Workflow - Auto Deny/Reject Access Request based on a Condition

I have a use case for a workflow that auto cancels/rejects an access request submitted for some specific access profiles if it doesn’t have an expiry date.

When an access request (Grant) is submitted in the GUI for some specific access profiles, the workflow should perform the following actions to auto reject / deny the access request before it goes to the approval stage, and email the requester saying the access request doesn’t have an expiry date, so please re-request this access with an expiry date.

1: Trigger (Access Request Decision) - Would this trigger work, as I think the JSON payload needs approvalInfo (APPROVED or DENIED) in the filter? Would these filters work before going to the approval stage?

$.requestedItemsStatus[?(@.name == "Access Profile1" || @.name == "Access Profile2")] OR
$.requestedItemsStatus[?(@.name =~ /AWS_Test.*/i || @.name =~ /AWS.*.Nonprod.*.Test.*/i)]

Note: I can’t see any trigger other than ‘Access Request Decision’ that catches a grant access request on the fly as soon as it’s submitted in the GUI so we can then perform the desired actions. If I use ‘Scheduled Trigger’ and set it to run every hour, there is a chance that the request might get approved before the next workflow run. It would be nice to implement the ‘Access Request Submitted’ trigger as mentioned in this SailPoint Idea, as this would help resolve lots of our queries/issues.

2: Action (HTTP GET Request) - API call to the v3/access-request-status endpoint OR v3/access-request-approvals/pending to get the removeDate, i.e. the expiry date value. Using the v3/access-request-status endpoint, the accountActivityItemId doesn’t return the JSON of the access request to check for the removeDate value. What filter can be used here?

3: Operator (Verify Data Type) - Checks the removeDate ($.hTTPRequest.body.removeDate); if it exists, ends the workflow (go to step 6), but if the value is null, go to step 4.

4: Action (Deny Access Request) - Gets the triggered accessRequestId ($.trigger.accessRequestId) and denies it with comments.

5: Action (Send Email) - Sends an email to the requester ($.trigger.requestedBy.id) saying "this request has been denied, please re-request this with an expiry date."

6: End Step - Success

Any thoughts on this would be appreciated.

Thanks

Hi @nhassan,

The access request decision trigger kicks in only after the request is approved/rejected. So your use case may not work.

The Access Request Submitted trigger is available in the event triggers though.


Hi @nhassan - You should be able to use the “Access Request Submitted” event trigger to initiate a workflow. This workflow will further check the conditions and approve/reject based on this documentation: “Responding to Response Required Triggers | SailPoint Developer Community”.

Here’s the high level flow -

Subscribe “Access Request Submitted” Event Trigger > Initiate Workflow > Validate expiration date > Approve/reject as interim approval step.

If the request is rejected via API, it will not go to further approvals.

We have achieved a similar use case with this approach.
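The interim-approval check described in the reply above, as an added example (not code from the post or from SailPoint): a Python handler that takes an Access Request Submitted event and returns the approved/comment/approver response body the response-required trigger docs describe. The gated profile names and regexes are the ones from the original question; the payload path accessRequest.requestedItems[].{name,operation,removeDate}, the approver label and the sample events are assumptions, so verify the field names against your tenant's payload.

```python
import re
from datetime import datetime, timezone

# Gated access profiles: the exact names and the two regexes quoted in the
# original question. Anything else passes straight through to normal approval.
EXACT_NAMES = {"Access Profile1", "Access Profile2"}
NAME_PATTERNS = [re.compile(r"AWS_Test.*", re.I),
                 re.compile(r"AWS.*.Nonprod.*.Test.*", re.I)]
DENY_COMMENT = ("This request has been denied because it has no expiry date. "
                "Please re-request this access with an expiry date.")

def is_gated_profile(name: str) -> bool:
    """True if this access profile must carry an expiry (remove) date."""
    return name in EXACT_NAMES or any(p.search(name) for p in NAME_PATTERNS)

def has_future_remove_date(item: dict) -> bool:
    """True only if removeDate is present, ISO-8601, and still in the future."""
    raw = item.get("removeDate")
    if not raw:
        return False
    try:
        when = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    except ValueError:
        return False
    if when.tzinfo is None:  # treat naive timestamps as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc)

def decide_access_request(event: dict, approver: str = "expiry-policy-check") -> dict:
    """Build the interim approval response (approved/comment/approver) for one event.
    ASSUMPTION: items live at accessRequest.requestedItems[].{name,operation,removeDate}."""
    items = event.get("accessRequest", {}).get("requestedItems", [])
    missing = [i.get("name", "") for i in items
               if i.get("operation", "Add") == "Add"
               and is_gated_profile(i.get("name", ""))
               and not has_future_remove_date(i)]
    if missing:  # deny here so the request never reaches the normal approvers
        return {"approved": False, "approver": approver,
                "comment": f"{DENY_COMMENT} Items: {', '.join(missing)}"}
    return {"approved": True, "approver": approver,
            "comment": "Expiry-date policy satisfied; continue normal approvals."}

# Constructed sample events (not real tenant data).
SAMPLE_DENY = {"accessRequest": {"requestedBy": {"id": "req-001"}, "requestedItems": [
    {"name": "AWS_Test_Admin", "operation": "Add", "removeDate": None},
    {"name": "GitHub Readers", "operation": "Add"}]}}
SAMPLE_OK = {"accessRequest": {"requestedBy": {"id": "req-002"}, "requestedItems": [
    {"name": "aws-nonprod-test-ro", "operation": "Add", "removeDate": "2099-01-01T00:00:00Z"}]}}
```

Only items that are gated and lack a usable expiry cause a denial; a request that mixes gated and non-gated items is denied with the offending names in the comment so the requester knows what to re-request.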

@smukhija Thanks for your update.

We have already subscribed to the ‘Access Request Submitted’ event trigger, and it has already been configured/set up for auto-approval for a custom application.

It seems this event trigger can only have one subscriber per event. Please correct me if I am wrong.

There is a need for a new (Fire and Forget) trigger so we can use it in the Workflow GUI to perform different actions.

Thanks

Hi @nhassan ,

As per the documentation, fire and forget triggers can have 50 subscribers, and response-based triggers can have only 1 subscriber.
Check out the link for info: Trigger Types | SailPoint Developer Community
