Verify Data Type Value Not Working

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

We have a use case where, during an access revocation request, we need to validate whether the user who initiated the request (requestedBy.id) is a member of a specific Governance Group. If the user is not a member, the access request should be automatically cancelled.

To implement this, we’re using the Access Request Submission trigger in a workflow. As part of the flow, we’re making an HTTP call (HTTP Request 6) to fetch the members of the Governance Group.

The response body returns an array of members, each with an id. We then attempt to match the requestedBy.id with one of these member IDs using a “Verify Data” step with a JSONPath condition like: $.hTTPRequest6.body[?(@.id=={{$.trigger.requestedBy.id}})] We also tried other variants:

  • $.hTTPRequest6.body[?(@.id=="{{$.trigger.requestedBy.id}}")]
  • $.hTTPRequest6.body[?(@.id=='{{$.trigger.requestedBy.id}}')]

However, none of these expressions are evaluating to true, even when the ID is present in the response. As a result, the workflow always follows the “false” path.
We cannot use the loop operator, because initiating a cancellation action inside the loop causes the workflow to attempt multiple cancellations, which fails due to SailPoint’s restriction on one cancellation per request.
We need a way to check if the requestedBy.id exists within the HTTP response’s array of Governance Group members, without looping, and only cancel once, if no match is found.

image
image460×705 13.3 KB

Need assistance on:

  1. Whether the Verify Data step can check existence within an array of objects using a dynamic value from the trigger payload?
  2. If not feasible via JSONPath, is there a recommended approach to avoid triggering multiple cancellation paths?
    image
    image466×439 21.2 KB
2

@Sandash, when you try the Verify Data step, it gives you back an array when you are using JSONPath, so it doesn’t just say true or false if there’s a match. To check if something exists in the list, it’s better to use a Transform JSON step first to filter it, then check if the result has anything in it using the length.

Yes. as mentioned above, you can use a Transform JSON step to filter the member list for matching IDs, then use a Verify Data step to check if the filtered result has a length of 0.

Here is an Example:

$.hTTPRequest6.body[?(@.id=='{{$.trigger.requestedBy.id}}')]
{{length($.transformStepName)}}

Good Luck!

3

@lipna , I am not clear on the solution. If $.hTTPRequest6.body[?(@.id==‘{{$.trigger.requestedBy.id}}’)] is supposed to work, then why do I need to check the string length? And how does length = 0 means that the match has been found?

4

Hi @sandashafreen26,

In the current workflow configuration, it would be difficult to compare array results.

Have you considered looping through each item in the HTTP request body and comparing it with the identity id.?

The loop input would be $.hTTPRequest.body[*].id
The context - $.getIdentity.id

Then you do a string compare on $.loop.loopInput contains $.loop.context inside the loop.

5

@sandashafreen26 , below is working for me, manually I have added the ID. Can you try storing {{$.trigger.requestedBy.id}} in a variable and then use the variable in verify data type step?

$.hTTPRequest.body[?(@.id=="118ea97a8e1b44bbbce6467b82d53854")]

image
image352×369 5.18 KB