Workflow Assistance - Sending emails after access is granted

What I am trying to accomplish is for a workflow to send a notification to someone when access has been granted to certain roles, access profiles, or entitlements.
I have created metadata tags that indicate who should be notified. I have chosen the “Provisioning Completed” trigger to kick off the workflow. The event body contains the roles and entitlements that were added or removed. I created a role with one access profile and two entitlements.
The workflow will have several loops, the first one is for handling entitlements that were added, and uses this expression as the loop input:
$.trigger.accountRequests[*].attributeRequests[?(@.operation == "Add" && @.attributeName == "memberOf")].attributeValue

In my sample role, the two entitlements get evaluated as:
"loopInput": "[CN=G_Test,OU=Groups,OU=Rose Hills,OU=Accounts,DC=corp,DC=test, CN=GPAP-XA-LIGHTHOUSE-SRS,OU=Groups,DC=corp,DC=test]"

However, this is not an array. My loop executes 1 time instead of two. Is there a way to split the input into the two elements?

Hi @BCyr,

Please note that within the “Provisioning Completed” trigger, you do not have direct access to roles or access profiles that have been granted. Instead, you can only access the provisioning plan, which contains information about sources, entitlements to add or remove in target systems, and other attribute modifications or enable/disable operations.

Therefore, with this solution, you can send an email based on entitlement assignments.

Also, in your workflow, you need to pass the following input:

$.trigger.accountRequests[*].attributeRequests[?(@.attributeName == "memberOf" && @.operation == "Add")]

or

$.trigger.accountRequests[*].attributeRequests[?(@.attributeName == "memberOf")]

Here, “memberOf” is specific to Active Directory. The first JSONPath filter will retrieve all “Add” operations on “memberOf” (i.e., adding an AD group). The second filter will retrieve all provisioning operations on “memberOf” (i.e., adding or removing an AD group to an account).

Below is an example of the “Provisioning Completed” trigger input (example from SailPoint documentation):

{
  "trackingNumber": "4b4d982dddff4267ab12f0f1e72b5a6d",
  "action": "IdentityRefresh",
  "requester": {
    "id": "2c91808b6ef1d43e016efba0ce470906",
    "name": "Adam Admin",
    "type": "IDENTITY"
  },
  "recipient": {
    "id": "2c91808b6ef1d43e016efba0ce470909",
    "name": "Ed Engineer",
    "type": "IDENTITY"
  },
  "errors": [
    "General Error",
    "Connector AD Failed"
  ],
  "warnings": [
    "Notification Skipped due to invalid email"
  ],
  "sources": "Corp AD, Corp LDAP, Corp Salesforce",
  "accountRequests": [
    {
      "source": {
        "id": "4e4d982dddff4267ab12f0f1e72b5a6d",
        "name": "Corporate Active Directory",
        "type": "SOURCE"
      },
      "accountId": "CN=example,ou=sample,ou=test,dc=ex,dc=com",
      "accountOperation": "Modify",
      "provisioningResult": "committed",
      "provisioningTarget": "Corp AD",
      "ticketId": "72619262",
      "attributeRequests": [
        {
          "operation": "Add",
          "attributeName": "memberOf",
          "attributeValue": "CN=admin,DC=training,DC=com"
        }
      ]
    }
  ]
}

You must pay attention to the provisioningResult for each accountRequests entry, which indicates whether the user was successfully added to a group or not.

Additionally, for your use case, you should investigate whether using Out-of-the-Box Email notifications can help you.

Hi Chaithanya,
Where in the workflow we can write the code ? Could you please help ? ?

Thanks
Rakesh Bhati

1. The workflow is triggered by a post-provisioning event.
2. It starts with a “Process Provisioning” step that iterates through account requests, specifically looking for “Add” operations on the “memberOf” attribute.
3. For each iteration: a. It retrieves access details using the “Get Access Details” action. b. It then checks the metadata tags associated with the access item. c. If the first tag equals “notify”, it proceeds to send a notification. d. The notification is sent via email, with the recipient’s email address taken from the second tag. e. The email contains information about the granted access.
4. If the “notify” tag is not present, or after sending the notification, the loop continues to the next item.
5. The workflow ends successfully after processing all items.

I understand what you are saying, and my workflow already gets this far, but in your example, access was granted to a single AD group. My issue is that when there is more than one AD group assigned to the role, the value in

“attributeValue”: “CN=admin,DC=training,DC=com”

is a comma separated list of DNs. That value is a string, not an array, so how can I take that string and “loop through” it?
In my case, that attribute looks like this:

“attributeValue”: “[CN=G_Test,OU=Groups,OU=Rose Hills,OU=Accounts,DC=corp,DC=test, CN=GPAP-XA-LIGHTHOUSE-SRS,OU=Groups,DC=corp,DC=test]”

Hi @BCyr

Thank you for the questions.
May be I overlooked something but if you are able to get the roles, then perhaps instead of iterating through the event input, you can call below API via role

This shall give you an array of entitlements (same can be done for APs too ) which makes it easier to iterate though.

I hope this helps.

Regards
Vikas.

@BCyr understood now the issue.

Do you want to sent an email per entitlement ? you can use comparison operators.

I am intrigued. Can you elaborate?

Agreed, but it cannot confirm for me if adding the user to the entitlement was successful. I mean, the odds of adding a user to one AD group and not another would be pretty slim, so I could …dare I say it?.. “assume” that it all worked.

Hi @BCyr

Yeah you are right. But i believe if you gather the provisioning status from the trigger, then it should be fine i believe and if one entitlement was added successfully and other was not (lets assume) then during next aggregation ISC should automatically push it back to AD so should work.

But i am just trying to solve your problem as it got me thinking there has to be something we can try

So i am thinking about below approach

1. We have below input , i have removed the square brackets for which we can use substring method i think in workflow.

CN=G_Test,OU=Groups,OU=Rose Hills,OU=Accounts,DC=corp,DC=test, CN=GPAP-XA-LIGHTHOUSE-SRS,OU=Groups,DC=corp,DC=test

2. So the problem here is the loop operator is not working. For which i think we can try to make use of recursive workflow.
   The idea is from first workflow you pass the entire input and a trigger like this

{

"input":"[CN=G_Test,OU=Groups,OU=Rose Hills,OU=Accounts,DC=corp,DC=test, CN=GPAP-XA-LIGHTHOUSE-SRS,OU=Groups,DC=corp,DC=test]", 

"currentProcessedString":"[CN=G_Test,OU=Groups,OU=Rose Hills,OU=Accounts,DC=corp,DC=test, CN=GPAP-XA-LIGHTHOUSE-SRS,OU=Groups,DC=corp,DC=test]" //for first we pass the same value

}

3. The child workflow (recursive one) should then process this trigger value as below

4. Create a variable commaIndex that holds the value of first occurrance of comma in currentProcessedString input variable.

5. create another variable that uses the substring method on the variable currentProcessedString . Here you can pass the length as (0,commaIndex) which will give you first value.

6. now, we need the next array element so then you can use another substring method with parameters like (commaIndex+1, length), this will give you entire remaining string.

7. Again call this same workflow with below input ;

{

"input":"[CN=G_Test,OU=Groups,OU=Rose Hills,OU=Accounts,DC=corp,DC=test, CN=GPAP-XA-LIGHTHOUSE-SRS,OU=Groups,DC=corp,DC=test]", 

"currentProcessedString": "parameter evaluated in step 4"

}

9. I believe then you can terminate this recursive workflow when there is no comma available in currentProcessedString variable or when it is empty. That will be our base condition.

This is something you can try in my opinion but i am not aware what you are trying to achieve but it will definitely allow you to loop through the elements which are comma separated.

I hope this helps.

Regards
Vikas.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.