Workflow - Add User to Required Azure AD Group

Hi All,

I need to create a workflow to add a user to the required Azure AD group (depending on which access profile is provisioned) once their access request is approved.

E.g. I have the below 5 requestable access profiles from different sources:

1: Access_Profile_1 from a non direct source
2: Access_Profile_2 from a non direct source
3: Access_Profile_3 from a direct source
4: Access_Profile_4 from a non direct source
5: Access_Profile_5 from a direct source

When a user's request is approved for one of the above 5 access profiles, then the workflow should add this user to the respective Azure AD group below. These groups are listed as entitlements in the Azure AD source, but they are not the entitlements attached to the above access profiles.

Azure AD groups:

For Access_Profile_1: User should be added to this group (Test Azure AD Group1)
For Access_Profile_2: User should be added to this group (Test Azure AD Group2)
For Access_Profile_3: User should be added to this group (Test Azure AD Group3)
For Access_Profile_4: User should be added to this group (Test Azure AD Group4)
For Access_Profile_5: User should be added to this group (Test Azure AD Group5)

Can you please advise the steps on how to achieve this?

Thanks

Hi @nhassan,

The Trigger you will be using is “Access Request Decision”, and then have an operator compare string that will compare if the Access Profile name ($.trigger.requestedItemsStatus[*].name) is Access_Profile_1; if true, you will use create-access-request | SailPoint Developer Community to add the groups you mentioned to the user.

If compare string gives you false, then you will compare if the name of the Access Profile is Access_Profile_2; if that gives you true, you will again use create-access-request | SailPoint Developer Community and add Test Azure AD Group2.

Similarly compare for all the Access Profile names with $.trigger.requestedItemsStatus[*].name and do the create-access-request | SailPoint Developer Community API call.

Your workflow will look something like this:


@atarodia

Thanks for the update.

1: For HTTP Request, i.e. add a user to a specific group (entitlement), what would be the following details?

Request URL: https://tenant.api.identitynow.com/beta/entitlements
Query Parameters: ?
Method: POST
Request Content Type: JSON
Request Body: ?

Can I achieve this (add user to a group) by using the ‘Manage Access’ action where ‘Access to Manage’ would be id of the group (entitlement)?

2: Please let me know if the following filter doesn’t seem right for the trigger (Access Request Decision).

$.requestedItemsStatus[?(@.id == "Access Profile1-id" || @.id == "Access Profile2-id" || @.id == "Access Profile3-id" || @.id == "Access Profile4-id" || @.id == "Access Profile5-id")].approvalInfo[?(@.approvalDecision == "APPROVED")]

Thanks

Hello @nhassan,

1. For HTTP Request:
Request URL: https://sailpoint.api.identitynow.com/v3/access-requests
Method: POST
Request Content Type: JSON
Body:
{
  "requestedFor": [
    "<identityid>"
  ],
  "requestType": "GRANT_ACCESS",
  "requestedItems": [
    {
      "type": "ENTITLEMENT",
      "id": "<EntitlementID>",
      "comment": "Requesting entitlement through workflow"
    }
  ]
}

Yes, you can also use the Manage Access action.

Your Manage Access action will look like:

{
  "addIdentities": "[f1exxxxxdeb8c988fa63b85c892]",
  "comments": "Test",
  "removeDuration": null,
  "removeIdentity": null,
  "requestType": "GRANT_ACCESS",
  "requestedItems": [
    {
      "id": "005588b23xxxx2041d48b55caad2",
      "name": "Azure Managed HSM RP",
      "type": "ENTITLEMENT"
    },
    {
      "id": "006973d33xxxx19eb20f0f995cd5",
      "name": "Azure Advanced Threat Protection",
      "type": "ENTITLEMENT"
    },
    {
      "id": "007dd08abxxxx8d1838f8d13af",
      "name": "Cloud Access Management kynzd",
      "type": "ENTITLEMENT"
    }
  ]
}
2. You may have to have your trigger configured like this:
$.requestedItemsStatus[?((@.id == "AP1-id" || @.id == "AP2-id") && @.approvalInfo[0].approvalDecision == "APPROVED")]
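
As an added example (not code from this thread or from SailPoint), here is the decision logic the replies describe, in Python: take the Access Request Decision payload, keep only the requested items that were approved, map each of the five access-profile IDs to its Azure AD group entitlement, and build the body for the create-access-request call. The profile and entitlement IDs are constructed placeholders, and the payload shape (requestedFor, requestedItemsStatus, approvalInfo) is assumed from the fields used in the thread.

```python
# Constructed placeholder IDs; real values come from the tenant's access
# profiles and the Azure AD source's group entitlements (hypothetical).
PROFILE_TO_GROUP = {
    "ap1-id": {"id": "grp1-ent-id", "name": "Test Azure AD Group1"},
    "ap2-id": {"id": "grp2-ent-id", "name": "Test Azure AD Group2"},
    "ap3-id": {"id": "grp3-ent-id", "name": "Test Azure AD Group3"},
    "ap4-id": {"id": "grp4-ent-id", "name": "Test Azure AD Group4"},
    "ap5-id": {"id": "grp5-ent-id", "name": "Test Azure AD Group5"},
}


def approved_profile_ids(trigger):
    """IDs of requested items every approver marked APPROVED (stricter than
    checking approvalInfo[0] only, which ignores later-level rejections)."""
    ids = []
    for item in trigger.get("requestedItemsStatus", []):
        approvals = item.get("approvalInfo") or []
        if approvals and all(a.get("approvalDecision") == "APPROVED"
                             for a in approvals):
            ids.append(item["id"])
    return ids


def build_access_request(trigger):
    """Body for POST /v3/access-requests granting the mapped Azure AD group(s),
    or None when no approved item maps to a group (skip the HTTP step)."""
    items = [
        {"type": "ENTITLEMENT", "id": PROFILE_TO_GROUP[pid]["id"],
         "comment": f"Added by workflow after approval of {pid}"}
        for pid in approved_profile_ids(trigger) if pid in PROFILE_TO_GROUP
    ]
    if not items:
        return None
    return {"requestedFor": [trigger["requestedFor"]["id"]],
            "requestType": "GRANT_ACCESS", "requestedItems": items}


# Constructed sample of an Access Request Decision payload; only the fields
# used above are included, and their shape is assumed from the thread.
SAMPLE_TRIGGER = {
    "requestedFor": {"type": "IDENTITY", "id": "identity-1", "name": "Jane Doe"},
    "requestedItemsStatus": [
        {"id": "ap2-id", "name": "Access_Profile_2", "type": "ACCESS_PROFILE",
         "approvalInfo": [{"approvalDecision": "APPROVED"}]},
        {"id": "ap3-id", "name": "Access_Profile_3", "type": "ACCESS_PROFILE",
         "approvalInfo": [{"approvalDecision": "APPROVED"},
                          {"approvalDecision": "REJECTED"}]},
        {"id": "other-ap-id", "name": "Unrelated_Profile", "type": "ACCESS_PROFILE",
         "approvalInfo": [{"approvalDecision": "APPROVED"}]},
    ],
}
```

With the sample payload only Access_Profile_2 qualifies: Access_Profile_3 was rejected at the second approval level, and the unrelated profile has no group mapping, so the request body contains a single entitlement.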

Hi @atarodia

Thanks very much for your help with this :+1:

I will test the workflow in sandbox and will update you about the outcome or if I have any more questions.


No problem,

Don’t forget to mark my reply as solution if it works for you.

No worries, I will definitely do as you said. Thanks
