Workflow - how to detect Access Profile added to identity via role

Hello,

I am struggling to find a workflow trigger that can email off of a specific event. We have an Access Profile that has 2 different entitlements in it. We place this access profile on multiple different roles to be applied when someone is in an active lifecycle state as it is a necessary tool of their job. What we need is an email that goes out to a team when this access profile is provisioned to a user automatically via role Define Assignment. The source is an Active Directory source if that helps.

What I have tried:
Creating a workflow off an Access Request Decision trigger; this only seems to work when Access Profiles are applied via a request and not as part of a role.

Creating a workflow off a Native Change Account Updated trigger, but this doesn’t seem to pick up the entitlements being added to the account on the source. I think this might be the best option, but I’m not sure how I can see the JSON data of a Native Change Account Update to better target the event.

Thank you!

Have a triggered attribute in ISC that is named “trigger”.

Have a static transform and use Velocity logic to check if the user has either of the two entitlements; if so, check to see if the IDN attribute has a value of “E1”. If it doesn’t, set it to E1. If the user doesn’t have the entitlements, set it to a value such as “False”. The initial change would generate a lot of changes, so make sure you apply the transform before implementing the workflow so that the workflow only sees current changes.

Have the workflow look to see if the attribute is being changed to E1. If so, you know it is a recent change, and send the email.

Create reports that find users with a value of E1 and another for users with a value of False. You should be able to have emails sent when the value is set to E1, as well as reports of who has E1 and who has a value of False.

Below is an example to see if someone is a member of a group.

```json
{
    "type": "lookup",
    "attributes": {
        "input": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "accountAttribute",
                        "attributes": {
                            "accountPropertyFilter": "(memberOf.contains(\"Group1\"))",
                            "attributeName": "sAMAccountName",
                            "sourceName": "Active Directory-Dev"
                        }
                    },
                    "FALSE"
                ]
            }
        },
        "table": {
            "FALSE": "false",
            "default": "true"
        }
    }
}
```

The `firstValid` returns the account's `sAMAccountName` when an account on the source matches the filter, and the literal `FALSE` otherwise; the `lookup` table then maps `FALSE` to `false` and anything else (the matched account name) to `true`.

You could use the triggered attribute for other event changes as well, rather than having multiple triggered attributes for other scenarios. But the complexity grows quickly with different types of triggers on a given attribute.
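As an added example (not code from the reply above or from SailPoint), the following Python dry run mirrors the triggered-attribute approach just described: it computes the value the transform would produce for an identity (either watched entitlement present gives E1, otherwise false), then applies the check the workflow's Identity Attribute Changed trigger filter would make, over constructed events in the documented shape (`identity`, plus a `changes` list of `attribute`/`oldValue`/`newValue`). The group DNs, identity names and ids are assumed placeholders; the JSONPath filter string follows the shape of the documented lifecycle-state filter example for this trigger.

```python
"""Dry run of the 'triggered attribute' pattern.

Added example with constructed data: the entitlement DNs, identity names and
ids below are placeholders, not values from the original post.
"""

# Assumption: the two AD groups inside the Access Profile, as they appear in
# the account's memberOf attribute.
TOOL_USERS = "CN=Tool-Users,OU=Groups,DC=example,DC=com"
TOOL_ADMINS = "CN=Tool-Admins,OU=Groups,DC=example,DC=com"
WATCHED_ENTITLEMENTS = {TOOL_USERS, TOOL_ADMINS}

TRIGGER_ATTRIBUTE = "trigger"   # identity attribute name used in the post
TRIGGER_VALUE = "E1"
NO_VALUE = "false"

# JSONPath-style filter for the workflow's Identity Attribute Changed trigger:
# fire only when "trigger" lands on E1, not when it drops back to false.
WORKFLOW_FILTER = "$.changes[?(@.attribute == 'trigger' && @.newValue == 'E1')]"


def transform_value(member_of):
    """Mirror of the static transform's decision: E1 if the account holds either
    watched entitlement, otherwise false. Re-evaluating an identity that already
    has E1 yields E1 again, so nothing changes and the workflow does not re-fire."""
    return TRIGGER_VALUE if any(dn in WATCHED_ENTITLEMENTS for dn in member_of) else NO_VALUE


def attribute_changed_event(identity_name, old_value, new_value, attribute=TRIGGER_ATTRIBUTE):
    """Constructed Identity Attribute Changed payload in the documented shape."""
    return {
        "identity": {"type": "IDENTITY", "id": "identity-0001", "name": identity_name},
        "changes": [{"attribute": attribute, "oldValue": old_value, "newValue": new_value}],
    }


def should_notify(event):
    """The workflow's filter: True only when `trigger` changed to E1."""
    return any(
        change.get("attribute") == TRIGGER_ATTRIBUTE
        and change.get("newValue") == TRIGGER_VALUE
        and change.get("oldValue") != TRIGGER_VALUE
        for change in event.get("changes", [])
    )


def simulate_refresh(identities):
    """Run one identity refresh over {name: (previous_trigger_value, memberOf)}
    and return the names the workflow would email about, in refresh order."""
    notified = []
    for name, (previous, member_of) in identities.items():
        new = transform_value(member_of)
        if new == previous:
            continue  # ISC only raises the trigger when the value actually changes
        if should_notify(attribute_changed_event(name, previous, new)):
            notified.append(name)
    return notified


# Constructed refresh input: previous attribute value and current AD groups.
SAMPLE_IDENTITIES = {
    "alice": (NO_VALUE, [TOOL_USERS]),          # just picked up the group via a role: email
    "bob": (TRIGGER_VALUE, [TOOL_ADMINS]),      # already E1: no change, no event, no email
    "carol": (TRIGGER_VALUE, ["CN=Other,OU=Groups,DC=example,DC=com"]),  # E1 -> false: filter rejects
    "dave": (NO_VALUE, []),                     # never had it: no change
    "erin": (None, [TOOL_USERS]),               # transform applied for the first time: fires
}

if __name__ == "__main__":
    print("filter:", WORKFLOW_FILTER)
    print("notify:", simulate_refresh(SAMPLE_IDENTITIES))
```

The `erin` entry shows why the reply says to apply the transform before wiring up the workflow: the first calculation turns every qualifying identity from an empty value to E1 and would email once per existing member.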

You can use the “Provisioning Completed” trigger and apply a filter to detect if the entitlements were included in the attributeRequests array of the JSON input.
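As an added example (not code from the reply above or from SailPoint), here is that check done in Python against constructed Provisioning Completed payloads in the documented shape (`recipient`, `action`, and an `accountRequests` list whose entries carry `source`, `accountId`, `provisioningResult` and `attributeRequests` with `attributeName`/`attributeValue`/`operation`). The source name, group DNs, account DNs and ids are assumed placeholders, and the `action` value a role-driven assignment arrives with is an assumption to confirm against a real event.

```python
"""Filter logic for the Provisioning Completed trigger: list the watched
entitlements that were actually added on the AD source by one event.

Added example with constructed payloads; the source name, DNs and ids are
placeholders, not values from the original thread.
"""

SOURCE_NAME = "Active Directory"        # assumption: the AD source's name in ISC
ENTITLEMENT_ATTRIBUTE = "memberOf"      # AD group membership attribute
TOOL_USERS = "CN=Tool-Users,OU=Groups,DC=example,DC=com"
TOOL_ADMINS = "CN=Tool-Admins,OU=Groups,DC=example,DC=com"
WATCHED_ENTITLEMENTS = {TOOL_USERS, TOOL_ADMINS}


def added_entitlements(event, source_name=SOURCE_NAME):
    """Return [(accountId, entitlement)] for watched entitlements successfully
    added on `source_name` by this event; empty when nothing of interest happened."""
    hits = []
    for account in event.get("accountRequests", []):
        if account.get("source", {}).get("name") != source_name:
            continue
        # Only email for changes that actually landed on the source.
        if account.get("provisioningResult") != "SUCCESS":
            continue
        for req in account.get("attributeRequests", []):
            if (req.get("operation") == "Add"
                    and req.get("attributeName") == ENTITLEMENT_ATTRIBUTE
                    and req.get("attributeValue") in WATCHED_ENTITLEMENTS):
                hits.append((account.get("accountId"), req["attributeValue"]))
    return hits


def notification(event):
    """Subject and body the workflow's email step would send, or None to skip."""
    hits = added_entitlements(event)
    if not hits:
        return None
    who = event.get("recipient", {}).get("name", "unknown")
    body = "\n".join(f"{who}: {ent} added to {acct}" for acct, ent in hits)
    return {"subject": f"Tool access provisioned for {who}", "body": body}


def provisioning_event(recipient, account_id, attribute_requests,
                       result="SUCCESS", source=SOURCE_NAME, action="IdentityRefresh"):
    """Constructed Provisioning Completed payload in the documented shape."""
    return {
        "trackingNumber": "tracking-0001",
        "sources": source,
        # Assumption: role-driven assignments arrive as IdentityRefresh; confirm on a live event.
        "action": action,
        "errors": None,
        "warnings": None,
        "recipient": {"type": "IDENTITY", "id": "identity-0001", "name": recipient},
        "requester": {"type": "IDENTITY", "id": "identity-0000", "name": "System"},
        "accountRequests": [{
            "source": {"type": "SOURCE", "id": "source-0001", "name": source},
            "accountId": account_id,
            "accountOperation": "Modify",
            "provisioningResult": result,
            "provisioningTarget": source,
            "ticketId": None,
            "attributeRequests": attribute_requests,
        }],
    }


def group_request(dn, operation="Add"):
    return {"attributeName": ENTITLEMENT_ATTRIBUTE, "attributeValue": dn, "operation": operation}


# Constructed sample events covering the cases the filter must separate.
ROLE_ADD = provisioning_event("alice", "CN=alice,OU=Users,DC=example,DC=com", [group_request(TOOL_USERS)])
UNRELATED = provisioning_event("bob", "CN=bob,OU=Users,DC=example,DC=com",
                               [group_request("CN=Other,OU=Groups,DC=example,DC=com")])
REMOVAL = provisioning_event("carol", "CN=carol,OU=Users,DC=example,DC=com",
                             [group_request(TOOL_ADMINS, operation="Remove")])
FAILED = provisioning_event("dave", "CN=dave,OU=Users,DC=example,DC=com",
                            [group_request(TOOL_USERS)], result="FAILED")
OTHER_SOURCE = provisioning_event("erin", "erin", [group_request(TOOL_USERS)], source="Active Directory-Dev")

if __name__ == "__main__":
    for name, ev in [("role add", ROLE_ADD), ("unrelated", UNRELATED), ("removal", REMOVAL),
                     ("failed", FAILED), ("other source", OTHER_SOURCE)]:
        print(name, "->", notification(ev))
```

Provisioning Completed fires for request-driven provisioning as well as role-driven, so this filter emails for both; to restrict it to role assignments, capture a real event and filter on whichever field distinguishes the two paths rather than relying on the `action` value assumed here.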
