Workflow - Create Search Campaign for more than one Access Profiles

Good day,

This topic covers how to create a search campaign only for one access profile.

But I want to create a search campaign for more than one access profile.

As shown in the attached screenshot, I created a workflow using the steps below but without any luck as it throws an error message.

1: When Identity attributes changed
2: HTTP Request - makes API call to search endpoint to return ids/names of the access profiles of an identity
3: HTTP Request 1 - makes API call to create a search campaign based on the above input
4: End workflow

The first HTTP request body has the JSON below to return their access profiles. It works fine.

{
    "indices": [
        "identities"
    ],
    "query": {
        "query": "id:IdoftheIdentity",
        "innerHit": {
            "query": "type:ACCESS_PROFILE AND requestable:false",
            "type": "access"
        }
    },
    "includeNested": true,
    "queryResultFilter": {
        "includes": [
            "id",
            "displayName"
        ]
    }
}

The second HTTP request body has the JSON below to create a search campaign:

{
    "name":"TEST Campaign",
    "description": "Search Campaign",
    "type": "SEARCH",
    "searchCampaignInfo": {
        "type": "ACCESS",
        "reviewer": {
            "id": "IdoftheReviewer",
            "type": "IDENTITY"
        },
        "query": "id:{{$.hTTPRequest.body[*].id}}",
        "identityIds": [
            "IdoftheIdentitytoCertify"
        ]
    }
}

If I use the query object as "query": "id:{{$.hTTPRequest.body[0].id}}" then it creates a campaign only for the first access profile and ignores the rest.

Can you please advise how I should amend the above JSON to create a search campaign for more than one access profile?

Thanks

I managed to get this working by using one HTTP request action in the workflow that includes everything (getting the access profiles of the user and then creating a search campaign based on this specific access). Below is the JSON for this:

{
    "name": "TEST Campaign",
    "description": "Search Campaign",
    "type": "SEARCH",
    "emailNotificationEnabled": true,
    "searchCampaignInfo": {
        "type": "ACCESS",
        "reviewer": {
            "id": "IdoftheReviewer",
            "type": "IDENTITY"
        },
        "query": "Search Campaign query description",
        "identityIds": [
            "IdoftheIdentitytoCertify"
        ],
        "accessConstraints": [
            {
                "type": "ACCESS_PROFILE",
                "operator": "ALL"
            }
        ]
    }
}

Does anyone know how to amend this JSON to include both ACCESS_PROFILE and ROLE for the identity to certify?

Thanks

Thanks

I got the JSON working and now it includes both ACCESS_PROFILE and ROLE of the identity to be certified.

Thanks

Hey! Could you share a snippet of the working JSON for the campaign generation? Are you able to generate a search campaign including both roles and access profiles?

Hi @Swegmann

This JSON seems to have worked for me as it includes both roles and access profiles. I’ve tested this a few times.

{
    "name": "Mover Campaign",
    "description": "Search Campaign",
    "type": "SEARCH",
    "emailNotificationEnabled": true,
    "searchCampaignInfo": {
        "type": "ACCESS",
        "reviewer": {
            "id": "Id_of_the_Reviewer",
            "type": "IDENTITY"
        },
        "query": "Search Campaign query description",
        "identityIds": [
            "Id_of_the_Identity"
        ],
        "accessConstraints": [
            {
                "type": "ROLE",
                "operator": "ALL"
            },
            {
                "type": "ACCESS_PROFILE",
                "operator": "ALL"
            }
        ]
    }
}

OR

{
    "name": "Test Campaign",
    "description": "Search Campaign",
    "type": "SEARCH",
    "emailNotificationEnabled": true,
    "searchCampaignInfo": {
        "type": "ACCESS",
        "reviewer": {
            "id": "{{$.getIdentity.managerRef.id}}",
            "type": "IDENTITY"
        },
        "query": "Search Campaign query description",
        "identityIds": [
            "{{$.trigger.identity.id}}"
        ],
        "accessConstraints": [
            {
                "type": "ROLE",
                "operator": "ALL"
            },
            {
                "type": "ACCESS_PROFILE",
                "operator": "ALL"
            }
        ]
    }
}

Thanks Hassan,

I tried this JSON and it works perfectly for both roles and APs:

{
    "autoRevokeAllowed": true,
    "description": "Test Cert",
    "emailNotificationEnabled": true,
    "name": "Certification: {{$.loop.loopInput.displayName}}",
    "deadline": "{{$.loop.context.calculationResult.dateTime}}Z",
    "recommendationsEnabled": true,
    "mandatoryCommentRequirement": "REVOKE_ONLY_DECISIONS",
    "searchCampaignInfo": {
        "query": "owner.id:{{$.loop.loopInput.id}}",
        "reviewer": {
            "id": "{{$.loop.loopInput.id}}",
            "type": "IDENTITY"
        },
        "type": "ACCESS"
    },
    "type": "SEARCH"
}

So I’m not even using the “accessConstraints” node and it seems to be working anyway!

Thanks for the help.

If your JSON also works for both roles and APs, then that’s great. I guess it doesn’t include entitlements.

Thanks

I haven’t tried entitlements but I think they should be included as well as I’m not filtering on any specific access.

I take it you do want to exclude entitlements then in your payload?

Yes! I am filtering on specific access, i.e. include roles and APs but NOT entitlements.
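A pre-flight check for the scope question discussed in the last few posts, as an added example that is not part of the original thread: it compares the access types a campaign payload constrains with the types the review is meant to cover, and flags a payload that has no accessConstraints node. The function names, the sample payloads (trimmed from the thread's JSON) and the ENTITLEMENT type string are assumptions of this example.

```python
# Access type strings. ROLE and ACCESS_PROFILE appear in the thread's payloads;
# ENTITLEMENT is assumed here as the type string for entitlements.
KNOWN_TYPES = {"ROLE", "ACCESS_PROFILE", "ENTITLEMENT"}

def constrained_types(payload):
    """Return the access types listed in accessConstraints, or None when the
    payload has no accessConstraints node (or an empty one)."""
    info = payload.get("searchCampaignInfo", {})
    constraints = info.get("accessConstraints")
    if not constraints:
        return None
    return {str(c.get("type")) for c in constraints}

def check_scope(payload, wanted):
    """List the differences between the payload's type constraints and the
    intended review scope. An empty list means they match."""
    types = constrained_types(payload)
    if types is None:
        return ["no accessConstraints: payload does not limit scope by access type"]
    findings = []
    for t in sorted(types - KNOWN_TYPES):
        findings.append(f"unknown access type: {t}")
    for t in sorted(wanted - types):
        findings.append(f"missing wanted type: {t}")
    for t in sorted((types & KNOWN_TYPES) - wanted):
        findings.append(f"unwanted type included: {t}")
    return findings

# Constructed sample payloads, trimmed from the ones posted in the thread.
BOTH = {"type": "SEARCH", "searchCampaignInfo": {"type": "ACCESS", "accessConstraints": [
    {"type": "ROLE", "operator": "ALL"},
    {"type": "ACCESS_PROFILE", "operator": "ALL"}]}}
AP_ONLY = {"type": "SEARCH", "searchCampaignInfo": {"type": "ACCESS", "accessConstraints": [
    {"type": "ACCESS_PROFILE", "operator": "ALL"}]}}
OWNER_QUERY = {"type": "SEARCH", "searchCampaignInfo": {
    "type": "ACCESS", "query": "owner.id:PLACEHOLDER_ID"}}

if __name__ == "__main__":
    wanted = {"ROLE", "ACCESS_PROFILE"}  # roles and APs, not entitlements
    for name, payload in (("both", BOTH), ("ap_only", AP_ONLY), ("owner_query", OWNER_QUERY)):
        print(name, check_scope(payload, wanted) or "scope matches")
```
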
