Workflow: Grant access based on multiple conditions

Hi

We have built the workflow below to grant access profiles when the conditions below match.

1st condition: if the access profile name and title match, grant the access profile.

Example - if the access profile starts with CC Base and the identity attribute title is Executive, grant access profile CC Base Executive.

2nd condition: if the access profile name and jobCategoryDesc and departmentName match, grant the access profile.

Example - if the access profile starts with CC Base and the identity attribute jobCategoryDesc is Program Coordinator and departmentName is IT, grant access profile CC Base Program Coordinator IT.

3rd condition: if the access profile name and jobCategoryDesc and DeptType and loccodedecs match, grant the access profile.

Likewise, we have seven conditions. I have built the workflow below, but it is not working as expected for some reason.

Any better suggestion?

{
	"name": "Multiple  Access Profile Grant Access",
	"description": "Multiple  Access Profile Grant EPIC Access",
	"modified": "2024-08-22T03:57:50.04916704Z",
	"modifiedBy": {
		"type": "IDENTITY",
		"id": "3b8c0332ff9d09a81f",
		"name": "PKumar"
	},
	"definition": {
		"start": "Compare Strings",
		"steps": {
			"Compare Strings": {
				"choiceList": [
					{
						"comparator": "StringEquals",
						"nextStep": "Get Access",
						"variableA.$": "$.trigger.attributes.ADAccountExist",
						"variableB": "YES"
					}
				],
				"defaultStep": "End Step - Failure 1",
				"displayName": "",
				"type": "choice"
			},
			"End Step - Failure": {
				"displayName": "",
				"failureName": "Both access profile are null",
				"type": "failure"
			},
			"End Step - Failure 1": {
				"displayName": "",
				"type": "failure"
			},
			"End Step - Success": {
				"displayName": "",
				"type": "success"
			},
			"Get Access": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": true,
					"entitlements": false,
					"getAccessBy": "searchQuery",
					"query": "name.exact:\"CC Base {{$.trigger.attributes.title}}\"",
					"roles": false
				},
				"displayName": "",
				"nextStep": "Verify Data Type",
				"type": "action",
				"versionNumber": 1
			},
			"Get Access 1": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": true,
					"entitlements": false,
					"getAccessBy": "searchQuery",
					"identityToReturn.$": "$.trigger.attributes.jobCategoryDesc",
					"query": "name.exact:\"CC Base {{$.trigger.attributes.jobCategoryDesc}} {{$.trigger.attributes.departmentName}}\"",
					"roles": false
				},
				"description": null,
				"displayName": "",
				"nextStep": "Verify Data Type 2",
				"type": "action",
				"versionNumber": 1
			},
			"Get Access 2": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": true,
					"entitlements": false,
					"getAccessBy": "searchQuery",
					"identityToReturn.$": "$.trigger.attributes.jobCategoryDesc",
					"query": "name.exact:\"CC Base {{$.trigger.attributes.jobCategoryDesc}} {{$.trigger.attributes.departtype}}\"",
					"roles": false
				},
				"description": null,
				"displayName": "",
				"nextStep": "Verify Data Type 1",
				"type": "action",
				"versionNumber": 1
			},
			"Get Access 3": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": true,
					"entitlements": false,
					"getAccessBy": "searchQuery",
					"identityToReturn.$": "$.trigger.attributes.jobCategoryDesc",
					"query": "name.exact:\"CC Base {{$.trigger.attributes.jobCategoryDesc}} {{$.trigger.attributes.DeptType}} {{$.trigger.attributes.loccodedecs}}\"",
					"roles": false
				},
				"description": null,
				"displayName": "",
				"nextStep": "Verify Data Type 3",
				"type": "action",
				"versionNumber": 1
			},
			"Manage Access": {
				"actionId": "sp:access:manage",
				"attributes": {
					"addIdentities.$": "$.trigger.identity.id",
					"comments": "This identity has access profile of given title",
					"requestType": "GRANT_ACCESS",
					"requestedItems.$": "$.getAccess.accessItems"
				},
				"displayName": "",
				"nextStep": "Get Access 1",
				"type": "action",
				"versionNumber": 1
			},
			"Manage Access 1": {
				"actionId": "sp:access:manage",
				"attributes": {
					"addIdentities.$": "$.trigger.identity.id",
					"comments": "Jobcategory description ap is present",
					"requestType": "GRANT_ACCESS",
					"requestedItems.$": "$.getAccess1.accessItems"
				},
				"displayName": "",
				"nextStep": "Get Access 2",
				"type": "action",
				"versionNumber": 1
			},
			"Manage Access 2": {
				"actionId": "sp:access:manage",
				"attributes": {
					"addIdentities.$": "$.trigger.identity.id",
					"comments": "Jobcategory description ap is present",
					"requestType": "GRANT_ACCESS",
					"requestedItems.$": "$.getAccess1.accessItems"
				},
				"displayName": "",
				"nextStep": "Get Access 3",
				"type": "action",
				"versionNumber": 1
			},
			"Manage Access 3": {
				"actionId": "sp:access:manage",
				"attributes": {
					"addIdentities.$": "$.trigger.identity.id",
					"comments": "Jobcategory description ap is present",
					"requestType": "GRANT_ACCESS",
					"requestedItems.$": "$.getAccess1.accessItems"
				},
				"displayName": "",
				"nextStep": "End Step - Success",
				"type": "action",
				"versionNumber": 1
			},
			"Verify Data Type": {
				"choiceList": [
					{
						"comparator": "IsPresent",
						"nextStep": "Manage Access",
						"variableA.$": "$.getAccess.accessItems"
					}
				],
				"defaultStep": "Get Access 1",
				"displayName": "",
				"type": "choice"
			},
			"Verify Data Type 1": {
				"choiceList": [
					{
						"comparator": "IsPresent",
						"nextStep": "Manage Access 2",
						"variableA.$": "$.getAccess1.accessItems"
					}
				],
				"defaultStep": "Get Access 3",
				"displayName": "",
				"type": "choice"
			},
			"Verify Data Type 2": {
				"choiceList": [
					{
						"comparator": "IsPresent",
						"nextStep": "Manage Access 1",
						"variableA.$": "$.getAccess1.accessItems"
					}
				],
				"defaultStep": "Get Access 2",
				"displayName": "",
				"type": "choice"
			},
			"Verify Data Type 3": {
				"choiceList": [
					{
						"comparator": "IsPresent",
						"nextStep": "Manage Access 3",
						"variableA.$": "$.getAccess1.accessItems"
					}
				],
				"defaultStep": "End Step - Failure",
				"displayName": "",
				"type": "choice"
			}
		}
	},
	"creator": {
		"type": "IDENTITY",
		"id": "3b8a810f47aa54dac0",
		"name": "PKumar"
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"id": "idn:identity-created"
		}
	}
}

Perhaps super obvious, but I guess there's a reason you're doing this through workflows?

2 Likes

Hi Prasantha,

You mentioned that it's not working as expected. Does this mean that the workflow ends with an error, or that the workflow is working as expected but access profiles are not granted?

Thanks,
Shailee

Hi,

As mentioned above, is there any particular reason this is being done via workflows? Would this be better done by putting the access profile within a role and setting up the assignment definition within the role itself to accomplish the same task?

Or does this workflow do anything additional on top of the provisioning?

Thanks,
Liam.

1 Like
  1. All that will be assigned through this workflow should not be removed from the user once assigned.
  2. Access will be removed if we assign it as part of the birthright role once the user title or department changes.

Hi @pkumar22.

Here are my few observations:

  1. Is the attribute "ADAccountExist" checking for the existence of an AD account? If so, it may not work, as the trigger is initiated as soon as the Identity is created. If the WF is always taking the False path initially, that could be the reason. In that case, you may want to add a delay and then use the Get Account action or Get Accounts API call to verify if the AD account exists.

  2. In your Manage Access 2, 3 and 4 steps, you are using $.getAccess1.accessItems instead of $.getAccess2.accessItems, $.getAccess3.accessItems etc.

If you can detail the exact issues you are facing with the WF, that would be helpful.

An approach to use the Role instead of the WF - Add an extra step in your Role membership criteria with an OR condition which contains all the entitlements in your Access profile. That way, even if the Identity attribute changes, since the user already holds the entitlements, the role won’t be revoked for the user.

4 Likes
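An offline check for the step-wiring mistake described in the reply above (an added example written for this thread, not code from the original post or from SailPoint). It walks a workflow definition of the shape posted here and reports every `$.<var>.accessItems` reference that names a lookup other than the Get Access step that just ran; the mapping from step name to variable (`Get Access 1` to `getAccess1`) is assumed from the references the posted workflow itself uses, and the sample workflow is a constructed, trimmed copy of the thread's wiring.

```python
import re

def step_var(step_name):
    """'Get Access 1' -> 'getAccess1', the variable naming the posted workflow relies on."""
    words = step_name.split()
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])

def find_misreferences(definition):
    """Walk every path from the start step, remembering the last Get Access step, and
    return (step, referenced_var, expected_var) for each '$.<var>.accessItems' reference
    that names a different lookup than the one that just ran on that path."""
    steps, problems, seen = definition["steps"], [], set()
    todo = [(definition["start"], None)]  # (step name, var of last Get Access so far)
    while todo:
        name, last = todo.pop()
        if name not in steps or (name, last) in seen:
            continue
        seen.add((name, last))
        step = steps[name]
        refs = [c.get("variableA.$", "") for c in step.get("choiceList", [])]
        refs.append(step.get("attributes", {}).get("requestedItems.$", ""))
        for ref in refs:
            m = re.fullmatch(r"\$\.(\w+)\.accessItems", ref)
            if m and m.group(1) != last:
                problems.append((name, m.group(1), last))
        if step.get("actionId") == "sp:access:get":
            last = step_var(name)  # steps after this one should read its output
        # Choice steps branch via choiceList/defaultStep, action steps via nextStep.
        following = [c["nextStep"] for c in step.get("choiceList", [])]
        following += [step.get("defaultStep"), step.get("nextStep")]
        todo.extend((nxt, last) for nxt in following)
    return problems

# Constructed sample: the thread's wiring cut to two lookups; the second pair still reads $.getAccess.
def _get(nxt):
    return {"type": "action", "actionId": "sp:access:get", "nextStep": nxt}
def _verify(var, nxt, default):
    return {"type": "choice", "defaultStep": default, "choiceList": [
        {"comparator": "IsPresent", "nextStep": nxt, "variableA.$": f"$.{var}.accessItems"}]}
def _manage(var, nxt):
    return {"type": "action", "actionId": "sp:access:manage", "nextStep": nxt,
            "attributes": {"requestType": "GRANT_ACCESS", "requestedItems.$": f"$.{var}.accessItems"}}

SAMPLE = {"start": "Get Access", "steps": {
    "Get Access": _get("Verify Data Type"), "Get Access 1": _get("Verify Data Type 1"),
    "Verify Data Type": _verify("getAccess", "Manage Access", "Get Access 1"),
    "Manage Access": _manage("getAccess", "Get Access 1"),
    "Verify Data Type 1": _verify("getAccess", "Manage Access 1", "End Step - Success"),
    "Manage Access 1": _manage("getAccess", "End Step - Success"),
    "End Step - Success": {"type": "success"}}}
```

Running `find_misreferences` on the full exported workflow JSON (after `json.load`) flags each Verify/Manage pair that still reads an earlier lookup's output before any access is granted from it.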

In the above workflow we changed the trigger from identity-created to AD provisioning completed: once AD provisioning is completed, the workflow is triggered, checks that the AD account exists (Yes), and grants the access profile to the JDBC application.

We have extension attribute 12, which we populate after AD create using PowerShell, and extension attribute 12 is mapped to the JDBC application's create profile userid attribute.

The workflow triggers and grants the access profile to the user, but because of the delay in populating extension attribute 12 in the identity attribute, the userid attribute is not being populated with a value.

We have increased the wait time to 5 minutes; it is still missing the extension attribute 12 value in the create profile userid attribute.

Any idea?

Hi @pkumar22,

If you are updating the ext12 with an afterCreate script, the value will probably be populated in IDN only after the next aggregation.

You would need to do a single account aggregation step before proceeding with your next step in your workflow.

Now we are getting two issues in the workflow.

In our workflow query, we used the following: "query": "name.exact:\"CC Base {{$.trigger.attributes.title}}\"", to assign the Access Profile. During testing, I assigned the title Charge Nurse to a user, and they were assigned the Charge Nurse access profile as well as any other access profiles that contain the word "Nurse".

I tried the query "query": "name.exact:\"CC Base {{$.trigger.attributes.title.exact}}\"" but it did not work.
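A defensive post-filter for the over-matching described in the post above (an added example written for this thread, not code from the original post or from SailPoint): rather than granting whatever the search hands back, render the expected profile name from the trigger attributes and grant only a hit whose name is identical, refusing when the exact profile is missing or duplicated. The search hits are constructed to illustrate the "Nurse" case the poster reports, and the profile names and ids are invented.

```python
import re

# Constructed search result: the kind of list the poster describes for title "Charge Nurse".
SEARCH_HITS = [
    {"id": "ap-1", "name": "CC Base Charge Nurse", "type": "ACCESS_PROFILE"},
    {"id": "ap-2", "name": "CC Base Nurse Manager", "type": "ACCESS_PROFILE"},
    {"id": "ap-3", "name": "CC Base Charge Nurse Float", "type": "ACCESS_PROFILE"},
]

def render_name(template, attrs):
    """Expand the workflow's {{$.trigger.attributes.X}} placeholders from trigger attributes.
    A missing attribute leaves its placeholder in place, so the rendered name can never
    collapse to a bare prefix like 'CC Base ' that matches many profiles."""
    return re.sub(r"\{\{\$\.trigger\.attributes\.(\w+)\}\}",
                  lambda m: attrs.get(m.group(1), m.group(0)), template)

def select_exact(hits, expected):
    """Keep only hits whose name equals the expected profile name character for character.
    Returns [] when the exact profile is absent (grant nothing rather than a look-alike) and
    raises when the catalogue holds duplicates, so a GRANT_ACCESS never fans out."""
    exact = [h for h in hits if h["name"] == expected]
    if len(exact) > 1:
        raise ValueError(f"ambiguous: {len(exact)} access profiles named {expected!r}")
    return exact

EXPECTED = render_name("CC Base {{$.trigger.attributes.title}}", {"title": "Charge Nurse"})
TO_GRANT = select_exact(SEARCH_HITS, EXPECTED)  # -> only the "CC Base Charge Nurse" hit
```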

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.