I am working on a simple workflow/work item where if an identity has a last logon date within a certain timeframe, a workflow is executed which generates a simple approve/reject work item. If the work item is rejected, the identity is offboarded (one step sets the identity to ‘terminated’, and the following step refreshes the identity to trigger the leaver workflow). However, I am not able to trigger the workflow. Here’s the caveat: this works consistently in our development environment, but not in our qa/test environment. Below are the two steps that set the employment status to terminated, and then refresh the identity.
<Step icon="Default" name="Rejection - Offboard" posX="739" posY="13">
  <Arg name="identityName" value="ref:identityName"/>
  <Description>This step passes identityName to the 'trigger leaver' step to process the change to 'terminated'</Description>
  <Script>
    <Source>import sailpoint.object.Identity;
      Identity identity = context.getObjectByName(Identity.class, identityName);
      identity.setAttribute("employmentStatus", "Terminated");
      context.saveObject(identity);
      context.commitTransaction();</Source>
  </Script>
  <Transition to="Trigger Leaver"/>
</Step>
<Step action="call:refreshIdentity" icon="Default" name="Trigger Leaver" posX="869" posY="19">
  <Arg name="identityName" value="ref:identityName"/>
  <Arg name="processTriggers" value="true"/>
  <Arg name="checkHistory" value="true"/>
  <Transition to="Stop"/>
</Step>
Our RapidSetup Leaver configuration is set so that if the employment status changes from Active to Terminated, the leaver workflow is triggered. Am I missing something? Is this even the right approach? What could I look for that might prevent the leaver workflow from triggering?
Could you please share the RapidSetup Leaver Trigger configuration? Also try if the trigger is only employmentStatus equals “Terminated”; in that case the RapidSetup Leaver event should get triggered. Please try adding
We have two sets of identities - terminated is used for normal employees, and withdrawn is used for contractors.
I don’t know if you had pasted something to try in the refresh task, but I’m not seeing it.
I did add a decache and set ‘needsRefresh’ to true when committing the changes to the identity, as well as added additional options to the refresh method call
Refreshing does work normally. Promote Attributes appears to get the employment status from the linked HR application, which I am trying to avoid to trigger the leaver. I am aware that during an actual refresh, the identity will likely get rehired because they are active in their HR source (which I already brought up to management, but they insisted).
I would suggest creating a support case, as the refresh task in a workflow sometimes does not work as expected; I remember creating one myself. However, if the event trigger is not important, then you can consider triggering the termination workflow directly in place of the refresh step.
I was able to invoke the rapid setup leaver workflow directly, and that executed fine, but the one thing I can see being an issue there is our auditors will not see an event on the identity cube, so I opted to not go that route.
<Step icon="Default" name="Rejection - Offboard" posX="739" posY="13">
  <Arg name="identityName" value="ref:identityName"/>
  <Description>This step passes identityName to the 'trigger leaver' step to process the change to 'terminated'</Description>
  <Script>
    <Source>import sailpoint.object.Identity;
      import sailpoint.api.ObjectUtil;
      import sailpoint.api.PersistenceManager;
      import sailpoint.tools.Util;
      import sailpoint.tools.GeneralException;

      // context, log and identityName are supplied by the workflow engine.
      Identity ident = null;
      try {
        // Take a persistent lock so no concurrent refresh/aggregation overwrites the change.
        ident = ObjectUtil.lockObject(context, Identity.class, null, identityName,
            PersistenceManager.LOCK_TYPE_PERSISTENT, Util.uuid(), ObjectUtil.DEFAULT_LOCK_TIMEOUT);
        if (ident == null) {
          return;
        }
        ident.setAttribute("employmentStatus", "Terminated");
      } catch (GeneralException ge) {
        log.error("Error is==" + ge.toString());
      } finally {
        // Always release the lock, then persist and commit the identity.
        if (ident != null) {
          if (ident.getLock() != null) {
            ident.setLock(null);
            context.saveObject(ident);
            context.commitTransaction();
          }
        }
      }
    </Source>
  </Script>
  <Transition to="Trigger Leaver"/>
</Step>
<Step action="call:refreshIdentity" condition="ref:doRefresh" icon="Task" name="Trigger Leaver">
  <Description>
    Add arguments as necessary to enable refresh features. Typically you
    only want this to correlate roles. Don't ask for provisioning since that
    can result in provisioning policies that need to be presented and it's
    too late for that. This is only to get role detection and exception
    entitlements in the cube.
  </Description>
  <Arg name='identityName' value='ref:identityName'/>
  <Arg name="processTriggers" value="false"/>
  <Transition to="SomeOtherStep"/>
</Step>
Make sure you have added the variable below to your workflow:
<Variable name='doRefresh' editable='true'>
  <Description>
    Set to true to cause an identity refresh after the changes in the plan
    have been provisioned. This is normally off, you might want this on
    if you want modification of identity or link attributes to result in
    an immediate re-evaluation of assigned and detected roles.
  </Description>
</Variable>
So, what I ended up doing was in the Workflow, build a provisioning plan to set the employment status to ‘terminated’, and inactive to ‘true’, then pass that plan to LCM Provisioning. This seems to have the desired results.
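The approach described in the post above, written out as an added example (not code from the original thread): a script step builds a ProvisioningPlan against the IdentityIQ application that sets employmentStatus and inactive, stores it in a workflow variable named plan, and the next step hands it to the LCM Provisioning subprocess. The step names, the plan variable and the Stop transition are assumptions; the plan goes through the provisioning engine, so the attribute change is recorded against the identity rather than written directly with setAttribute.

```xml
<Variable name="plan"/>
<Step icon="Default" name="Build Offboard Plan" resultVariable="plan">
  <Arg name="identityName" value="ref:identityName"/>
  <Description>Builds a plan that terminates and inactivates the identity via the provisioning engine.</Description>
  <Script>
    <Source>
      import sailpoint.object.Identity;
      import sailpoint.object.ProvisioningPlan;
      import sailpoint.object.ProvisioningPlan.AccountRequest;
      import sailpoint.object.ProvisioningPlan.AttributeRequest;

      // context and identityName are supplied by the workflow engine (assumed workflow variable).
      Identity identity = context.getObjectByName(Identity.class, identityName);
      if (identity == null) {
        return null;   // nothing to provision; the next step is skipped by the null plan
      }

      ProvisioningPlan plan = new ProvisioningPlan();
      plan.setIdentity(identity);

      // Target the IdentityIQ application itself so identity attributes change
      // through provisioning, which also leaves an audit trail on the cube.
      AccountRequest acct = new AccountRequest();
      acct.setApplication(ProvisioningPlan.APP_IIQ);
      acct.setOperation(AccountRequest.Operation.Modify);
      acct.setNativeIdentity(identity.getName());
      acct.add(new AttributeRequest("employmentStatus", ProvisioningPlan.Operation.Set, "Terminated"));
      acct.add(new AttributeRequest("inactive", ProvisioningPlan.Operation.Set, Boolean.TRUE));
      plan.add(acct);
      return plan;
    </Source>
  </Script>
  <Transition to="Provision Offboard" when="ref:plan"/>
  <Transition to="Stop"/>
</Step>
<Step name="Provision Offboard">
  <Arg name="identityName" value="ref:identityName"/>
  <Arg name="plan" value="ref:plan"/>
  <WorkflowRef>
    <Reference class="sailpoint.object.Workflow" name="LCM Provisioning"/>
  </WorkflowRef>
  <Transition to="Stop"/>
</Step>
```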