Sending email to outside team for further access provisioning

IdentityIQ (IIQ) IIQ Discussion and Questions
, ,
1

Which IIQ version are you inquiring about?

8.3p3

Please share any images or screenshots, if relevant.

[Please insert images here, otherwise delete this section]

Please share any other relevant files that may be required (for example, logs).

[Please insert files here, otherwise delete this section]

Share all details about your problem, including any error messages you may have received.

We are trying to add an email notification to the end of the attached xml workflow that sends a notification if the extended attribute drop-down in the screenshot (Third-Party Notification) has been filled out with a group or identity. I need some help adding code into the attached workflow for this.

Request Access Workflow.xml (37.2 KB)

image
image808×715 36.5 KB

2

Hi Derrick,

Can you provide the plan or project from the logs in order to frame the logic for sending the email notification in the workflow.

Thanks,
Harshith

3

Hi Harsith, Could you please elaborate on what you are specifically looking for in the logs? Do you have a screenshot example?

4

Hi @derrickthomasvdot

You would see ProvisioningPlan in the logs in your instance. It would look something like this ..

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="A1000003" targetIntegration="Saphire FP2-650" trackingId="dc25d96ae7e9476d953aab6c74b0822c">
  <AccountRequest application="Saphire FP2-650" nativeIdentity="MIRMATOU" op="Modify">
    <AttributeRequest name="Profiles" op="Remove" trackingId="c0a81d7397ea17278197ea17b87705a6" value="Z3S-ZSMO-ALL"/>
    <AttributeRequest name="Roles" op="Remove" trackingId="c0a81d7397ea17278197ea17b83a0598" value="Z6S_R-RFCALEADMIN"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="source" value="Certification"/>
      <entry key="sourceId" value="c0a81d7397ea17278197ea17b8000591"/>
      <entry key="sourceName" value="FP-650 Certification - 08/07/25, 6:21:52 pm IST"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="c0a81d7394df129e8194df030ae200ff" name="spadmin"/>
  </Requesters>
</ProvisioningPlan>

PS, This is just some example plan

5

Hi @derrickthomasvdot ,

It will depend on the requirement , there will be basically two scenario -

  1. You want to send email if it is approved .
  • you can customize your approval and provision workflow.
    in approval workflow , you can fetch the approval set and from that approval item , check if it is approved or not .
  • if it is approved then fetch the managed attribute on the basis of approval item using (ManagedAttributer class ) or up to you .
  • Fetch the extended attribute and put down a step and send the email.you would have to prepare email template etc . you can send email using workflow action or context.sendEmailNotification.
  1. Approval does not matter at all , anyhow you want to send the mail
  • you can put a step after Notify step.
  • Fetch the provisiong Plan.
  • Fetch the account request and then attribute request.
  • again fetch the managed attribute on the basis of attribute value.
  • prepare email template etc and send the notification.

I would say first finalize your requirement and go through above approach.

feel free to reach out in case you need further help .

6

I have attached an example of the provisioning plan that was found recently in the logs. I am trying to see exactly where my approval workflow is located. I can also create the email template but exactly where do I put the step and what exactly would the step say/script? Before then, what could write if it is approved and where?

7

SailPoint Access Request Example.txt (17.3 KB)

8

Hi @derrickthomasvdot

Please use this sample script to get the role details and send email notification, you can customize it a bit according to your need.
In workflow you can add a Step after Identity Request Notify add this logic and send email.

Thanks,
Harshith
Sample-Email-Rule.xml (1.6 KB)

9

Harshith, your xml file is not opening and is giving the following error

This page contains the following errors:

error on line 1 at column 1: Start tag expected, ‘<’ not found

10

Could you please attache the correct sample-email-rule.xml file?

11

You can retrieve the value of the Roles extended attribute and check if it is set to “Third-Party Notification”. If so, proceed to invoke the Notification step to send the email.

You can implement this using either of the following approaches:

<Step action="call:sendEmail" icon="Email" name="Notification Step">
    <Arg name="template" value="ref:EmailTemplate"/>
    <Arg name="to" value="script:managerEmail"/>
	<Arg name="attributename" value="script:attributevalue"/>
</Step>

  EmailTemplate emailTemplate = context.getObjectByName(EmailTemplate.class,templateName);
      if(null != emailTemplate)
      {
	    HashMap params = new HashMap();
		params.put("requesteeDisplayName",requesteeDisplayName);
        EmailOptions ops = new EmailOptions(recipient,params);		
        context.sendEmailNotification(template,ops);
      }
12

2 questions.

  1. Where do I put these 2 codes? Do they go in the request access workflow at the end of the xml file?
  2. Where excatly am i checking the value for the ext role attribute? in the debug page under what object?
  3. Also, we want to only send the email needed if the “3rdpartynatification” has been filled out.
13

All, more assistance would be appreciated

14

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.