SailPoint workflows use cases

Hi Sailers,

I am trying to learn SailPoint coding and got stuck understanding how and where exactly I should be changing the subprocess in workflows based on a use case. I would appreciate it if someone could post a use case and the exact things to be modified in a provisioning workflow or any of its subprocesses.

In workflows, subprocesses are defined using the <WorkflowRef> tag, which includes the name and ID of the sub-workflow. To invoke a different workflow, simply replace the existing workflow’s name with the desired one.

Share more details about your specific use case.

Hi Bharath,

Here’s a simple use case that involves modifying a subprocess in the provisioning workflow, specifically the “Approve and Provision” subprocess:


Use Case: Two-Level Approval (Manager + Entitlement Owner)

Imagine you have certain entitlements that require approval from both the user’s manager and the entitlement owner during an access request.

To implement this:


Steps to Modify Workflow:

  1. Write an Approval Assignment Rule:
     • This rule defines who needs to approve based on the entitlement.
     • You can check if the entitlement requires dual approval and add the manager and owner accordingly.
  2. LCM Provisioning Workflow
     • This is the main workflow triggered during access requests.
     • It has a step called “Approve and Provision”, which calls the subprocess: “Approve and Provision Subprocess”
  3. Open “Approve and Provision Subprocess”
     • Inside it, locate the step named “Approve”.
  4. Edit the “Approve” Step
     • Assign your custom Approval Assignment Rule here.
     • This rule returns a list of approvers (e.g., manager + entitlement owner).

This is a scenario where you modify a subprocess (Approve and Provision) and apply business logic using a custom rule to meet access governance requirements.

Note:

It’s not recommended to modify OOB workflows directly.
Best practice: Copy the workflow and subprocess, rename them, make your changes, and use the new versions.

Hi Bharath,

You can refer to another workflow by using the syntax below in workflow steps:

    <WorkflowRef>
      <Reference class="sailpoint.object.Workflow" name="LCM Create and Update Immediate Termination"/>
    </WorkflowRef>

Additionally, you have to supply all the input variables to the workflow from the same step, like below:

    <Arg name="approvalScheme" value="ref:approvalScheme"/>
    <Arg name="fallbackApprover" value="ref:fallbackApprover"/>

Also, if you are expecting any result/return variables from the sub-workflow, you have to add the return argument in the same step, like below:

<Return name="project" to="project"/>

Below is the example for your reference

<Step name="Process Plan" posX="1005" posY="7">
    <Arg name="approvalScheme" value="ref:approvalScheme"/>
    <Arg name="fallbackApprover" value="ref:fallbackApprover"/>
    <Arg name="endOnManualWorkItems"/>
    <Arg name="userEmailTemplate" value="User_EndDate_Change_Notification"/>
    <Arg name="policiesToCheck"/>
    <Arg name="workItemPriority"/>
    <Arg name="workItemComments" value="ref:comments"/>
    <Arg name="identityRequestId"/>
    <Arg name="source"/>
    <Arg name="identityDisplayName" value="ref:identityDisplayName"/>
    <Arg name="foregroundProvisioning"/>
    <Arg name="approvalMode" value="serial"/>
    <Arg name="batchRequestItemId"/>
    <Arg name="trace" value="true"/>
    <Arg name="doRefresh" value="true"/>
    <Arg name="endOnProvisioningForms"/>
    <Arg name="approverElectronicSignature"/>
    <Arg name="plan" value="ref:plan"/>
    <Arg name="flow" value="Disable Identity"/>
    <Arg name="identityName" value="ref:name"/>
    <Arg name="notificationScheme" value="ref:notificationScheme"/>
    <Arg name="approvalSet"/>
    <Arg name="policyViolations"/>
    <Arg name="policyScheme"/>
    <Arg name="approvalForm"/>
    <Arg name="requesterEmailTemplate" value="TerminateUser Requester Rejection Notification"/>
    <Arg name="approvalEmailTemplate" value="ref:initialApprovalEmailTemplate"/>
    <Arg name="ticketManagementApplication"/>
    <Arg name="optimisticProvisioning"/>
    <Arg name="securityOfficerEmailTemplate"/>
    <Arg name="securityOfficerName" value="ref:securityOfficer"/>
    <Arg name="managerEmailTemplate" value="ref:managerEmailTemplate"/>
    <Arg name="ticketId"/>
    <Arg name="comments" value="ref:comments"/>
    <Arg name="oldEndDate" value="ref:oldEndDate"/>
    <Arg name="userType" value="ref:userType"/>
    <Arg name="workItemHoursTillEscalation" value="ref:workItemHoursTillEscalation"/>
    <Arg name="workItemMaxReminders" value="ref:workItemMaxReminders"/>
    <Arg name="workItemHoursBetweenReminders" value="ref:workItemHoursBetweenReminders"/>
    <Return name="project" to="project"/>
    <WorkflowRef>
      <Reference class="sailpoint.object.Workflow" name="LCM Create and Update Immediate Termination"/>
    </WorkflowRef>
    <Transition to="Refresh Identity"/>
</Step>
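
A check for the Arg/Return wiring described in the reply above, as an added example that is not part of the original post or SailPoint's own tooling: it compares each step that carries a <WorkflowRef> against the <Variable> declarations of the referenced subprocess in exported workflow XML. The workflow names and sample XML are constructed, and treating the input, required and output attributes of <Variable> as the subprocess's declared interface is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample input; workflow names and the misspelled Arg are hypothetical.
PARENT_XML = """<Workflow name="Custom LCM Provisioning">
  <Step name="Process Plan">
    <Arg name="approvalScheme" value="ref:approvalScheme"/>
    <Arg name="aprovalMode" value="serial"/>
    <Return name="project" to="project"/>
    <WorkflowRef>
      <Reference class="sailpoint.object.Workflow" name="Custom Approve and Provision Subprocess"/>
    </WorkflowRef>
    <Transition to="Refresh Identity"/>
  </Step>
  <Step name="Refresh Identity"/>
</Workflow>"""
SUB_XML = """<Workflow name="Custom Approve and Provision Subprocess">
  <Variable input="true" name="approvalScheme"/>
  <Variable input="true" name="approvalMode"/>
  <Variable input="true" name="plan" required="true"/>
  <Variable name="project" output="true"/>
</Workflow>"""

def check_subprocess_calls(parent_xml, subprocess_xmls):
    """Lint every Step that calls a sub-workflow through <WorkflowRef>."""
    subs = {r.get("name"): r for r in map(ET.fromstring, subprocess_xmls)}
    findings = []
    for step in ET.fromstring(parent_xml).iter("Step"):
        ref = step.find("WorkflowRef/Reference")
        if ref is None:
            continue  # ordinary step, no subprocess call
        sub = subs.get(ref.get("name"))
        if sub is None:
            findings.append((step.get("name"), "subprocess not found", ref.get("name")))
            continue
        variables = {v.get("name"): v for v in sub.iter("Variable")}
        passed = [a.get("name") for a in step.findall("Arg")]
        for name in passed:  # Args the subprocess does not declare as input
            if variables.get(name) is None or variables[name].get("input") != "true":
                findings.append((step.get("name"), "arg is not a declared input", name))
        for name, var in variables.items():  # required inputs the step forgot
            if var.get("required") == "true" and name not in passed:
                findings.append((step.get("name"), "required input not passed", name))
        for ret in step.findall("Return"):  # Return must name a subprocess variable
            if ret.get("name") not in variables:
                findings.append((step.get("name"), "return is not a subprocess variable", ret.get("name")))
    return findings

if __name__ == "__main__":
    for finding in check_subprocess_calls(PARENT_XML, [SUB_XML]):
        print(finding)
```

Running it against a copied workflow and its copied subprocess before import catches a renamed or mistyped Arg that would otherwise leave an approval setting unset in the subprocess.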

Thank you Priya, appreciate your inputs!

Thank you Prashanth for your reply. May I know if there is any way I can find such use cases which we handle in real-time projects?

Thank you Ramanayya for your reply. It is quite informative.

Hi Bharath
You can refer to this presentation, so that you can get a better understanding of workflows.
IdentityIQ_Advanced_Provisioning_and_Workflows_8.2b_-_Student_Presentations.pdf (6.9 MB)
Additionally you can enroll in this course on SailPoint University

This gives you a better understanding, and you can relate to real-time use cases once you have a good idea.
For your ref:
LCM Subprocess Workflows
Lifecycle Manager Workflows