Hi Team
We are trying to remove AD group memberships from source A and Source B during termination processing. We do not want to remove the AD group “Domain Users”. All of the other groups should be removed.
There will need to be a trigger for the workflow, which can be the identity moving from the ‘Active’ lifecycle state to the ‘inactive’ lifecycle state.
In the developer portal we found a similar requirement (Workflow to remove ALL leavers' standing access).
But we want to do a condition check: if the entitlement name starts with cn=domain users, we have to skip those.
Please suggest on how we can add this condition to the workflow.
You can achieve this by using the Services Standard Before Provisioning rule provided by SailPoint. Read the attached document, specifically the RemoveADEntitlements event action.
SSI BeforeProvisioning Rule - README.pdf (110.2 KB)
If you would like to use a workflow, then you can get all entitlements of the user from the AD source, and then using the Loop operator you can check if the entitlement contains Domain Users and, if not, submit a REVOKE_ACCESS request to remove the entitlement.
Hi Nitesh
Thanks for your response.
Previously I had worked on IIQ, and I am new to IDN. I was trying to use the workflow.
I got the below JSON to loop the standing access, and I was not able to check whether the entitlement contains Domain Users or not and submit a REVOKE_ACCESS request to remove the entitlement. If you have any sample JSON, can you please share it? Do we need to add any other step to check this condition?
Sample JSON I was referring to:
Leaver - ChildAccessRequests - RemoveStandingAccess.json (4.3 KB)
Hi Team
As a workaround, I was first trying to remove entitlements from a selected source, by referring to the below post (Workflow - Remove Entitlements from selected source).
In the loop input, I specified a filter that will filter the sources that we are interested in revoking entitlements for.
Loop input:
$.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT" && @.source.name == "Active Directory DEV")]
But I was not able to filter the source; other entitlements are also getting revoked.
Do we need to make any changes?
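
The selection logic discussed in this thread, as an added Python example that is not part of any post above and not SailPoint's own code: it filters an access list by type and source, then keeps "Domain Users" by comparing the first RDN exactly, so a group such as "Domain Users Admins" is still revoked. The record shape follows the `type` and `source.name` fields in the JSONPath above; the `name` field, the source names and all sample data are assumptions.

```python
# Added example: record shape and names are assumptions, not SailPoint's API.
PROTECTED_RDN = "cn=domain users"          # the one group the thread keeps
TARGET_SOURCES = {"Source A", "Source B"}  # placeholder source names

def first_rdn(dn):
    """Return the first RDN of a DN, lower-cased, honouring escaped commas."""
    out, escaped = [], False
    for ch in dn.strip():
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            out.append(ch)
            escaped = True
        elif ch == ",":
            break
        else:
            out.append(ch)
    attr, _, value = "".join(out).partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def entitlements_to_revoke(access, sources=TARGET_SOURCES):
    """Select entitlements on the target sources, keeping the protected group."""
    selected = []
    for item in access:
        if item.get("type") != "ENTITLEMENT":
            continue  # roles and access profiles are out of scope here
        if (item.get("source") or {}).get("name") not in sources:
            continue  # never touch entitlements from other sources
        if first_rdn(item.get("name") or "") == PROTECTED_RDN:
            continue  # exact first-RDN match, not startswith/contains
        selected.append(item)
    return selected

def ent(name, source, kind="ENTITLEMENT"):
    return {"type": kind, "name": name, "source": {"name": source}}

# Constructed sample data (not taken from any real tenant).
SAMPLE_ACCESS = [
    ent("CN=Domain Users,CN=Users,DC=example,DC=com", "Source A"),
    ent("CN = domain users ,CN=Users,DC=example,DC=com", "Source B"),
    ent("CN=Domain Users Admins,OU=Groups,DC=example,DC=com", "Source A"),
    ent("cn=VPN,OU=Groups,DC=example,DC=com", "Source B"),
    ent("Billing", "Other App"),
    ent("Employee", "Source A", kind="ROLE"),
]

if __name__ == "__main__":
    for e in entitlements_to_revoke(SAMPLE_ACCESS):
        print(e["source"]["name"], e["name"])
```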