Workflow in SailPoint IDN stopped revoking access for deactivated accounts, except roles – Anyone else experiencing this issue?

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

I configured a workflow in SailPoint IdentityNow to revoke all access except roles for deactivated accounts. Until yesterday, everything was working perfectly. However, starting today, the workflow stopped mapping accounts as expected, as shown in the attached images.

I’ve double-checked the configurations, and everything seems correct. Is anyone else facing this issue?

image
image1156×605 40 KB

image
image1220×485 25.1 KB

image
image1580×583 43 KB

step input

{ "context": "be9a1bc2c42546f5b926d0b8a6919ab4", "input": [ { "id": "b253b7c4d90b465c909adac07618abc0", "name": "GR_ZABBIX_USER_HML", "type": "ENTITLEMENT" }, { "id": "b725f34452e5468697c8b2dfb2a60d5e", "name": "GR_ZABBIX_ADM_HML", "type": "ENTITLEMENT" } ], "start": "HTTP Request", "steps": { "End Step - Success": { "displayName": "", "type": "success" }, "HTTP Request": { "actionId": "sp:http", "attributes": { "authenticationType": "OAuth", "jsonPatchRequestBody": { "requestType": "REVOKE_ACCESS", "requestedFor": [ "" ], "requestedItems": [ { "comment": "Usuario Desligado", "id": "", "name": "", "type": "ENTITLEMENT" } ] }, "jsonRequestBody": { "requestType": "REVOKE_ACCESS", "requestedFor": [ "" ], "requestedItems": [ { "comment": "Usuario Desligado", "id": "", "name": "", "type": "ENTITLEMENT" } ] }, "method": "post", "oAuthClientId": "b5c4dd850fbb49999ae804111ec87bd7", "oAuthClientSecret": "$.secrets.0f6cfb92-6417-44dd-8596-e6ec3d0eb7ff", "oAuthCredentialLocation": "oAuthInHeader", "oAuthScope": null, "oAuthTokenUrl": "https://credsystem-sb.api.identitynow.com/oauth/token", "requestContentType": "json", "requestHeaders": null, "url": "https://credsystem-sb.api.identitynow.com/v3/access-requests" }, "description": null, "displayName": "HTTP Remove Acesso", "nextStep": "End Step - Success", "type": "action", "versionNumber": 2 } }, "suppliedInlineExpression": { "steps": "{\"End Step - Success\":{\"displayName\":\"\",\"type\":\"success\"},\"HTTP Request\":{\"actionId\":\"sp:http\",\"attributes\":{\"authenticationType\":\"OAuth\",\"jsonPatchRequestBody\":{\"requestType\":\"REVOKE_ACCESS\",\"requestedFor\":[\"{{$.loop.context}}\"],\"requestedItems\":[{\"comment\":\"Usuario Desligado\",\"id\":\"{{$.loop.loopInput.id}}\",\"name\":\"{{$.loop.loopInput.name}}\",\"type\":\"ENTITLEMENT\"}]},\"jsonRequestBody\":{\"requestType\":\"REVOKE_ACCESS\",\"requestedFor\":[\"{{$.loop.context}}\"],\"requestedItems\":[{\"comment\":\"Usuario Desligado\",\"id\":\"{{$.loop.loopInput.id}}\",\"name\":\"{{$.loop.loopInput.name}}\",\"type\":\"ENTITLEMENT\"}]},\"method\":\"post\",\"oAuthClientId\":\"b5c4dd850fbb49999ae804111ec87bd7\",\"oAuthClientSecret\":\"$.secrets.0f6cfb92-6417-44dd-8596-e6ec3d0eb7ff\",\"oAuthCredentialLocation\":\"oAuthInHeader\",\"oAuthScope\":null,\"oAuthTokenUrl\":\"https://credsystem-sb.api.identitynow.com/oauth/token\",\"requestContentType\":\"json\",\"requestHeaders\":null,\"url\":\"https://credsystem-sb.api.identitynow.com/v3/access-requests\"},\"description\":null,\"displayName\":\"HTTP Remove Acesso\",\"nextStep\":\"End Step - Success\",\"type\":\"action\",\"versionNumber\":2}}" } }

step output

{
“loopOutput”: {
“failureItems”: [
{
“errorMessage”: “unexpected end of JSON input”,
“payload”: null
},
{
“errorMessage”: “unexpected end of JSON input”,
“payload”: null
}
],
“successfulItems”: null
}
}

request body

{“requestType”:“REVOKE_ACCESS”,“requestedFor”:[“{{$.loop.context}}”],“requestedItems”:[{“comment”:“Usuario Desligado”,“id”:“{{$.loop.loopInput.id}}”,“name”:“{{$.loop.loopInput.name}}”,“type”:“ENTITLEMENT”}]}

1 Like
2

Hey @clebercarvalhoRaise : I am getting this same “unexpected end of JSON input” error in a workflow that was previously working. I have spent 5+ hours debugging and cannot understand what the issue is. My guess is that SailPoint recently pushed a Workflow update and didn’t validate fully but my guess is as good as yours.

For reference, I opened a similar post here: Unable to use loop input or loop context in loop steps - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

I think the bug lies exclusively with passing loop input and loop context variables to inner loop HTTP operations, as I am still able to call Get Identity inside the loop, for example.

3

From looking into this, it appears that a recent update to inline variable rendering caused this issue and was rolled back in PROD a few hours ago.

@clebercarvalhoRaise and @dominick-miller please retest and let us know if the issue is not resolved.

4

Hey @christina_gagnon ! Thanks for the input here. I just retested in sandbox and the behavior is different but not fixed. I am still seeing “unexpected end of JSON input” but instead of my variables resolving to empty strings they are now not resolving at all, e.g. {{$.loop.context.id}} and {{$.loop.loopInput.id}} are getting input as plaintext in my inner loop HTTP requests.

As a side note: can we have this posted to status.sailpoint.com? It seems disingenuous to not call out a major piece of missing functionality.

5

@dominick-miller thank you for the update. Sorry to hear it is not resolved for you. I will relay this to the workflows team and inquire why it is not posted to status.sailpoint.com.

1 Like
6

Thank you. Please let me know what the ETA is for this fix or if the workflows team believes they have applied the fix already. I’m happy to help debug if needed.

7

Hello,

Was any rollback performed? I simply started the Workflow (WF) and proceeded to revoke the accesses.

Looking forward to your response.

8

@dominick-miller I will update you as I hear more from the team about the issue you are seeing now.

@clebercarvalhoRaise Yes, a rollback was performed yesterday and should have fixed the issue. Is the workflow now working as expected for you?

9

Great, thank you @christina_gagnon. I appreciate the communications here. I am happy to hop on a 30 min call to demo the workflow or any other way I can assist.

I still do not see anything mentioned of this on status.sailpoint.com and this has not been the first time my team has uncovered a bug with no coverage on the status and I question the use/scope of what gets reported on the status page at all.

10

@dominick-miller I see that a support engineer who has good insight into this issue has responded to you on the support ticket. He’ll be the best resource for you moving forward.

I am continuing to inquire about what issues are reported at status.sailpoint.com.

11

I am also getting same issues. anyone able to identify the fix.

12

Hey Vijay,

My issue was having two Loop operators in one workflow. This led to one of my Loops being completely corrupt and I learned SailPoint recommends against doing this. To fix this, I split my workflow into two workflows and kept one Loop in each.

1 Like