Workflow - Cancel Pending Access Requests of a User

Hi All,

Is it possible to cancel all pending access requests of the user via a workflow?

Use case:

  • When the user lifecycle state is changed to inactive (e.g. leaver)
  • Workflow makes HTTP request to IDN to retrieve all pending access requests of the triggered identity
  • Using a loop, another HTTP request to IDN to cancel their pending requests

First, using this API call to find the access request status of the triggered identity (list-access-request-status | SailPoint Developer Community), but I am not sure what the possible values for RequestedItemStatusRequestState would be.

Then another API call to cancel the access requests (cancel-access-request | SailPoint Developer Community) or close the access requests (close-access-request | SailPoint Developer Community) of the triggered identity.

Can you please help me with the steps and details needed for each HTTP Request action?

Thanks

You can use the Pending Access Requests beta API with the filter requestedFor.id eq ID_FROM_TRIGGER and iterate through the array using a loop, where you can send an HTTP request to cancel the access request.

1 Like

Hi Noor!

I would set up a workflow with, first, an HTTP call as input to a loop:

HTTP Request 1:

GET {{baseUrl}}/v3/access-request-approvals/pending?filters=requestedFor.id eq "{{$.trigger.identity.id}}"

This way you will get all pending approvals for the specific identity using the filter: requestedFor.id

This HTTP request becomes the INPUT for a LOOP.

Inside the Loop, configure a 2nd HTTP request:

HTTP Request 2:

POST {{baseUrl}}/v3/access-request-approvals/{{$.loop.loopInput.id}}/reject

Body:

{
  "comment": "Automatic rejection of pending requests for leaver identity"
}

This HTTP request will reject every pending access object in the list that you fetched before the Loop, for the specific identity.

Might be good to have some null checking before the very first HTTP request as well to avoid errors 🙂

I believe these 2 HTTP requests are all you need for the use-case. You can add some “Send Email” actions wherever you wish for better clarity.

Hope it helps!

2 Likes
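The two requests from the answer above, written out as a standalone Python script (an added example, not code from the thread or from SailPoint). The endpoints, filter and comment body are the ones in the post; the bearer token, the function names and the injectable `send` transport are assumptions for illustration.

```python
import json
import urllib.parse
import urllib.request

# Comment body taken from the post above.
COMMENT = "Automatic rejection of pending requests for leaver identity"

def pending_url(base_url, identity_id):
    # Percent-encode the filter so the spaces and quotes survive as one query value.
    flt = f'requestedFor.id eq "{identity_id}"'
    query = urllib.parse.urlencode({"filters": flt}, quote_via=urllib.parse.quote)
    return f"{base_url}/v3/access-request-approvals/pending?{query}"

def reject_url(base_url, approval_id):
    safe_id = urllib.parse.quote(approval_id, safe="")
    return f"{base_url}/v3/access-request-approvals/{safe_id}/reject"

def http_send(method, url, token, body=None):
    """Default transport (assumed bearer-token auth); returns parsed JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def reject_pending_for_leaver(base_url, identity_id, token, send=http_send):
    """Reject every pending approval for one identity; return an audit summary."""
    # The "null check" before the first request: no id, or one that would break the filter.
    if not identity_id or '"' in identity_id:
        raise ValueError("missing or malformed identity id")
    approvals = send("GET", pending_url(base_url, identity_id), token) or []
    rejected, failed = [], []
    for item in approvals:
        approval_id = item.get("id")
        if not approval_id:
            continue  # skip entries without an id instead of posting to a bad URL
        try:
            send("POST", reject_url(base_url, approval_id), token, {"comment": COMMENT})
            rejected.append(approval_id)
        except Exception as exc:
            # One failed rejection must not leave the remaining requests pending.
            failed.append((approval_id, str(exc)))
    return {"rejected": rejected, "failed": failed}
```

The returned summary lists which approval ids were rejected and which failed, so a leaver's offboarding record can show that no request was left pending.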

@Swegmann and @iamology

Thanks for your help with this. Appreciated!

I’ve successfully tested this workflow in sandbox.

@Swegmann I had to use a loop and the workflow runs successfully regardless of whether the HTTP request has got a null value.

2 Likes

Hi @nhassan ,
Could you please provide the steps of the workflow?

Hi @polaraojalligampala

Screenshot of the steps and JSON script of the workflow are attached.

You can use this template and change these details accordingly (i.e. tenant name, client ID and client secret) in your HTTP Request action.


RejectLeaversPendingAccessRequests20240424.json (3.0 KB)