Validating Multiple Entitlement SoD Conflicts in a Single Request using /sod-violations/predict

We’re using IdentityNow and have a workflow that checks for SoD conflicts using the built-in SoD policy trigger. This works well when the user already has access A and requests B, and a conflict is identified.
However, we’re facing a limitation when two conflicting entitlements are requested at the same time (i.e., in the same access request). In this case, IdentityNow does not detect the conflict during the approval process.


Our Goal
To handle this use case, we’re trying to implement a second validation step using the IdentityNow API:
POST /sod-violations/predict
This API can check for conflicts between entitlements provided in the same payload.


Required Payload Format
We want to dynamically generate the following JSON structure inside the workflow, based on the entitlements requested:
{
  "identityId": "ID_OF_THE_IDENTITY",
  "accessRefs": [
    {
      "id": "ENTITLEMENT_ID_1",
      "type": "ENTITLEMENT",
      "name": "Entitlement Name 1"
    },
    {
      "id": "ENTITLEMENT_ID_2",
      "type": "ENTITLEMENT",
      "name": "Entitlement Name 2"
    }
    // … more entitlements …
  ]
}


What We’ve Done So Far
• The workflow starts with the default SoD validation trigger.
• If no violation is found there, and two or more accesses are requested:

  1. We loop through each access profile in the request.
  2. For each, we use an API call to retrieve the linked entitlements.
  3. We collect the id and name of each entitlement.


So far, we’re able to gather a list of the entitlements requested.


The Challenge
We are now stuck trying to build the final JSON payload in the format above within the workflow, so that we can send it in an HTTP Request action to /sod-violations/predict.
My Questions:

  1. Is it possible in IdentityNow workflows to dynamically construct a JSON object with a nested array (accessRefs) based on a looped list of entitlements?
  2. If yes:
    o How should we structure the variables?
    o Can we use a combination of For Each and Build JSON/Write JSON actions to append objects to a JSON array?
    o Do we need to construct this manually as a string or is there a better native approach?
  3. Does anyone have an example workflow or approach that builds a dynamic JSON payload like this in IdentityNow?

Regards
Reinaldo Santos
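An added example of the payload-building step the post asks about, written in Python rather than as workflow actions (it is not code from the original post or from SailPoint). It takes the access-profile-to-entitlement list the workflow already gathers, flattens it into the accessRefs array from the thread, drops entitlements that appear under more than one access profile, and posts the result to the /sod-violations/predict path quoted above. The base URL, bearer token, and the shape of the per-access-profile entitlement list are assumptions; the sample profiles are constructed.

```python
"""Build and send the POST /sod-violations/predict payload from entitlements
collected across the access profiles of one request.

Added example; not code from the original post or from SailPoint. The
endpoint path comes from the thread. BASE_URL, the bearer token, and the
input shape of `access_profiles` are assumptions for this example."""
import json
import urllib.request

# Constructed sample: the id/name pairs the workflow collects per access
# profile. "ent-0002" is linked from two profiles on purpose so the
# de-duplication below is exercised.
SAMPLE_ACCESS_PROFILES = [
    {"name": "AP-Finance-Create-Vendor",
     "entitlements": [{"id": "ent-0001", "name": "Create Vendor"},
                      {"id": "ent-0002", "name": "View Vendor"}]},
    {"name": "AP-Finance-Pay-Vendor",
     "entitlements": [{"id": "ent-0002", "name": "View Vendor"},
                      {"id": "ent-0003", "name": "Approve Payment"}]},
]


def collect_entitlements(access_profiles):
    """Flatten the linked entitlements of every access profile in the request
    into one list of {"id", "name"} dicts (order of appearance preserved)."""
    collected = []
    for profile in access_profiles:
        for ent in profile.get("entitlements", []):
            collected.append({"id": ent["id"], "name": ent["name"]})
    return collected


def build_predict_payload(identity_id, entitlements):
    """Return the JSON-serialisable dict expected by /sod-violations/predict.

    Duplicate entitlement ids are dropped (two access profiles in the same
    request can link the same entitlement) while keeping first-seen order,
    so the predict call sees each requested entitlement exactly once."""
    if not identity_id:
        raise ValueError("identityId is required")
    seen = set()
    access_refs = []
    for ent in entitlements:
        if ent["id"] in seen:
            continue
        seen.add(ent["id"])
        access_refs.append({"id": ent["id"],
                            "type": "ENTITLEMENT",
                            "name": ent["name"]})
    if not access_refs:
        raise ValueError("no entitlements to check")
    return {"identityId": identity_id, "accessRefs": access_refs}


def render_payload(payload):
    """Serialise the payload as the JSON body that will be sent."""
    return json.dumps(payload, indent=2)


def post_predict(base_url, token, payload, timeout=30):
    """POST the payload to <base_url>/sod-violations/predict and return the
    parsed JSON response. Uses only the standard library; the response
    structure is not described in the thread, so it is returned as-is."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/sod-violations/predict",
        data=render_payload(payload).encode("utf-8"),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed values; replace with the tenant's API base URL and a token.
    ents = collect_entitlements(SAMPLE_ACCESS_PROFILES)
    body = build_predict_payload("identity-0001", ents)
    print(render_payload(body))
    # post_predict("https://TENANT.api.identitynow.com/v3", "TOKEN", body)
```

The part that runs offline is the payload construction; the send step is left commented in the main guard because it needs a live tenant. The same flattening and de-duplication is what a For Each over access profiles would have to accumulate inside the workflow.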

Last I knew, workflow loops could not be used to build data lists. The Workflow continues on once the first loop is completed.

Second, the SoD Predict API states that it checks the values passed in against the existing access the user has. I don’t know that it will allow you to check access against the items in its list (this would be a good idea for the Ideas forum if it does not).


Reinaldo.

This is not possible, as the SoD verification happens in two stages: preventive, which happens in the access request, but the user needs to already have one of the conflicting accesses; or reactive, when the violation already exists or has happened and the owner is informed.

During the request, if the user requests two SoD accesses without already having either of them, no preventive violation would happen.

Let me ping you on slack.

