Workflow: JSON path for loop input

Use Case:
Upon termination, remove All access (entitlements) for a specific Source.

I have implemented a workflow utilising HTTP request to Search the identity object, then loop through entitlements with the following input:

$.hTTPRequest.body.*.access[?(@.type == "ENTITLEMENT" && @.source.id == "12345")].id

Problem Statement: if an identity has MORE than 100 entitlements for the source, the loop operation throws an error.

Proposed Solution:
Limit the input to the loop to 99 Entitlement records, and have multiple loops to process 1-99, 100-199 etc.

Issue Experienced:
I cannot seem to limit the entitlements as the loop input from the HTTP response body with the below JSON path; I have tried multiple combinations:

$.access[1:99][?(@.type == "ENTITLEMENT" && @.source.id == "12345")].id

In Workflow:

$.hTTPRequest.body.*.access[1:99][?(@.type == "ENTITLEMENT" && @.source.id == "12345")].id
$.hTTPRequest.body[0].access[1:99][?(@.type == "ENTITLEMENT" && @.source.id == "12345")]

Is there a potential formatting error that I may have missed? Any other advice would be appreciated.

Hi,
A different approach with workflow would be to trigger the workflow on the termination lifecycle state and get the target identity, create a certification of all access, auto revoke and close the certification.

I could share a workflow if this is a solution you would be happy to follow.

Hope this helps.

Thanks, yeah sure, that would be great.

Revoke_All_Access.json (13.8 KB)

Try it out. You will need a clientID and Secret for accessing the API.
Edit the workflow and substitute your tenant details.
Edit the trigger to use your target lifecycle state etc. before uploading.

It does remove all access; it may need a tweak to target one source if that is required.

Hope this works for you, it's one I am using.

Hi @bilal
Did this help you at all?

Hi Anthony,
Thanks for sharing, it did indeed.
Although we ended up going in a different way.
Get Identity →
Get Accounts →
Get Entitlements 1 [https://ABC.identitynow.com/v2024/accounts/{{$.getAccounts.accounts[?(@.sourceName=='Active Directory')].id}}/entitlements] → [limit to 99]
Get Entitlements 2 [https://ABC.identitynow.com/v2024/accounts/{{$.getAccounts.accounts[?(@.sourceName=='Active Directory')].id}}/entitlements] → [limit to 99, offset 100]
→ then two Loops with input from each of the two Get Entitlement HTTP request nodes above.

Thanks for your suggestion, really insightful and appreciated.

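The filter-then-batch order and the paging windows discussed in this thread, modelled in plain Python as an added example (not code from any poster or from SailPoint): it shows that slicing the unfiltered access array before filtering does not yield 99 entitlements, and it checks a set of limit/offset pages for records that no page returns. A zero-based offset is assumed, and the sample data and all function names are constructed for illustration.

```python
# Added example: plain-Python model, not SailPoint workflow or API code.

def entitlement_ids(access, source_id):
    """Filter first: ids of ENTITLEMENT items that belong to one source."""
    return [a["id"] for a in access
            if a.get("type") == "ENTITLEMENT"
            and a.get("source", {}).get("id") == source_id]

def batches(ids, size=99):
    """Then slice: consecutive batches of at most `size` ids, none skipped."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]

def page_windows(total, limit=99):
    """Contiguous (offset, limit) pairs covering records 0..total-1."""
    return [(off, limit) for off in range(0, total, limit)]

def uncovered(total, windows):
    """Record indices that no (offset, limit) window returns.
    Assumption: offset is zero-based."""
    seen = set()
    for off, lim in windows:
        seen.update(range(off, min(off + lim, total)))
    return sorted(set(range(total)) - seen)

def build_sample_access():
    """Constructed data: 240 items on source 12345 (every third one a ROLE)
    followed by 10 entitlements on a different source."""
    items = []
    for i in range(250):
        items.append({
            "id": f"id-{i:03d}",
            "type": "ROLE" if i < 240 and i % 3 == 0 else "ENTITLEMENT",
            "source": {"id": "12345" if i < 240 else "99999"},
        })
    return items

if __name__ == "__main__":
    access = build_sample_access()
    ids = entitlement_ids(access, "12345")
    print("matching entitlements:", len(ids))
    print("batch sizes:", [len(b) for b in batches(ids)])
    # Slicing the unfiltered array counts roles and other sources too,
    # and a slice starting at 1 drops index 0.
    print("slice [1:99] then filter:", len(entitlement_ids(access[1:99], "12345")))
    # Indices missed by two pages of limit 99 at offsets 0 and 100.
    print("missed:", uncovered(len(ids), [(0, 99), (100, 99)]))
    print("missed with contiguous pages:", uncovered(len(ids), page_windows(len(ids))))
```

Any index reported as missed is an entitlement that would stay assigned after the termination workflow completes.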

No problem, glad it helped.