Workflow - Checks whether leaver exists in any Governance Groups

Hi All,

I have a use case where we need to find out whether a leaver is a member of any governance groups. Is this something achievable via a workflow? I was thinking of making an API call in the workflow to the governance/workgroups endpoint to check if the leaver exists in any governance groups.

I think via the API, we can get the governance group id/name/description/owner/memberCount or list a specific group's members. I am wondering whether I can use the search endpoint to check whether the triggered identity (leaver) exists in any governance group.

If it’s possible via a workflow, can you please advise on the steps on how to achieve this?

Many thanks!

1 Like

Hi @nhassan,

Yes, you can achieve this with a workflow.

The only problem that I see is the loop limitation (100 iterations) and that the governance group list members API can only return a maximum of 50 members per call.

1 Like

Hi @baoussounda

Sorry for the late reply and thanks for your help.

I’ve not yet tried your suggested steps but will try this soon. We have more than 400 governance groups and I might use a recursive workflow to achieve this. The group list members API shouldn’t be a problem as each group has only a few members.

I’ll update you as soon as I test this.

Thanks

Hi @nhassan, you can control the governance group members with the following solution:

  • Configure a SaaS connector to loop back the ISC permissions and reflect the users who are members of a governance group. You can find the connector code in this blog, IdentityNow Management Connector; make sure that you get the latest version from the GitHub repo.

  • You can tune the attached workflow, which will be triggered when there is a leaver. It will search whether the leaver has any governance group assigned to his loopback account as an entitlement with the access attribute “workgroups”, then it will loop, removing the governance group memberships.


    LeaversinGovernanceGroups220240205 (1).json (2.6 KB)

Hope that helps. Let me know if you have any questions.
Thanks!

2 Likes


There is a new filter parameter on the list governance groups API that will list all governance groups an identity is a part of. This is a much simpler solution to this problem than using a loopback connector. We are in the process of documenting the filter param, but you can use it like so:

GET /beta/workgroups?filters=memberships.identityId eq "2c9180867624cbd7017642d8c8c81f67"

This will return a list of all governance groups the identity is a member of.

4 Likes
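The filtered call from the last reply, written out as an added example that is not part of the original thread or SailPoint's own code. It assumes identity IDs are 32 hex characters like the one quoted above, that the endpoint accepts the usual `limit`/`offset` paging parameters with a page size of 50, and uses `tenant.example` and constructed sample groups in place of a real tenant.

```python
import json
import re
import urllib.parse
import urllib.request

# Assumption: identity IDs are 32 hex characters, like the one quoted in the thread.
ID_RE = re.compile(r"[0-9a-f]{32}")

def workgroups_url(base_url, identity_id, limit=50, offset=0):
    """Build the filtered list-governance-groups URL for one identity."""
    if not ID_RE.fullmatch(identity_id):
        # Refuse anything that could break out of the quoted filter value.
        raise ValueError("unexpected identity id format")
    query = urllib.parse.urlencode(
        {"filters": f'memberships.identityId eq "{identity_id}"',
         "limit": limit, "offset": offset},
        quote_via=urllib.parse.quote)
    return f"{base_url.rstrip('/')}/beta/workgroups?{query}"

def http_get_json(url, token):
    """Live fetcher: GET with a bearer token (token acquisition not shown)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def groups_for_identity(base_url, identity_id, fetch, page_size=50):
    """Return every governance group the identity is in, paging until a short page."""
    groups, offset = [], 0
    while True:
        page = fetch(workgroups_url(base_url, identity_id, page_size, offset))
        groups.extend(page)
        if len(page) < page_size:
            return groups
        offset += page_size

# Constructed sample data standing in for a tenant's response (not real groups).
SAMPLE = [{"id": f"group-{n:03d}", "name": f"Governance Group {n}"} for n in range(53)]

def fake_fetch(url):
    """Offline stand-in for http_get_json that honours limit/offset."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    start, size = int(q["offset"][0]), int(q["limit"][0])
    return SAMPLE[start:start + size]

if __name__ == "__main__":
    leaver = "2c9180867624cbd7017642d8c8c81f67"  # ID quoted in the thread
    found = groups_for_identity("https://tenant.example", leaver, fake_fetch)
    print(len(found), "governance groups still list the leaver")
```

Against a real tenant, pass `lambda url: http_get_json(url, token)` as `fetch`; an empty result means the leaver has no remaining governance group memberships.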