Salesforce: Need to setup an workflow when account disable is failed during termination

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hi All,
Use case: Need to trigger a email from sailpoint when salesforce account is failed to disable while user termination. Am trying to use the below Json to create work flow but its with validation errors.
{
“name”: “Notify Salesforce User on Disable Failure”,
“description”: “This workflow sends an email notification to the admin when a Salesforce account fails to disable in SailPoint.”,
“definition”: {
“start”: “Check If Salesforce Disable Failed”,
“steps”: {
“Check If Salesforce Disable Failed”: {
“type”: “conditional”,
“properties”: {
“condition”: “{{trigger.accountOperation}} == ‘Disable’ && {{trigger.provisioningTarget}} == ‘Salesforce’ && {{trigger.provisioningResult}} != ‘committed’”
},
“ifTrue”: {
“nextStep”: “Get Identity”
},
“ifFalse”: {
“nextStep”: “End Step — Success”
}
},
“Get Identity”: {
“actionId”: “sp:get-identity”,
“attributes”: {
“id.$”: “$.trigger.identity.id”
},
“description”: “Retrieves details of the affected user.”,
“nextStep”: “Send Email”,
“type”: “action”,
“versionNumber”: 2
},
“Send Email”: {
“actionId”: “sp:send-email”,
“attributes”: {
“recipients”: [
xxx@xxx.com
],
“subject”: “Salesforce Account Disable Failed”,
“body”: “Dear Admin,

The attempt to disable the Salesforce account for user ${displayName} was unsuccessful.

Please investigate the issue and take the necessary actions.

Regards,
Identity Management Team”,
“context”: {
“displayName.$”: “$.getIdentity.attributes.displayName”
}
},
“description”: “Notifies the admin that the Salesforce account disable action failed.”,
“nextStep”: “End Step — Success”,
“type”: “action”,
“versionNumber”: 2
},
“End Step — Success”: {
“type”: “success”
}
}
},
“trigger”: {
“type”: “provisioningActionCompleted”,
“attributes”: {
“filter.$”: “$.accountRequests[?(@.accountOperation == ‘Disable’ && @.provisioningTarget == ‘Salesforce’ && @.provisioningResult != ‘committed’)]”,
“id”: “idn:post-provisioning”
}
},
“enabled”: true
}

Can anyone please look in

2

image
image964×308 20.4 KB

3

Hi @nandiniks,

Since you are already filtering for the SF failed events in the trigger, you don’t need to recheck it in the compare operator. And looks like the compare operator had formatting issues.

Here is a modified version, you can try.

SFDisable20250214.json (1.5 KB)

4

HI Jesvin,
Thank you for the reply. Still the logic doesnot work. Error persists.
Nandini

5

Hi @nandiniks,

Can you download and attach your WF here.

7

Attached the json Jesvin. PLease review.

8

Hi @nandiniks,

You can use a 4 step WF as below :

image
image377×420 15.2 KB

In the trigger filter, try something as below, so that it checks for the source name as well as failure in a single step.

$.accountRequests[?(@.accountOperation == "Disable" && !(@.provisioningResult == "SUCCESS" || @.provisioningResult=="committed") && @.provisioningTarget == "SF")]

9

Thank You Jesvin, It worked. I also have a requirement to pull the account attribute into the email template. Am trying with below expression but seems not able to fetch.
{“accountId.$”: “$.getAccounts.accounts[?(@.sourceId==‘420af5bb17704a16b4be20241f88d10c’)].attributes.Id”}

10

Hi @nandiniks,

Try this - {"accountId.$": "$.getAccounts.accounts[?(@.sourceId=='420af5bb17704a16b4be20241f88d10c')].id"}

If you are looking for a specific account attribute, you will need to mention the attribute name that is in your account schema.

eg. if your account schema contains the attribute SF_username, you can use the below filter :

{"accountId.$": "$.getAccounts.accounts[?(@.sourceId=='420af5bb17704a16b4be20241f88d10c')].attributes.SF_username"}

11

Hi Jesvin, not working as expected. Am pulling this above expression with ${accountId} in template. Do we have any other solution?
Nandini

12

am using the below expression:
{“accountId.$”: “$.getAccounts.accounts[?(@.sourceId==‘420af5bb17704a16b4be20241f88d10c’)].id”}

13

Used both filters. but seems no luck

14

Try this - {"accountId.$": "$.trigger.accountRequests[?(@.source.id=="420af5bb17704a16b4be20241f88d10c")].accountId}

or try {{$.trigger.accountRequests[?(@.source.id=="420af5bb17704a16b4be20241f88d10c")].accountId}} directly in the email body.

15

Hi @jesvin90 - for the same use case we are running into a different challenge. Our workflow gets triggered and performs the actions fine, however, we enabled automated retry in case of provisioning failure. This leads to the workflow executing multiple times for the same failure, there’s no good way to filter out the retry failures. Any ideas there?

User A, source account disablement failed.
Provisioning retry #1 - User A, source account disablement failed.
Provisioning retry #2 - User A, source account disablement failed.
Provisioning retry #3 - User A, source account disablement failed.

Workflow executes 4 times; this would generate duplicate SNOW tickets in our case for the operations team.

16

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.