I have a use case for a workflow that auto-cancels/rejects an access request submitted for some specific access profiles if it doesn’t have an expiry date.
When an access request (Grant) is submitted in the GUI for some specific access profiles, the workflow should perform the following actions to auto reject/deny the access request before it goes to the approval stage, and email the requester saying the access request doesn’t have an expiry date, so please re-request this access with an expiry date.
1: Trigger (Access Request Decision) - Would this trigger work, as I think the JSON payload needs approvalInfo (APPROVED or DENIED) in the filter? Would these filters work before going to the approval stage?
$.requestedItemsStatus[?(@.name == "Access Profile1" || @.name == "Access Profile2")]
OR
$.requestedItemsStatus[?((@.name =~ /AWS_Test.*/i) || (@.name =~ /AWS.*.Nonprod.*.Test.*/i))]
Note: I can’t see any trigger other than ‘Access Request Decision’ that catches a grant access request on the fly as soon as it’s submitted in the GUI, so that we can then perform the desired actions. If I use ‘Scheduled Trigger’ and set it to run every hour, there is a chance that this request gets approved before the next workflow run. It would be nice to implement the ‘Access Request Submitted’ trigger as mentioned in this SailPoint Idea, as this would help resolve lots of our queries/issues.
2: Action (HTTP GET Request) - API call to the v3/access-request-status endpoint OR v3/access-request-approvals/pending to get the removeDate (i.e. expiry date) value. Using the v3/access-request-status endpoint, the accountActivityItemId doesn’t return the JSON of the access request to check for the removeDate value. What filter can be used here?
3: Operator (Verify Data Type) - Checks the removeDate ($.hTTPRequest.body.removeDate) and, if it exists, ends the workflow (go to step 6); if the value is null, go to step 4.
4: Action (Deny Access Request) - Gets the triggered accessRequestId ($.trigger.accessRequestId) and denies it with comments.
5: Action (Send Email) - Sends an email to the requester ($.trigger.requestedBy.id) saying "this request has been denied, please re-request this with an expiry date."
6: End Step - Success
Any thoughts on this would be appreciated.
Thanks
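To make the intended decision logic of steps 1, 3 and 4 concrete, here is an added Python model of it (not part of the post, and not SailPoint workflow code). It applies the two name filters from step 1 (the exact-name list and the case-insensitive regexes) to a constructed trigger payload, then checks each in-scope item for a usable removeDate the way step 3 does, and returns the deny/continue decision with the comment and requester id that steps 4 and 5 would consume. The only field names taken from the post are requestedItemsStatus, name, removeDate, accessRequestId and requestedBy.id; everything else in the sample payload (item type, operation, ids) is an assumption made up for the example, and the real trigger payload should be checked against SailPoint's documented schema.

```python
import re
from datetime import datetime

# Constructed sample trigger payload. Only requestedItemsStatus[*].name,
# removeDate, accessRequestId and requestedBy.id come from the post; the
# other keys and all values are invented for illustration.
SAMPLE_TRIGGER = {
    "accessRequestId": "constructed-request-id-0001",
    "requestedBy": {"id": "constructed-requester-id", "name": "jdoe"},
    "requestedItemsStatus": [
        {"name": "AWS_Test_Admin", "type": "ACCESS_PROFILE",
         "operation": "Add", "removeDate": None},              # in scope, no expiry
        {"name": "AWS Nonprod Test Reader", "type": "ACCESS_PROFILE",
         "operation": "Add", "removeDate": "2025-01-31T00:00:00Z"},  # in scope, has expiry
        {"name": "Finance Viewer", "type": "ACCESS_PROFILE",
         "operation": "Add", "removeDate": None},              # out of scope, ignored
    ],
}

# Step 1, first filter: exact access profile names.
EXACT_NAMES = {"Access Profile1", "Access Profile2"}

# Step 1, second filter: the post's case-insensitive regexes. re.match anchors
# at the start of the string, which with a trailing .* behaves like JSONPath =~.
NAME_PATTERNS = [
    re.compile(r"AWS_Test.*", re.IGNORECASE),
    re.compile(r"AWS.*Nonprod.*Test.*", re.IGNORECASE),
]


def is_in_scope(item):
    """True if the requested item's name hits either step 1 filter."""
    name = item.get("name", "")
    if name in EXACT_NAMES:
        return True
    return any(p.match(name) for p in NAME_PATTERNS)


def has_expiry(item):
    """Step 3 check: removeDate must be present, non-empty and an ISO-8601 timestamp.

    The post only tests for null; rejecting unparsable strings as well is an
    added safety check, so a malformed date cannot slip past the null test.
    """
    value = item.get("removeDate")
    if not isinstance(value, str) or not value.strip():
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def items_missing_expiry(trigger):
    """Names of in-scope requested items that have no usable removeDate."""
    return [
        item["name"]
        for item in trigger.get("requestedItemsStatus", [])
        if is_in_scope(item) and not has_expiry(item)
    ]


def decide(trigger):
    """Return the decision the workflow would take for this trigger payload.

    "DENY" carries the inputs steps 4 and 5 need (request id, requester id,
    denial comment); "CONTINUE" means step 6 (end, let approval proceed).
    """
    offending = items_missing_expiry(trigger)
    if not offending:
        return {"action": "CONTINUE", "accessRequestId": trigger.get("accessRequestId")}
    comment = ("Access request denied automatically: no expiry date was set for "
               + ", ".join(offending) + ". Please re-request with an expiry date.")
    return {
        "action": "DENY",
        "accessRequestId": trigger.get("accessRequestId"),
        "requesterId": trigger.get("requestedBy", {}).get("id"),
        "offending": offending,
        "comment": comment,
    }


if __name__ == "__main__":
    print(decide(SAMPLE_TRIGGER))
```

Running the block on the constructed payload yields a DENY for the request because "AWS_Test_Admin" is in scope and has a null removeDate, while "Finance Viewer" (also null) is ignored because it matches neither filter. Because the decision is per request, one in-scope item without an expiry is enough to deny the whole request, which mirrors the post's step 4 acting on $.trigger.accessRequestId rather than on individual items.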