Workflow – Conditional Access Profile Assignment Across Sources

Hi Experts,

I’m looking for validation and optimization suggestions for a workflow design in SailPoint Identity Security Cloud (ISC).

Scenario

I have an application/source ABC, configured using a Delimited File Connector, which contains multiple access profiles:

  • AP1, AP2, … AP10

I am designing a workflow for the ABC source with the requirement to automatically assign an additional access profile (AP11) — which belongs to a different source (OKTA) — when a user requests specific access profiles from ABC.

Trigger Condition

The workflow should assign AP11 (AD access profile) only when the user requests any of the following ABC access profiles:

  • AP1

  • AP5

  • AP10

If the user requests all three of those listed access profiles, the access should be assigned once any one of the access profiles is found. It doesn’t need to check for the others.

Assignment Conditions

The assignment of AP11 should occur only after:

  1. The access request approval is completed successfully.

  2. The associated Service Desk request (if applicable) is not rejected.

To ensure these conditions are met, I’m considering using the Provisioning Completed trigger.

Additional Constraints

The workflow should also satisfy the following:

  • Trigger scope

    • The workflow should execute only when ABC is part of the provisioning task, and not for unrelated applications/sources.

  • Idempotency / Duplicate prevention

    • The workflow should not run or re-assign AP11 if:

      • The user already has AP11.

      • The user explicitly requested AP11 as part of the same access request.

I need your opinions to build this workflow. Thanks in Advance!


I’m currently stuck on identifying whether specific access profiles are part of a provisioning event.

I need to detect whether access profiles AP1, AP5, or AP10 from source ABC are included in the provisioning task.
For this, I’m planning to use the Verify Data Type operator with the Exists condition on the trigger payload.

I’m considering the following JSONPath expression:

$.trigger.accountRequests[?(@.source.name == "ABC" && @.attributeRequests[?(@.operation == "Add" && (@.attributeValue == "AP1" || @.attributeValue == "AP5" || @.attributeValue == "AP10"))])]

My questions are:

  • Will this expression correctly evaluate to true when any of the above access profiles are requested for source ABC?

  • Is this the recommended approach for identifying access profiles within a provisioning event using Verify Data Type → Exists?

Thanks!

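An added example, not code from this thread or from SailPoint, that mirrors the detection logic in this post and the duplicate-prevention constraints from the original post: it assumes the Provisioning Completed payload keeps the accountRequests / source.name / attributeRequests / operation / attributeValue shape used in the JSONPath above, and, like that expression, that attributeValue carries the access profile name. The sample payload is constructed, and current_access is a hypothetical input the workflow would have to fetch separately, since the trigger payload alone cannot say what the identity already holds.

```python
# Added example (not from the thread or from ISC): detection plus duplicate
# guards for the Provisioning Completed trigger; field names are assumed.
WATCHED_SOURCE = "ABC"
WATCHED_PROFILES = {"AP1", "AP5", "AP10"}
TARGET_SOURCE = "OKTA"
TARGET_PROFILE = "AP11"

# Constructed sample shaped like $.trigger of a Provisioning Completed event.
SAMPLE_TRIGGER = {
    "accountRequests": [
        {
            "source": {"name": "ABC", "type": "Delimited File"},
            "attributeRequests": [
                {"attributeName": "groups", "attributeValue": "AP2", "operation": "Add"},
                {"attributeName": "groups", "attributeValue": "AP5", "operation": "Add"},
            ],
        },
        {   # unrelated source: an "AP1" value here must not count
            "source": {"name": "Other", "type": "Active Directory - Direct"},
            "attributeRequests": [
                {"attributeName": "memberOf", "attributeValue": "AP1", "operation": "Add"},
            ],
        },
    ],
}

def added_values(req):
    """Attribute values added (operation == Add) in one account request."""
    return {a["attributeValue"] for a in req.get("attributeRequests", [])
            if a.get("operation") == "Add"}

def requests_on(trigger, source_name):
    """Account requests in the trigger that belong to the named source."""
    return [r for r in trigger.get("accountRequests", [])
            if r.get("source", {}).get("name") == source_name]

def abc_watched_profile_requested(trigger):
    """True as soon as any of AP1/AP5/AP10 is added on ABC; any() short-circuits."""
    return any(added_values(r) & WATCHED_PROFILES for r in requests_on(trigger, WATCHED_SOURCE))

def ap11_explicitly_requested(trigger):
    """Duplicate guard: AP11 was already part of this same request on OKTA."""
    return any(TARGET_PROFILE in added_values(r) for r in requests_on(trigger, TARGET_SOURCE))

def should_assign_ap11(trigger, current_access):
    """current_access: names the identity already holds (hypothetical input,
    obtained by a separate lookup; the trigger payload alone cannot tell you)."""
    if TARGET_PROFILE in set(current_access) or ap11_explicitly_requested(trigger):
        return False
    return abc_watched_profile_requested(trigger)
```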

Hi @GOKUL_ANANTH_M

Have you tried setting this up using a role? Since AP1, AP5, AP10, and AP11 all contain entitlements, you can create a role that includes AP11 as the access profile. Then configure assignment criteria for the role such that the role is assigned when a user has an entitlement from the ABC source equal to AP1, AP5, or AP10—along with any additional conditions needed for safety.

This way, once a user requests any of the ABC source access profiles (AP1/AP5/AP10) and the provisioning completes successfully after approvals, the role will automatically get assigned as its assignment criteria matches the user and will, in turn, grant AP11.

Hi @rpriya ,

I have thought of it, but the issue is that this should be fulfilled in the target and needs to wait for the aggregation, right?


@GOKUL_ANANTH_M - In connected sources, entitlement assignment gets immediately reflected in SailPoint and the target as soon as provisioning gets completed. There’s no need to wait for aggregation.

In my understanding of your post, I would use another dynamic role to assign AP11 to the identities, with an OR role criteria group checking that the AP1, AP5 and AP10 related entitlements exist on the account, and enable the access request approval flow in the role by adding the Service Desk, potentially a Governance Group.

  1. Condition 1 (Assign AP11 only when AP1, AP5 and AP10 exist): The dynamic role criteria will ensure the above entitlements are already assigned.
  2. Assignment Condition: It is handled via the Role’s access request approval flow.

Let me know if I missed anything here.

Thank you all!

It’s actually a delimited file connector, so we couldn’t create it via the role, as per the requirement. We shouldn’t wait for the aggregation to happen. Hence, we thought of using a workflow.

The flow has been completed using the Provisioning completed trigger. I have used the defineVariable operator, verifyDataType operator, and HTTP Request actions to complete the trigger.
