SailPoint ISC workflow for Admin account Review

I’m planning to create a quarterly workflow in SailPoint that automatically initiates a review of all Org Admins. I would also like to assign myself as the designated reviewer for this process. What would be the most effective way to configure this?

Is this workflow part of the certification process, or are you trying to use only workflows for reviews?

As you have mentioned “review of all Org Admins”, and you want to be assigned as a reviewer, this can be achieved through a Certification campaign in ISC.

I want to use a scheduled-trigger workflow, and it must trigger quarterly.

Hi @ROHPU

Welcome to SailPoint community.

You can use the search template with query “@access(source.name:IdentityNow AND value:ORG_ADMIN)” and then create a campaign via workflow every quarter.

Do you have a loopback connector enabled in your tenant? Because in order to revoke or keep the ORG_ADMIN access via the campaign review process, this connector will make it easier to track the actions.

If you are planning to manually review and take actions for the campaign, then I think the above query should be enough, with a workflow to launch the campaign.

Thank You.
Regards
Vikas.

1 Like

Can you please give me more details of how we can set up loopback connector?

Hi @ROHPU

Building a loopback connector is something that will take time. There is already a standard connector available, which you can check to see if that is enough for your use case.

The idea of a loopback connector is basically that you can manage ISC user levels etc. as entitlements themselves, and with this you can even connect to your non-prod ISC tenants and then grant access to them from your prod tenant.

This way, if you generate the campaign from the production tenant, then you can even review the user levels assigned to the admins in test or dev tenants via a single campaign.

There are many reasons to implement it, and depending upon the use case I have seen customers decide either to build their own connector or to use the out-of-the-box connector itself.
You can use the document below for more information.

I hope this helps.

Regards

Vikas.

1 Like

SailPointAdminAccountReview20260406.json (2.1 KB) I’m trying to create a simple workflow just to verify that everything is working correctly before I move forward with more complex configurations. I’m copying and pasting my JSON below—could you please check where I might be going wrong? I just want to get a basic workflow running successfully first.

Welcome to the wonderful community @ROHPU

The main issue is that this workflow is creating an Identity certification, but the JSON still includes Access certification fields.

reviewerAccessConstraintIds, reviewerAccessItemType, and reviewerAccessOperator should be removed here.

Those are meant for ACCESS certifications, not IDENTITY certifications. For an identity campaign, the important fields are reviewerCertificationType: "IDENTITY", reviewerId, and reviewerIdentitiesToCertify. The community examples/docs follow that same pattern.

Also, reviewerId is blank in your JSON, so the campaign has no reviewer assigned.

One more small fix: since Get List of Identities returns full identity objects, I’d pass only the IDs into the campaign like this:

"reviewerIdentitiesToCertify.$": "$.getListOfIdentities.identities[*].id"

Campaign Step

"Create Certification Campaign": {
  "actionId": "sp:create-campaign",
  "attributes": {
    "activateUponCreation": true,
    "description": "Quarterly review of SailPoint ORG_ADMIN identities.",
    "duration": "4d",
    "emailNotificationEnabled": false,
    "name": "Quarterly SailPoint Admin Review",
    "recommendationsEnabled": true,
    "reviewerCertificationType": "IDENTITY",
    "reviewerId": "PUT_YOUR_V3_IDENTITY_ID_HERE",
    "reviewerIdentitiesToCertify.$": "$.getListOfIdentities.identities[*].id",
    "type": "REVIEWER_IDENTITY",
    "undecidedAccess": false
  },
  "nextStep": "End Step - Success",
  "type": "action",
  "versionNumber": 2
}

Your schedule also isn’t quarterly yet. Right now it is configured as daily, so you’ll want to switch that to a quarterly cron pattern too.

1 Like

Hi,

@ROHPU another simple and out-of-the-box alternative can be to just set up a new source with the Integrating SailPoint with Identity Security Cloud Governance connector.

This allows you to import ISC permissions and governance groups as entitlements and manage them.

For that new source you can create and schedule a certification campaign that includes identities with the ORG_ADMIN entitlement directly in the UI.

SailPointAdminAccountReview20260407.json (2.2 KB) Thank you for the reply, but my problem here is that I am getting all the entitlements of these identities in the certification, but I want to create it for only ORG_ADMINS. Can you please help me with this?

The reason you are still getting all entitlements is that the workflow is finding the right identities, but it is not constraining the campaign to the ORG_ADMIN entitlement ID.
In an ACCESS certification, reviewerAccessConstraintIds must contain the specific access item IDs you want reviewed. Right now you are passing $.getListOfIdentities.identities, which is a list of identity objects, not the entitlement ID for ORG_ADMIN. Also, SailPoint’s workflow action supports this kind of filtering for Access certifications, not for Identity certifications.

So the fix is:

  1. Keep reviewerCertificationType as ACCESS
  2. Keep reviewerAccessItemType as ENTITLEMENT
  3. Set reviewerAccessConstraintIds to the ID of the ORG_ADMIN entitlement
  4. Pass only the identity IDs into reviewerIdentitiesToCertify using $.getListOfIdentities.identities[*].id

{
  "name": "SailPoint Admin Account Review",
  "description": "Creates a certification campaign only for ORG_ADMIN access.",
  "definition": {
    "start": "Get List of Identities",
    "steps": {
      "Get List of Identities": {
        "actionId": "sp:get-identities",
        "attributes": {
          "inputQuery": "@access(source.name:IdentityNow AND value:ORG_ADMIN)",
          "searchBy": "searchQuery"
        },
        "description": "Get all identities that currently have ORG_ADMIN access.",
        "nextStep": "Create Certification Campaign",
        "type": "action",
        "versionNumber": 2
      },
      "Create Certification Campaign": {
        "actionId": "sp:create-campaign",
        "attributes": {
          "activateUponCreation": true,
          "description": "Semi-annual review for ORG_ADMIN entitlement only.",
          "duration": "14d",
          "emailNotificationEnabled": false,
          "name": "SailPoint ORG_ADMIN Review",
          "recommendationsEnabled": true,
          "reviewerAccessConstraintIds": [
            "PUT_ORG_ADMIN_ENTITLEMENT_ID_HERE"
          ],
          "reviewerAccessItemType": "ENTITLEMENT",
          "reviewerAccessOperator": "SELECTED",
          "reviewerCertificationType": "ACCESS",
          "reviewerId": "PUT_REVIEWER_ID_HERE",
          "reviewerIdentitiesToCertify.$": "$.getListOfIdentities.identities[*].id",
          "type": "REVIEWER_IDENTITY",
          "undecidedAccess": false
        },
        "description": "Create campaign only for ORG_ADMIN entitlement.",
        "nextStep": "End Step - Success",
        "type": "action",
        "versionNumber": 2
      },
      "End Step - Success": {
        "actionId": "sp:operator-success",
        "type": "success"
      }
    }
  },
  "trigger": {
    "type": "SCHEDULED",
    "attributes": {
      "cronString": "0 0 1 6,12 *",
      "frequency": "yearly",
      "id": "idn:cron-schedule",
      "timeZone": "Asia/Calcutta",
      "yearlyDates": [
        "1"
      ],
      "yearlyMonths": [
        "Jun",
        "Dec"
      ],
      "yearlyScheduleType": "yearlyByDate",
      "yearlyTimes": [
        "1969-12-31T18:30:00.000Z"
      ]
    }
  }
}

You can test it first by hardcoding the ORG_ADMIN entitlement ID. Once that works, you can make that lookup dynamic later.
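As an added example (not from this thread, and not SailPoint's own tooling), here is a small Python linter that checks an exported workflow definition for the mistakes discussed above before it is imported: access-only fields on an IDENTITY campaign, a blank reviewerId, a still-placeholder entitlement ID on an ACCESS campaign, identity objects passed where IDs are expected, and a cron string that is not quarterly. The attribute names are taken from the JSON above; the SAMPLE workflow is constructed for the demonstration.

```python
import re

# Attribute names exactly as they appear in the sp:create-campaign step above.
ACCESS_ONLY = {"reviewerAccessConstraintIds", "reviewerAccessItemType", "reviewerAccessOperator"}
UNFILLED = re.compile(r"^(PUT_|$)")  # blank, or still the PUT_..._HERE placeholder
def cron_months(cron: str) -> set:
    field = cron.split()[3]  # month field of a 5-field cron string: *, */n, list or range
    if field == "*":
        return set(range(1, 13))
    step = re.fullmatch(r"\*/(\d+)", field)
    if step:
        return set(range(1, 13, int(step.group(1))))
    months = set()
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        months.update(range(int(lo), int(hi or lo) + 1))
    return months
def is_quarterly(cron: str) -> bool:
    m = sorted(cron_months(cron))
    return len(m) == 4 and all(b - a == 3 for a, b in zip(m, m[1:]))
def lint_workflow(wf: dict) -> list:
    """Return the problems found; an empty list means the definition is ready to import."""
    out = []
    for name, step in wf["definition"]["steps"].items():
        if step.get("actionId") != "sp:create-campaign":
            continue
        a = step["attributes"]
        stray = sorted(ACCESS_ONLY & a.keys())
        if a.get("reviewerCertificationType") == "IDENTITY" and stray:
            out.append(f"{name}: remove access-only fields {stray} from an IDENTITY campaign")
        if a.get("reviewerCertificationType") == "ACCESS":
            ids = a.get("reviewerAccessConstraintIds") or []
            if not ids or any(UNFILLED.match(str(i)) for i in ids):
                out.append(f"{name}: reviewerAccessConstraintIds must hold the real ORG_ADMIN entitlement ID")
        if UNFILLED.match(str(a.get("reviewerId", ""))):
            out.append(f"{name}: reviewerId is blank, so no reviewer is assigned")
        if not a.get("reviewerIdentitiesToCertify.$", "").endswith("[*].id"):
            out.append(f"{name}: reviewerIdentitiesToCertify.$ should select ...identities[*].id")
    trig = wf.get("trigger", {})
    if trig.get("type") == "SCHEDULED" and not is_quarterly(trig["attributes"]["cronString"]):
        out.append("trigger: cronString is not quarterly (expected e.g. '0 0 1 1,4,7,10 *')")
    return out

# Constructed sample: the thread's corrected ACCESS step with its placeholders still unfilled.
SAMPLE = {"definition": {"steps": {"Create Certification Campaign": {"actionId": "sp:create-campaign",
    "attributes": {"reviewerCertificationType": "ACCESS", "reviewerAccessItemType": "ENTITLEMENT",
                   "reviewerAccessConstraintIds": ["PUT_ORG_ADMIN_ENTITLEMENT_ID_HERE"], "reviewerId": "",
                   "reviewerIdentitiesToCertify.$": "$.getListOfIdentities.identities[*].id"}}}},
    "trigger": {"type": "SCHEDULED", "attributes": {"cronString": "0 0 1 6,12 *"}}}
```

Running lint_workflow(SAMPLE) reports three findings (placeholder entitlement ID, blank reviewerId, semi-annual rather than quarterly cron); it returns an empty list once those are fixed.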

Hi @ROHPU

Your workflow looks good, just update this:

In the Access Filter you should specify the ID of the ORG_ADMIN entitlement, and this can be found in the search UI by using the filter:

source.name:IdentityNow AND value:ORG_ADMIN

Or you can make it dynamic by using an HTTP request.

1 Like

This is helpful; I understood what a loopback connector is and where it can be used.

1 Like

Hi @BhanuK1 ,

Just for information: ISC now has an out-of-the-box connector, Integrating SailPoint with Identity Security Cloud Governance, equivalent to the loopback connector without any creation of a custom connector or web service.

Thank you for the information @baoussounda .

1 Like