Using IdentityNow Workflows to Send a List of Uncorrelated Accounts After Aggregation

Introduction

The goal of this blog is to show how to create a workflow that sends an email with a list of uncorrelated accounts to a source owner after each aggregation. This workflow keeps the source owner informed about uncorrelated accounts after each aggregation.

The notification will contain the following information:

  • Source Name
  • Number of uncorrelated accounts
  • A preview of the first ten uncorrelated accounts in table format
  • A direct link to the source uncorrelated export page

Workflow implementation

Here is the functional flow of the workflow steps:

Create a new workflow called “Send notification with uncorrelated accounts” and add the “Account Aggregation Completed” trigger as the first step.

As you can see in the screenshot above, it is possible to add an optional filter if you want to send notifications only for specific sources.

$[?((@.source.name in ["My source 1", "My source 2", "My source 3"]) && (@.status == "Success"))]
  • This filter means the workflow will run only for the sources “My source 1”, “My source 2” and “My source 3”, and only if the aggregation status is Success.
  • You can replace “My source 1”, “My source 2”, “My source 3” with your source names and add more sources if you want.

Next, add an HTTP Request action beneath the trigger. This action will be used to fetch the list of uncorrelated accounts using the Accounts List endpoint. Configure it as follows:

  • Token URL is in the following format: https://{tenant}.api.identitynow.com/oauth/token
  • Client ID and Client Secret are obtained from your personal access token. See this guide for more information on generating a PAT.
  • Request URL is https://{{tenant}}.api.identitynow.com/v3/accounts?filters=sourceId%20eq%20%22{{$.trigger.source.id}}%22%20and%20uncorrelated%20eq%20true&count=true&limit=10
  • Leave the Request Content Type empty

After the HTTP Request, add a Verify Data Type operator to check whether uncorrelated accounts are returned. If an item was returned, we continue with the next steps. If no item was returned, we terminate with the “End Step — Success” operator. Configure the Verify Data Type operator as follows.

Connect the Verify Data Type “False” output to the “End Step — Success” operator and the “True” output to a new HTTP Request action.

This second HTTP Request action will be used to retrieve the source owner using the Get Source by ID endpoint. Configure it as follows:

  • Token URL is in the following format: https://{tenant}.api.identitynow.com/oauth/token
  • Client ID and Client Secret are obtained from your personal access token. See this guide for more information on generating a PAT.
  • Request URL is https://{tenant}.api.identitynow.com/v3/sources/{{$.trigger.source.id}}
  • Leave the Request Content Type empty

After the second HTTP Request, add another Verify Data Type operator to check that the source information is retrieved correctly. Configure it as follows.

Connect the Verify Data Type 1 operator “False” output to the new “End Step — Success” operator and the “True” output to the Get Identity action.

This Get Identity action will be used to retrieve the source owner email. Configure it as follows.

Next, add a Send Email action beneath the Get Identity action and connect its output to the new “End Step — Success” operator. This Send Email action will be used to send an email to the source owner. Configure it as follows.

  • Recipient Email Addresses: must contain the recipients' email addresses. In this case we use the source owner email with the following JSONPath variable: $.getIdentity.attributes.email
  • Leave the Reply To Email Address and From empty.
  • Templating Context: used to define variables that can be used in the email subject and body template. In our case we define the following variables:
{
	"accounts.$": "$.hTTPRequest.body",
	"aggregationCompletedDate.$": "$.trigger.completed",
	"ownerName.$": "$.getIdentity.attributes.displayName",
	"sourceName.$": "$.trigger.source.name",
	"totalAccounts.$": "$.hTTPRequest.headers['X-Total-Count'][0]",
	"uncorrelatedAccountsLink": "https://{{tenant}}.identitynow.com/ui/admin#admin:connections:sources:{{$.trigger.source.id}}:uncorrelatedAccounts"
}

In the value of the uncorrelatedAccountsLink variable, you must replace {{tenant}} with your tenant URL.

  • Subject: must contain the email subject. In this case we use: Uncorrelated accounts on source ${sourceName}
  • Body: use the following template:
<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="UTF-8" />
		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
	</head>
	<body style="font-family: Arial, sans-serif; margin: 20px">
		<p>Hello <strong>${ownerName}</strong>,</p>

		<p>
			After aggregation on source <strong>${sourceName}</strong> at
			<strong>${aggregationCompletedDate}</strong>, <strong>
				${totalAccounts}</strong
			>
			uncorrelated accounts are detected.
		</p>
		<p>
			You can access export of uncorrelated accounts page
			<a
				href="${uncorrelatedAccountsLink}"
				style="color: blue; text-decoration: underline"
				>here</a
			>
		</p>

		#if($totalAccounts <= 10)
		<p>Below list of uncorrelated accounts :</p>
		#else
		<p>Below list of the 10 first uncorrelated accounts :</p>
		#end

		<table style="width: 100%; margin-top: 20px; border-collapse: collapse">
			<thead>
				<tr>
					<th style="border: 2px solid grey; background-color: #f2f2f2">
						account
					</th>
					<th style="border: 2px solid grey; background-color: #f2f2f2">
						displayName
					</th>
				</tr>
			</thead>
			<tbody>
				#foreach($account in $accounts)
				<tr>
					<td style="border: 2px solid grey; padding: 8px; text-align: center">
						${account.nativeIdentity}
					</td>
					<td style="border: 2px solid grey; padding: 8px; text-align: center">
						${account.name}
					</td>
				</tr>
				#end
			</tbody>
		</table>

		<p>Best regards</p>
		<p>IdentityNow Team</p>
	</body>
</html>

As you can see, the template uses the variables defined in the Templating Context.
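The data flow configured above, from the trigger filter through the first Request URL to the Templating Context, as an added Python example for checking the logic offline (it is not part of the original post or of SailPoint's code). It also HTML-escapes the account values before they would go into table cells, since those values originate in the aggregated source. The tenant name `example`, the sample event, response and owner objects, and the 32-hex-character source id check are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

ALLOWED_SOURCES = ["My source 1", "My source 2", "My source 3"]  # names from the trigger filter

def trigger_matches(event):
    """Same condition as the optional trigger filter."""
    return event["source"]["name"] in ALLOWED_SOURCES and event["status"] == "Success"

def accounts_url(tenant, source_id, limit=10):
    """Request URL of the first HTTP Request action, with the filter percent-encoded."""
    if not re.fullmatch(r"[0-9a-f]{32}", source_id):  # assumption: ids shaped like the test input's
        raise ValueError("unexpected source id format")
    filters = f'sourceId eq "{source_id}" and uncorrelated eq true'
    return (f"https://{tenant}.api.identitynow.com/v3/accounts"
            f"?filters={quote(filters)}&count=true&limit={limit}")

def templating_context(event, response, owner, tenant):
    """Python equivalent of the Templating Context JSONPath lookups."""
    return {
        "accounts": response["body"],
        "aggregationCompletedDate": event["completed"],
        "ownerName": owner["attributes"]["displayName"],
        "sourceName": event["source"]["name"],
        "totalAccounts": int(response["headers"]["X-Total-Count"][0]),
        "uncorrelatedAccountsLink": f"https://{tenant}.identitynow.com/ui/admin#admin:"
                                    f"connections:sources:{event['source']['id']}:uncorrelatedAccounts",
    }

def preview(ctx):
    """Heading chosen as in the #if/#else block, plus HTML-escaped table rows."""
    heading = ("Below list of uncorrelated accounts :" if ctx["totalAccounts"] <= 10
               else "Below list of the 10 first uncorrelated accounts :")
    rows = [(html.escape(a["nativeIdentity"]), html.escape(a["name"]))
            for a in ctx["accounts"]]
    return heading, rows

# Constructed sample data (not real tenant output).
EVENT = {"source": {"id": "4e4d982dddff4267ab12f0f1e72b5a6d", "name": "My source 1"},
         "status": "Success", "completed": "2020-06-29T22:02:04.090Z"}
RESPONSE = {"headers": {"X-Total-Count": ["12"]},
            "body": [{"nativeIdentity": "CN=svc<backup>", "name": "svc-backup"},
                     {"nativeIdentity": "jdoe", "name": "John Doe"}]}
OWNER = {"attributes": {"displayName": "Source Owner", "email": "owner@example.com"}}

if __name__ == "__main__" and trigger_matches(EVENT):
    print(accounts_url("example", EVENT["source"]["id"]))
    print(preview(templating_context(EVENT, RESPONSE, OWNER, "example")))
```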

Complete workflow and JSON file

Here is the complete workflow

And you can download the JSON file here:
SendNotificationForUncorrelatedAccountsV2.json (5.3 KB)

Testing the workflow

To test this workflow, you can use the “Test workflow” button available in the UI:

The default input is provided as:

{
  "source": {
    "id": "4e4d982dddff4267ab12f0f1e72b5a6d",
    "name": "Corporate Active Directory",
    "type": "SOURCE"
  },
  "status": "Success",
  "started": "2020-06-29T22:01:50.474Z",
  "completed": "2020-06-29T22:02:04.090Z",
  "errors": [],
  "warnings": [
    "Account skipped"
  ],
  "stats": {
    "scanned": 200,
    "unchanged": 190,
    "changed": 6,
    "added": 4,
    "removed": 3
  }
}

Replace the id and name properties in the source object with the ID and name of the source you will use for testing.

Next, click the “Start workflow test” button and you should see a result like this:

The owner of the source should receive an email similar to this.
