Termination workflow to remove requestable access profiles and roles

Hi Team,

I am testing the workflow which will remove requestable roles and access profiles during termination. I’m seeing the positive result. I would like to remove the roles and access profiles only for a few sources. Where can I apply the filter?

Also, this workflow doesn’t remove the access profiles and roles whose entitlements are also in other access profiles and roles. I hope this is the product behaviour.

Thanks in advance. Appreciate your help.
Revoke.json (1.6 KB)

Hi @Shonnegowda,

Take a look at the thread below:

You can do an HTTP search and then loop over its output. The loop input would look something like this:

$.hTTPRequest.body[0].access[?(@.type == "ACCESS_PROFILE" && (@.source.name =="Source1" || @.source.name =="Source2"))]

Since roles are not tagged to a source, I don’t think there is a direct way to filter them based on the source name. But if your role name contains the source name, then you may be able to use a filter condition similar to the one above.


You can leverage this item as well: Workflow to remove ALL leavers' standing access
If you need to add filters, you can update the search filters in the workflow linked in the above article. Try something like…
{"indices":["identities"],"query":{"innerHit":{"query":"standalone:true AND NOT source.id:source ID AND NOT \"name to filter\"","type":"access"},"query":"id:\"{{$.trigger.id}}\""}} (e.g., for standalone entitlements)
Test these out by running the search through Postman and making sure you get the results you want.

The main issue is with roles, since they are not tagged to a source. Currently we don’t have a naming convention that includes the source name to try this out.

This may work only for access profiles and entitlements, since these are tied to a source, not for roles.

It’s possible, but more complex, to filter roles based on source. As you mentioned, roles contain access profiles, which may come from different sources. You would have to get the details of each access profile in the role and match on any that come from the target source. Depending on your criteria, if a role has one or more access profiles that come from the target source, then you could remove access to that role. You could potentially automate this in a workflow by getting all the roles of the identity that are requestable, then using a loop to check the APs of each role. Use a search query to get all of the APs for each role in the loop and add a clause to the query that only returns APs that come from your desired source. If any APs are returned in the search, then remove that role for the user.

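The two filters discussed in this thread (access profiles by source name, and roles by the sources of the access profiles they contain), carried out in plain Python as an added example; this is not code from the thread or from SailPoint, the search hits are constructed, and every field beyond `access[].type` and `access[].source.name` from the JSONPath above is an assumption.

```python
# Added example: pure-Python equivalent of the filters discussed above.
# Field names mirror the JSONPath in the thread; the rest of the search
# schema (role items, accessProfiles lookup) is assumed for illustration.

TARGET_SOURCES = {"Source1", "Source2"}

# Constructed stand-in for $.hTTPRequest.body[0] (one identity's search hit).
IDENTITY_HIT = {
    "id": "identity-1",
    "access": [
        {"type": "ACCESS_PROFILE", "name": "AD Basic", "source": {"name": "Source1"}},
        {"type": "ACCESS_PROFILE", "name": "SAP Finance", "source": {"name": "SAP"}},
        {"type": "ENTITLEMENT", "name": "Domain Users", "source": {"name": "Source1"}},
        {"type": "ROLE", "name": "Contractor"},
        {"type": "ROLE", "name": "Finance Analyst"},
    ],
}

# Constructed stand-in for the per-role search in the loop: role name ->
# the access profiles it contains, each tagged with its source.
ROLE_ACCESS_PROFILES = {
    "Contractor": [{"name": "AD Basic", "source": {"name": "Source1"}}],
    "Finance Analyst": [{"name": "SAP Finance", "source": {"name": "SAP"}}],
}


def access_profiles_from_sources(hit, sources):
    """Same selection as the JSONPath filter: ACCESS_PROFILE items whose
    source.name is one of the wanted sources."""
    return [
        item["name"]
        for item in hit["access"]
        if item.get("type") == "ACCESS_PROFILE"
        and item.get("source", {}).get("name") in sources
    ]


def roles_to_remove(hit, role_aps, sources):
    """Roles carry no source, so look inside each role: select the role if
    at least one of its access profiles comes from a wanted source."""
    roles = [item["name"] for item in hit["access"] if item.get("type") == "ROLE"]
    return [
        role
        for role in roles
        if any(ap.get("source", {}).get("name") in sources
               for ap in role_aps.get(role, []))
    ]
```

Run the equivalent search in Postman first, as suggested above, so the real field names replace the assumed ones before the logic goes into a workflow.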

Thanks Colin for the input. The requirement got updated to remove roles for all the sources, so I’ve implemented the workflow without the filter.
