create a workflow which will trigger when user changes department and should remove user’s access where the access profile name contains “Privileged access”

Search query being used to get access profiles with required keyword is “Privileged access”

While testing the workflow, I am getting following error in manage access action

I suspect this error could be there because user is not having all the access profiles which are being returned by get access method. Could you please suggest how this can be resolved?

JackSparrow · December 17, 2024, 4:19pm

Hi @yatharth_dutt ,

How are you filtering out the AP’s with “privilege access” name? Are you filtering them in manage access step? If possible, could you post the workflow JSON here?

yatharth_dutt · December 17, 2024, 5:44pm

Hi @JackSparrow,

I am filtering the access profiles using get access step.

iamnithesh · December 17, 2024, 5:48pm

Are these Access Profiles granted as a part of the Role? If so, you won’t be able to use “Manage Access” action to remove them.

yatharth_dutt · December 18, 2024, 6:15am

No, These access profiles are not part of a role. In current situation user is having 2 out of 3 access profiles which have "Privileged access” in their name.

sameertawargeri · December 18, 2024, 11:45am

Can you try this approach - using Get Access and loop
. Configure Get Identity immediately after trigger and get the identity from the trigger. Get Access action to get only access profiles. Perform loop over get access action’s access items (loop input - $.getAccess.accessItems). Within the loop, include Compare Strings(value 1-$.loop.loopInput.name) with contains “Privileged access”, if true perform Manage Access to remove the access

yatharth_dutt · December 18, 2024, 12:12pm

Hey @sameertawargeri,

This won’t work for us as the loop has a limitation of 100 inputs and in almost all cases user is going to have more than 100 access profiles.

sameertawargeri · December 18, 2024, 1:21pm

In that case try this, after Get Identity, setup HTTp request action to invoke v3-search api as request url. In the request body have something like below. Loop over the body response access profile name and within the loop perform Manage Access
Request Body

{
    "indices":[
        "identities"
    ],
    "query": {
    "query" : "attributes.email:\"{{$.getIdentity.attributes.email}}\"",
    "innerHit": {
            "type": "access",
            "query": "(type:ACCESS_PROFILE) AND displayName:\"*Privileged Access\""
        }
    },
    "queryResultFilter": {
      "includes": ["*"]
  }
}

yatharth_dutt · December 19, 2024, 7:31am

Hi Sameer,

Thanks for your help, This http request action helped in fetching the list of access profiles owned by user so I didn’t have to use a loop for removing access.

system · February 17, 2025, 7:31am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Manage Access: Remove all Access Profiles or Roles ISC Discussion and Questions workflows	2	654	July 19, 2023
Workflow to remove all access profiles that start with "Azure" ISC Discussion and Questions workflows , identity-security-cloud	11	515	January 16, 2024
Workflows: Action "Manage Access" ISC Discussion and Questions workflows , identity-security-cloud	3	999	July 19, 2023
Need Help with Workflow to Remove Access Profile and Entitlement on User Inactivity or Information Change ISC Discussion and Questions workflows , identity-security-cloud , access-profiles , entitlements	17	739	August 24, 2024
Remove all Access when user state changes from Inactive to Terminated ISC Discussion and Questions workflows , identity-security-cloud	11	293	November 22, 2024

Removing user's accessprofile containing a string in name using workflow

Related topics