I created a workflow that revokes the following two items of the leaver, i.e. when their account status becomes inactive:
All requestable roles
All access profiles except those from a specific source
Below are the steps.
Trigger - Identity Attributes Changed (inactive)
HTTP Request - make API call to IDN to get the triggered identity access (access profiles, roles and entitlements)
Loop Operator - remove all access profiles except those from a specific source and all requestable roles
Inside the loop, HTTP request to remove access profiles and requestable roles based on the loop input.
I tried the following filters in the loop input but none of them works for the desired result (i.e. revokes all access profiles except the ones from a specific source, plus revokes all requestable roles).
$.hTTPRequest.body[0].access[?(@.type == "ACCESS_PROFILE" && @.source.name != "Jira Test") && (@.type == "ROLE")] - It does revoke all access profiles except from the stated specific source, BUT it doesn't attempt to remove requestable roles.
$.hTTPRequest.body[0].access[?(@.type == "ACCESS_PROFILE" && @.source.name != "Jira Test") || (@.type == "ROLE")] - Same as above
$.hTTPRequest.body[0].access[?(@.type == "ACCESS_PROFILE" || @.type == "ROLE" && @.source.name != "Jira Test")] - It revokes all access profiles (but it ignores that specific source), and also it doesn't attempt to revoke requestable roles
$.hTTPRequest.body[0].access[?(@.type == "ACCESS_PROFILE" || @.type == "ROLE") && (@.source.name != "Jira Test")] - It revokes all access profiles (but it ignores that specific source), and revokes requestable roles
I tried using two loops, i.e. one for revoking all access profiles except those from a specific source, and the second one for revoking requestable roles, but this workflow doesn't seem to be working, i.e. it keeps executing but doesn't show any result / output.
Any help with the above loop input filter would be appreciated.
Modify this to (note an extra parenthesis around everything after ?) and try $.hTTPRequest.body[0].access[?((@.type == "ACCESS_PROFILE" && @.source.name != "Jira Test") || (@.type == "ROLE"))]
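As an added illustration (not from the thread, and not the workflow engine's own evaluator), here is the accepted filter's predicate written in plain Python and run over a constructed access list, beside the ungrouped variant from earlier in the thread; under the usual operator precedence `&&` binds tighter than `||`, so without the outer parentheses the source check guards only one branch. The shape of the access array (type, name, source.name) and the sample items are assumptions.

```python
# Added example, not from the thread: plain-Python rendering of the JSONPath
# predicates discussed above, run over a constructed access list.
# The access array shape (type / name / source.name) is assumed.
PROTECTED_SOURCE = "Jira Test"

# Constructed sample of what the identity's "access" array might contain.
SAMPLE_ACCESS = [
    {"type": "ACCESS_PROFILE", "name": "AD Basic", "source": {"name": "Active Directory"}},
    {"type": "ACCESS_PROFILE", "name": "Jira Users", "source": {"name": "Jira Test"}},
    {"type": "ROLE", "name": "Contractor"},  # roles are given no source in this sample
    {"type": "ENTITLEMENT", "name": "Domain Users", "source": {"name": "Active Directory"}},
]


def source_name(item):
    """Equivalent of @.source.name; None when the item has no source object."""
    return (item.get("source") or {}).get("name")


def intended(item):
    # [?((@.type == "ACCESS_PROFILE" && @.source.name != "Jira Test") || (@.type == "ROLE"))]
    return (item["type"] == "ACCESS_PROFILE" and source_name(item) != PROTECTED_SOURCE) \
        or item["type"] == "ROLE"


def precedence_trap(item):
    # [?(@.type == "ACCESS_PROFILE" || @.type == "ROLE" && @.source.name != "Jira Test")]
    # '&&' binds tighter than '||', so the source check only guards the ROLE branch
    # and the protected source's access profile is still selected.
    return item["type"] == "ACCESS_PROFILE" \
        or (item["type"] == "ROLE" and source_name(item) != PROTECTED_SOURCE)


def to_revoke(access, predicate):
    """Names of the items a loop with this filter would hand to the revoke request."""
    return [item["name"] for item in access if predicate(item)]


if __name__ == "__main__":
    print("intended       :", to_revoke(SAMPLE_ACCESS, intended))
    print("precedence trap:", to_revoke(SAMPLE_ACCESS, precedence_trap))
```

Running the corrected predicate over this sample keeps only the non-protected access profile and the role, while the ungrouped variant also sweeps up the protected source's access profile.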
Thanks very much for the prompt responses. Really appreciated!
Yes, by adding extra parentheses in the filter, it gave me the desired result.
@baoussounda I can use your suggested method but the "Manage Access" action would throw an error message if it finds a dynamic role (i.e. a dynamic role can't be revoked via workflow) and unfortunately, we don't have any naming convention in place for both dynamic and requestable roles to distinguish them.
Good for your filter work.
I see what you want to say.
We implemented the same things using manage operators and adding in our dynamic roles criteria a lifecycle state condition.
For example, on a lifecycle state change to inactive, all dynamic roles are revoked and the revoke access workflow starts. In this workflow we wait 3 to 5 min and then start access revoking. During this wait all dynamic roles are revoked. But this waiting is a supposition.
Sorry, I was excited a bit earlier after looking at output of each workflow action.
Although it shows the correct output when the workflow runs, i.e. it returns the desired results as expected, it's not actually attempting to perform the desired actions, i.e. it doesn't attempt to revoke roles and access profiles, after checking the user account activity and my requests in the request centre.
Please see the attached screenshot and the Workflow JSON.
Not sure why it doesn't attempt to perform the desired actions although the workflow runs successfully and shows the desired output of each action.
The workflow works fine as expected. It was an issue with the test users already having pending requests. I had to run it against some other test users and all seems to be working fine as expected.