Workflow Manage Access - "task failed: activity error (type: sp:access:manage, scheduledEventID: 34, startedEventID: 35, identity: 1@sp-workflow-worker-internal-596fc65d79-hdqkt@sp-workflow-engine): request failed (type: Bad Request, retryable: false): 40

I am trying to assign an entitlement through a workflow and I keep getting this error: request failed: 400 - 400 Bad Request: (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request.

I have the following steps in my workflow:
Get access by search query: here I specified the id of the entitlement by search query.
The next step is Manage Access - Add access. In the Access to Manage, I added this: $.getAccess.accessItems from previous step Get Access.

I tested the workflow and in the output of Get Access I retrieve the correct data (only one entitlement).

But on the next step, Manage Access - Add access, it is failing with this error: request failed: 400 - 400 Bad Request: (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request

I have ensured the Access items are marked as Requestable. Still getting the error. How to fix this?

Manage Access configuration is as follows:

Hello @ChandrakalaS ,

Did you activate the Entitlement Management inside System Settings?

If yes, could you send me your workflow, please?

Hi @ChandrakalaS ,

Can you please try the below approach, since Get Access is returning one entitlement, right?

Refer to this document for details on the Manage Access Action:

Access to Manage: [{"id":"{{$.getAccess.accessItems[0].id}}","name":"{{$.getAccess.accessItems[0].name}}","type":"{{$.getAccess.accessItems[0].type}}"}]

I hope this helps.

Thanks!

Yes, I have enabled Enable Entitlement Requests and set it to No Approval required.

This is the Workflow

{
	"name": "A Mover Workflow with Addition of Access and Recertification of Access",
	"description": "This workflow is triggered when an identity changes departments. The workflow retrieves the access associated with their new role and grants that access to the identity. It also starts a certification campaign to ensure that the access no longer relevant to them is removed.",
	"modified": "2025-08-13T11:59:32.621257063Z",
	"modifiedBy": {
		"type": "IDENTITY",
		"id": "c30ba824e347470786996258288b87c6",
		"name": "chandrakalaStimul9"
	},
	"definition": {
		"start": "Wait",
		"steps": {
			"Compare Strings": {
				"actionId": "sp:compare-strings",
				"choiceList": [
					{
						"comparator": "StringEquals",
						"nextStep": "Get Identity",
						"variableA.$": "$.trigger.changes[?(@.attribute=='department')].newValue",
						"variableB": "Engineering"
					}
				],
				"defaultStep": "success",
				"description": "Determines whether the identity's department attribute was updated to Sales. If so, the workflow proceeds. Otherwise, the workflow ends.\n\nNOTE: This template makes an assumption in later actions/nodes about the identity's former department. You could use an additional operator with branching steps for different departments for more flexibility.",
				"type": "choice"
			},
			"Create Certification Campaign": {
				"actionId": "sp:create-campaign",
				"attributes": {
					"description": "Department Change",
					"duration": "1w",
					"emailNotificationEnabled": true,
					"identityId.$": "$.trigger.identity.id",
					"name.$": "$.trigger.identity.name",
					"reviewerId.$": "$.getIdentity.managerRef.id"
				},
				"description": "Creates a certification campaign so that the identity's new manager can review their access, to ensure they have the access they need and don't have access they don't need.",
				"nextStep": "success",
				"type": "action",
				"versionNumber": 1
			},
			"Get Access": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": false,
					"entitlements": true,
					"getAccessBy": "searchQuery",
					"query": "name.exact:(\"All Employees\" OR \"Engineering\")",
					"roles": true
				},
				"description": "Gets all Groups with specified name in their name.\n\nIn this example, the identity needs to retain this access despite their department move. If the access gets removed because they no longer meet the role criteria, it must be put back by this workflow. This step retrieves the access for the Manage Access step to add.",
				"nextStep": "Manage Access",
				"type": "action",
				"versionNumber": 1
			},
			"Get Identity": {
				"actionId": "sp:get-identity",
				"attributes": {
					"id.$": "$.trigger.identity.id"
				},
				"description": "Retrieves available details about the identity.",
				"nextStep": "Get Access",
				"type": "action",
				"versionNumber": 2
			},
			"Get Identity 1": {
				"actionId": "sp:get-identity",
				"attributes": {
					"id.$": "$.getIdentity.managerRef.id"
				},
				"description": "This node is used to gather information about the user's manager to populate their email in \"Recipient\"",
				"nextStep": "Send Email",
				"type": "action",
				"versionNumber": 2
			},
			"Manage Access": {
				"actionId": "sp:access:manage",
				"attributes": {
					"addIdentities.$": "$.trigger.identity.id",
					"comments": "Automatically requested as transitory access by workflows",
					"removeDuration": "1w",
					"requestType": "GRANT_ACCESS",
					"requestedItems.$": "$.getAccess.accessItems"
				},
				"description": "Adds the access from the Get Access step to the identity.",
				"nextStep": "Get Identity 1",
				"type": "action",
				"versionNumber": 1
			},
			"Send Email": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "<p>Attention, </p>\n<p>User <strong>${name} </strong>has recently changed department.</p>\n<p><br>Thank you,<br>Your Access Team</p>",
					"context": {
						"name.$": "$.getIdentity.attributes.displayName"
					},
					"recipientEmailList.$": "$.getIdentity1.attributes.email",
					"recipientId.$": "$.getIdentity.managerRef.id",
					"subject": "Department Change"
				},
				"description": "Sends an email to the identity's manager. Configure details about this email below.",
				"nextStep": "Create Certification Campaign",
				"type": "action",
				"versionNumber": 2
			},
			"Wait": {
				"actionId": "sp:sleep",
				"attributes": {
					"duration": "1m",
					"type": "waitFor"
				},
				"description": "Pauses to wait for all other provisioning activities to complete, such as automated role or access profile removals.",
				"nextStep": "Compare Strings",
				"type": "action",
				"versionNumber": 1
			},
			"success": {
				"actionId": "sp:operator-success",
				"description": "Ends the workflow and marks it as a success.",
				"type": "success"
			}
		}
	},
	"creator": {
		"type": "IDENTITY",
		"id": "c30ba824e347470786996258288b87c6",
		"name": "chandrakalaStimul9"
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"filter.$": "$.changes[?(@.attribute == \"department\")]",
			"id": "idn:identity-attributes-changed"
		}
	}
}

Hi Dinesh,

The JSON you provided worked. But it is assigning only one Entitlement, whereas the previous step is getting totally 7 Entitlements. I want all 7 to be assigned to the user in different applications. I have multiple assets having Entitlements with the same name.

Sending the Workflow execution for your reference. How to fix this issue?

[
  {
    "type": "WorkflowExecutionStarted",
    "timestamp": "2025-08-14T04:28:50.61620152Z",
    "attributes": {
      "input": {
        "_meta": {
          "invocationId": "80a1c5d1-9b9b-4437-a024-dca479749cd9",
          "subscriptionId": "e389ae6b-9c96-4433-938d-39f00c98da67",
          "triggerType": "FIRE_AND_FORGET"
        },
        "changes": [
          {
            "attribute": "department",
            "newValue": "Engineering",
            "oldValue": "HR"
          }
        ],
        "identity": {
          "id": "8fd15f03f8a84ed9886881e3b3ce1394",
          "name": "Allison Harris",
          "type": "IDENTITY"
        }
      }
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:28:50.713740572Z",
    "attributes": {
      "displayName": "Wait",
      "input": {
        "date": null,
        "duration": "1m",
        "time": null,
        "type": "waitFor"
      },
      "stepName": "wait",
      "task": "sp:sleep",
      "technicalName": "Wait"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:28:50.713800256Z",
    "attributes": {
      "attempts": 1,
      "displayName": "Wait",
      "stepName": "wait",
      "task": "sp:sleep",
      "technicalName": "Wait"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:28:50.72703327Z",
    "attributes": {
      "displayName": "Wait",
      "result": {
        "duration": "1m0s"
      },
      "stepName": "wait",
      "task": "sp:sleep",
      "technicalName": "Wait"
    }
  },
  {
    "type": "TimerStarted",
    "timestamp": "2025-08-14T04:28:50.752992175Z",
    "attributes": {}
  },
  {
    "type": "TimerFired",
    "timestamp": "2025-08-14T04:29:50.754734547Z",
    "attributes": {}
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:29:50.781917423Z",
    "attributes": {
      "displayName": "Compare Strings",
      "input": {
        "compareStrings": {
          "ChoiceList": [
            {
              "Comparator": "StringEquals",
              "NextStep": "Get Identity",
              "VariableA.$": "$.trigger.changes[?(@.attribute=='department')].newValue",
              "VariableB": "Engineering"
            }
          ],
          "DefaultStep": "success",
          "Description": "Determines whether the identity's department attribute was updated to Sales. If so, the workflow proceeds. Otherwise, the workflow ends.\n\nNOTE: This template makes an assumption in later actions/nodes about the identity's former department. You could use an additional operator with branching steps for different departments for more flexibility.",
          "Name": "Compare Strings",
          "SelectInput": "$",
          "SelectOutput": "$",
          "SelectResult": "$",
          "Type": "choice"
        },
        "trigger": {
          "_meta": {
            "invocationId": "80a1c5d1-9b9b-4437-a024-dca479749cd9",
            "subscriptionId": "e389ae6b-9c96-4433-938d-39f00c98da67",
            "triggerType": "FIRE_AND_FORGET"
          },
          "changes": [
            {
              "attribute": "department",
              "newValue": "Engineering",
              "oldValue": "HR"
            }
          ],
          "identity": {
            "id": "8fd15f03f8a84ed9886881e3b3ce1394",
            "name": "Allison Harris",
            "type": "IDENTITY"
          }
        },
        "wait": {
          "duration": "1m0s"
        }
      },
      "stepName": "compareStrings",
      "task": "sp:internal:operator",
      "technicalName": "Compare Strings"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:29:50.781960369Z",
    "attributes": {
      "attempts": 1,
      "displayName": "Compare Strings",
      "stepName": "compareStrings",
      "task": "sp:internal:operator",
      "technicalName": "Compare Strings"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:29:50.796241283Z",
    "attributes": {
      "displayName": "Compare Strings",
      "result": {
        "next": "Get Identity",
        "output": true
      },
      "stepName": "compareStrings",
      "task": "sp:internal:operator",
      "technicalName": "Compare Strings"
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:29:50.817882293Z",
    "attributes": {
      "displayName": "Get Identity",
      "input": {
        "id": "8fd15f03f8a84ed9886881e3b3ce1394",
        "method": "GET",
        "path": "v3/identities/8fd15f03f8a84ed9886881e3b3ce1394",
        "service": "mice"
      },
      "stepName": "getIdentity",
      "task": "sp:get-identity",
      "technicalName": "Get Identity"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:29:50.817922588Z",
    "attributes": {
      "attempts": 1,
      "displayName": "Get Identity",
      "stepName": "getIdentity",
      "task": "sp:get-identity",
      "technicalName": "Get Identity"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:29:51.320405727Z",
    "attributes": {
      "displayName": "Get Identity",
      "result": {
        "alias": "Allison Harris",
        "attributes": {
          "cloudAuthoritativeSource": "0f02a24fd1cd4276bc7f614ef0df9f46",
          "cloudLifecycleState": "active",
          "cloudStatus": "UNREGISTERED",
          "department": "Engineering",
          "displayName": "Allison Harris",
          "email": "allison.harris@askiam.ai",
          "employmentType": "Employee",
          "firstname": "Allison",
          "identificationNumber": "Emp1019",
          "identityState": "ACTIVE",
          "internalCloudStatus": "UNREGISTERED",
          "jobTitle": "Recruiter",
          "lastSyncDate": "445ebe840d08f38106435d826ac16c7de3e1a5f99be2e7ac0b823ae3fe7f2c7c",
          "lastname": "Harris",
          "location": "Chicago",
          "managerEmail": "barbara.thomas@askiam.ai",
          "startDate": "12/23/2020 0:0:0 AM UTC",
          "status": "active",
          "uid": "Allison Harris",
          "visibleSegments": [
            "62c905b2-5462-4959-9f63-397ad9413b50"
          ]
        },
        "created": "2025-05-24T05:42:35.352Z",
        "emailAddress": "allison.harris@askiam.ai",
        "id": "8fd15f03f8a84ed9886881e3b3ce1394",
        "identityStatus": "UNREGISTERED",
        "isManager": true,
        "lastRefresh": "2025-08-14T04:29:25.811Z",
        "lifecycleState": {
          "manuallyUpdated": false,
          "stateName": "active"
        },
        "managerRef": {
          "id": "d0b1af2c6b5847fd9ae31db041bf8727",
          "name": "Barbara Thomas",
          "type": "IDENTITY"
        },
        "modified": "2025-08-14T04:29:28.233Z",
        "name": "Allison Harris",
        "processingState": null
      },
      "stepName": "getIdentity",
      "task": "sp:get-identity",
      "technicalName": "Get Identity"
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:29:51.343520392Z",
    "attributes": {
      "displayName": "Get Access",
      "input": {
        "accessprofiles": false,
        "entitlements": true,
        "getAccessBy": "searchQuery",
        "identityToReturn": null,
        "query": "name.exact:(\"All Employees\" OR \"Engineering\")",
        "roles": true
      },
      "stepName": "getAccess",
      "task": "sp:access:get",
      "technicalName": "Get Access"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:29:51.343575226Z",
    "attributes": {
      "attempts": 1,
      "displayName": "Get Access",
      "stepName": "getAccess",
      "task": "sp:access:get",
      "technicalName": "Get Access"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:29:51.512630243Z",
    "attributes": {
      "displayName": "Get Access",
      "result": [
        {
          "id": "0418e6ea048b336d81833342c179ed11",
          "name": "All Employees",
          "type": "ENTITLEMENT"
        },
        {
          "id": "3012f6674abb3d3bac27060c612f8870",
          "name": "Engineering",
          "type": "ENTITLEMENT"
        },
        {
          "id": "79fd030eda223a7cb7d1d6ac526cdb27",
          "name": "All Employees",
          "type": "ENTITLEMENT"
        },
        {
          "id": "7a9b25fa7db5310ebd008fb7a727624b",
          "name": "Engineering",
          "type": "ENTITLEMENT"
        },
        {
          "id": "a2ae0638956e32b9a697344cc262b968",
          "name": "Engineering",
          "type": "ENTITLEMENT"
        },
        {
          "id": "acc73b42d48233ba9dcc54c9796b1abc",
          "name": "Engineering",
          "type": "ENTITLEMENT"
        },
        {
          "id": "d0122ef565ac30efae6fde5a87332b90",
          "name": "All Employees",
          "type": "ENTITLEMENT"
        },
        {
          "id": "de396e82fb8635b0823b7fadd0b4b1a3",
          "name": "All Employees",
          "type": "ENTITLEMENT"
        },
        {
          "id": "ec35bd9cad343050945b784b0e2373d2",
          "name": "Engineering",
          "type": "ENTITLEMENT"
        },
        {
          "id": "f5aabf8875ff3be9958542d77d014dc2",
          "name": "All Employees",
          "type": "ENTITLEMENT"
        }
      ],
      "stepName": "getAccess",
      "task": "sp:access:get",
      "technicalName": "Get Access"
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:29:51.536423184Z",
    "attributes": {
      "displayName": "Manage Access",
      "input": {
        "addIdentities": "8fd15f03f8a84ed9886881e3b3ce1394",
        "comments": "Automatically requested as transitory access by workflows",
        "removeDuration": "1w",
        "removeIdentity": null,
        "requestType": "GRANT_ACCESS",
        "requestedItems": {
          "id": "0418e6ea048b336d81833342c179ed11",
          "name": "All Employees",
          "type": "ENTITLEMENT"
        },
        "suppliedInlineExpression": {
          "requestedItems": "[{\"id\":\"{{$.getAccess.accessItems[0].id}}\",\"name\":\"{{$.getAccess.accessItems[0].name}}\",\"type\":\"{{$.getAccess.accessItems[0].type}}\"}]"
        }
      },
      "stepName": "manageAccess",
      "task": "sp:access:manage",
      "technicalName": "Manage Access"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:29:51.536460132Z",
    "attributes": {
      "attempts": 1,
      "displayName": "Manage Access",
      "stepName": "manageAccess",
      "task": "sp:access:manage",
      "technicalName": "Manage Access"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:29:52.019415751Z",
    "attributes": {
      "displayName": "Manage Access",
      "result": {
        "failedAccessRequests": [],
        "successfulAccessRequests": [
          {
            "id": "0418e6ea048b336d81833342c179ed11",
            "name": "All Employees",
            "type": "ENTITLEMENT"
          }
        ]
      },
      "stepName": "manageAccess",
      "task": "sp:access:manage",
      "technicalName": "Manage Access"
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:29:52.042476352Z",
    "attributes": {
      "displayName": "Get Identity 1",
      "input": {
        "id": "d0b1af2c6b5847fd9ae31db041bf8727",
        "method": "GET",
        "path": "v3/identities/d0b1af2c6b5847fd9ae31db041bf8727",
        "service": "mice"
      },
      "stepName": "getIdentity1",
      "task": "sp:get-identity",
      "technicalName": "Get Identity 1"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:29:52.042516533Z",
    "attributes": {
      "attempts": 1,
      "displayName": "Get Identity 1",
      "stepName": "getIdentity1",
      "task": "sp:get-identity",
      "technicalName": "Get Identity 1"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:29:52.087690324Z",
    "attributes": {
      "displayName": "Get Identity 1",
      "result": {
        "alias": "Barbara Thomas",
        "attributes": {
          "cloudAuthoritativeSource": "0f02a24fd1cd4276bc7f614ef0df9f46",
          "cloudLifecycleState": "active",
          "cloudStatus": "UNREGISTERED",
          "department": "Finance",
          "displayName": "Barbara Thomas",
          "email": "barbara.thomas@askiam.ai",
          "employmentType": "Employee",
          "firstname": "Barbara",
          "identificationNumber": "Emp1006",
          "identityState": "ACTIVE",
          "internalCloudStatus": "UNREGISTERED",
          "jobTitle": "Analyst",
          "lastSyncDate": "aee1b843e9c73030905af50dc1229762d9b2f59e8aa6ded1daf5aecdfb44d9eb",
          "lastname": "Thomas",
          "location": "Leeds",
          "startDate": "5/31/2022 0:0:0 AM UTC",
          "status": "active",
          "uid": "Barbara Thomas",
          "visibleSegments": [
            "62c905b2-5462-4959-9f63-397ad9413b50"
          ]
        },
        "created": "2025-05-24T05:42:34.640Z",
        "emailAddress": "barbara.thomas@askiam.ai",
        "id": "d0b1af2c6b5847fd9ae31db041bf8727",
        "identityStatus": "UNREGISTERED",
        "isManager": true,
        "lastRefresh": "2025-08-14T00:05:54.587Z",
        "lifecycleState": {
          "manuallyUpdated": false,
          "stateName": "active"
        },
        "managerRef": null,
        "modified": "2025-08-14T01:18:10.122Z",
        "name": "Barbara Thomas",
        "processingState": null
      },
      "stepName": "getIdentity1",
      "task": "sp:get-identity",
      "technicalName": "Get Identity 1"
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:29:52.11102898Z",
    "attributes": {
      "displayName": "Send Email",
      "input": {
        "body": {
          "context": {
            "name": "Allison Harris"
          },
          "emailTemplate": {
            "body": "<p>Attention, </p>\n<p>User <strong>${name} </strong>has recently changed department.</p>\n<p><br>Thank you,<br>Your Access Team</p>",
            "from": "",
            "replyTo": "",
            "subject": "Department Change"
          },
          "medium": "EMAIL",
          "recipientEmailList": "barbara.thomas@askiam.ai"
        },
        "context": {
          "name": "Allison Harris"
        },
        "method": "POST",
        "path": "notification/send-notification",
        "recipientEmailList": "barbara.thomas@askiam.ai",
        "recipientId": "d0b1af2c6b5847fd9ae31db041bf8727",
        "service": "hermes",
        "subject": "Department Change",
        "useInternalClient": true
      },
      "stepName": "sendEmail",
      "task": "sp:send-email",
      "technicalName": "Send Email"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:29:52.111068849Z",
    "attributes": {
      "attempts": 1,
      "displayName": "Send Email",
      "stepName": "sendEmail",
      "task": "sp:send-email",
      "technicalName": "Send Email"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:29:52.511369699Z",
    "attributes": {
      "displayName": "Send Email",
      "result": {},
      "stepName": "sendEmail",
      "task": "sp:send-email",
      "technicalName": "Send Email"
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:29:52.534150851Z",
    "attributes": {
      "displayName": "Create Certification Campaign",
      "input": {
        "body": {
          "campaignSizeType": "FULL",
          "description": "Department Change",
          "duration": "1w",
          "emailNotificationEnabled": true,
          "name": "Allison Harris",
          "searchCampaignInfo": {
            "query": "id: 8fd15f03f8a84ed9886881e3b3ce1394",
            "reviewer": {
              "id": "d0b1af2c6b5847fd9ae31db041bf8727"
            },
            "type": "IDENTITY"
          },
          "type": "SEARCH"
        },
        "description": "Department Change",
        "duration": "1w",
        "emailNotificationEnabled": true,
        "identityId": "8fd15f03f8a84ed9886881e3b3ce1394",
        "name": "Allison Harris",
        "reviewerId": "d0b1af2c6b5847fd9ae31db041bf8727"
      },
      "stepName": "createCertificationCampaign",
      "task": "sp:create-campaign",
      "technicalName": "Create Certification Campaign"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:29:58.621808406Z",
    "attributes": {
      "attempts": 3,
      "displayName": "Create Certification Campaign",
      "lastKnownError": "requested cert campaign is still pending",
      "stepName": "createCertificationCampaign",
      "task": "sp:create-campaign",
      "technicalName": "Create Certification Campaign"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:29:58.821209339Z",
    "attributes": {
      "displayName": "Create Certification Campaign",
      "result": {
        "autoRevokeAllowed": false,
        "campaignFilter": {
          "id": "",
          "type": ""
        },
        "deadline": "2025-08-21T04:29:52Z",
        "description": "Department Change",
        "emailNotificationEnabled": true,
        "id": "c66268dceaa24da193a78fe8caebd40e",
        "name": "Allison Harris",
        "recommendationsEnabled": false,
        "status": "STAGED",
        "type": ""
      },
      "stepName": "createCertificationCampaign",
      "task": "sp:create-campaign",
      "technicalName": "Create Certification Campaign"
    }
  },
  {
    "type": "ActivityTaskScheduled",
    "timestamp": "2025-08-14T04:29:58.84435991Z",
    "attributes": {
      "displayName": "success",
      "input": {},
      "stepName": "success",
      "task": "sp:internal:operator",
      "technicalName": "success"
    }
  },
  {
    "type": "ActivityTaskStarted",
    "timestamp": "2025-08-14T04:29:58.844511901Z",
    "attributes": {
      "attempts": 1,
      "displayName": "success",
      "stepName": "success",
      "task": "sp:internal:operator",
      "technicalName": "success"
    }
  },
  {
    "type": "ActivityTaskCompleted",
    "timestamp": "2025-08-14T04:29:58.85704282Z",
    "attributes": {
      "displayName": "success",
      "result": {},
      "stepName": "success",
      "task": "sp:internal:operator",
      "technicalName": "success"
    }
  },
  {
    "type": "WorkflowExecutionCompleted",
    "timestamp": "2025-08-14T04:29:58.880450325Z",
    "attributes": {
      "result": {
        "4328fadec134429198c6938e52260756": "0198a6d6-7a38-730f-848f-0a5f0c43f3dd",
        "compareStrings": {
          "ChoiceList": [
            {
              "Comparator": "StringEquals",
              "NextStep": "Get Identity",
              "VariableA.$": "$.trigger.changes[?(@.attribute=='department')].newValue",
              "VariableB": "Engineering"
            }
          ],
          "DefaultStep": "success",
          "Description": "Determines whether the identity's department attribute was updated to Sales. If so, the workflow proceeds. Otherwise, the workflow ends.\n\nNOTE: This template makes an assumption in later actions/nodes about the identity's former department. You could use an additional operator with branching steps for different departments for more flexibility.",
          "Name": "Compare Strings",
          "SelectInput": "$",
          "SelectOutput": "$",
          "SelectResult": "$",
          "Type": "choice"
        },
        "createCertificationCampaign": {
          "autoRevokeAllowed": false,
          "campaignFilter": {
            "id": "",
            "type": ""
          },
          "deadline": "2025-08-21T04:29:52Z",
          "description": "Department Change",
          "emailNotificationEnabled": true,
          "id": "c66268dceaa24da193a78fe8caebd40e",
          "name": "Allison Harris",
          "recommendationsEnabled": false,
          "status": "STAGED",
          "type": ""
        },
        "getAccess": {
          "accessItems": [
            {
              "id": "0418e6ea048b336d81833342c179ed11",
              "name": "All Employees",
              "type": "ENTITLEMENT"
            },
            {
              "id": "3012f6674abb3d3bac27060c612f8870",
              "name": "Engineering",
              "type": "ENTITLEMENT"
            },
            {
              "id": "79fd030eda223a7cb7d1d6ac526cdb27",
              "name": "All Employees",
              "type": "ENTITLEMENT"
            },
            {
              "id": "7a9b25fa7db5310ebd008fb7a727624b",
              "name": "Engineering",
              "type": "ENTITLEMENT"
            },
            {
              "id": "a2ae0638956e32b9a697344cc262b968",
              "name": "Engineering",
              "type": "ENTITLEMENT"
            },
            {
              "id": "acc73b42d48233ba9dcc54c9796b1abc",
              "name": "Engineering",
              "type": "ENTITLEMENT"
            },
            {
              "id": "d0122ef565ac30efae6fde5a87332b90",
              "name": "All Employees",
              "type": "ENTITLEMENT"
            },
            {
              "id": "de396e82fb8635b0823b7fadd0b4b1a3",
              "name": "All Employees",
              "type": "ENTITLEMENT"
            },
            {
              "id": "ec35bd9cad343050945b784b0e2373d2",
              "name": "Engineering",
              "type": "ENTITLEMENT"
            },
            {
              "id": "f5aabf8875ff3be9958542d77d014dc2",
              "name": "All Employees",
              "type": "ENTITLEMENT"
            }
          ]
        },
        "getIdentity": {
          "alias": "Allison Harris",
          "attributes": {
            "cloudAuthoritativeSource": "0f02a24fd1cd4276bc7f614ef0df9f46",
            "cloudLifecycleState": "active",
            "cloudStatus": "UNREGISTERED",
            "department": "Engineering",
            "displayName": "Allison Harris",
            "email": "allison.harris@askiam.ai",
            "employmentType": "Employee",
            "firstname": "Allison",
            "identificationNumber": "Emp1019",
            "identityState": "ACTIVE",
            "internalCloudStatus": "UNREGISTERED",
            "jobTitle": "Recruiter",
            "lastSyncDate": "445ebe840d08f38106435d826ac16c7de3e1a5f99be2e7ac0b823ae3fe7f2c7c",
            "lastname": "Harris",
            "location": "Chicago",
            "managerEmail": "barbara.thomas@askiam.ai",
            "startDate": "12/23/2020 0:0:0 AM UTC",
            "status": "active",
            "uid": "Allison Harris",
            "visibleSegments": [
              "62c905b2-5462-4959-9f63-397ad9413b50"
            ]
          },
          "created": "2025-05-24T05:42:35.352Z",
          "emailAddress": "allison.harris@askiam.ai",
          "id": "8fd15f03f8a84ed9886881e3b3ce1394",
          "identityStatus": "UNREGISTERED",
          "isManager": true,
          "lastRefresh": "2025-08-14T04:29:25.811Z",
          "lifecycleState": {
            "manuallyUpdated": false,
            "stateName": "active"
          },
          "managerRef": {
            "id": "d0b1af2c6b5847fd9ae31db041bf8727",
            "name": "Barbara Thomas",
            "type": "IDENTITY"
          },
          "modified": "2025-08-14T04:29:28.233Z",
          "name": "Allison Harris",
          "processingState": null
        },
        "getIdentity1": {
          "alias": "Barbara Thomas",
          "attributes": {
            "cloudAuthoritativeSource": "0f02a24fd1cd4276bc7f614ef0df9f46",
            "cloudLifecycleState": "active",
            "cloudStatus": "UNREGISTERED",
            "department": "Finance",
            "displayName": "Barbara Thomas",
            "email": "barbara.thomas@askiam.ai",
            "employmentType": "Employee",
            "firstname": "Barbara",
            "identificationNumber": "Emp1006",
            "identityState": "ACTIVE",
            "internalCloudStatus": "UNREGISTERED",
            "jobTitle": "Analyst",
            "lastSyncDate": "aee1b843e9c73030905af50dc1229762d9b2f59e8aa6ded1daf5aecdfb44d9eb",
            "lastname": "Thomas",
            "location": "Leeds",
            "startDate": "5/31/2022 0:0:0 AM UTC",
            "status": "active",
            "uid": "Barbara Thomas",
            "visibleSegments": [
              "62c905b2-5462-4959-9f63-397ad9413b50"
            ]
          },
          "created": "2025-05-24T05:42:34.640Z",
          "emailAddress": "barbara.thomas@askiam.ai",
          "id": "d0b1af2c6b5847fd9ae31db041bf8727",
          "identityStatus": "UNREGISTERED",
          "isManager": true,
          "lastRefresh": "2025-08-14T00:05:54.587Z",
          "lifecycleState": {
            "manuallyUpdated": false,
            "stateName": "active"
          },
          "managerRef": null,
          "modified": "2025-08-14T01:18:10.122Z",
          "name": "Barbara Thomas",
          "processingState": null
        },
        "manageAccess": {
          "failedAccessRequests": [],
          "successfulAccessRequests": [
            {
              "id": "0418e6ea048b336d81833342c179ed11",
              "name": "All Employees",
              "type": "ENTITLEMENT"
            }
          ]
        },
        "sendEmail": {},
        "trigger": {
          "_meta": {
            "invocationId": "80a1c5d1-9b9b-4437-a024-dca479749cd9",
            "subscriptionId": "e389ae6b-9c96-4433-938d-39f00c98da67",
            "triggerType": "FIRE_AND_FORGET"
          },
          "changes": [
            {
              "attribute": "department",
              "newValue": "Engineering",
              "oldValue": "HR"
            }
          ],
          "identity": {
            "id": "8fd15f03f8a84ed9886881e3b3ce1394",
            "name": "Allison Harris",
            "type": "IDENTITY"
          }
        },
        "wait": {
          "duration": "1m0s"
        }
      }
    }
  }
]

Hi @ChandrakalaS ,

In your original post, you had mentioned that there’s only one entitlement as the response to Get Access step, hence I have posted my response based on that.

But if the Get Access step has a list of entitlements, then you need to make use of Loop Operator as shown below,

Access to Manage: [{"id":"{{$.loop.loopInput.id}}","name":"{{$.loop.loopInput.name}}","type":"{{$.loop.loopInput.type}}"}]

I have tested and the user is assigned with all list of identities successfully. If you want to filter out certain entitlements, you can insert a Compare Strings operation within the loop and compare using the entitlement name, i.e., Value1 = $.loop.loopInput.name and Value2 = "Entitlement Name".

Please refer to the documentation below on Loop and Compare Strings,

Request you to give it a try and let me know if this works.

Thanks!

Hi Dinesh,

Thank you for the quick reply. I will update workflow and test it.

The use case I am planning to implement is when department changes, then grant new access matching the criteria mentioned in get access step and remove some existing access

I am observing that new access is getting assigned, but existing access granted when the user was in a different department is not getting removed.

Example: John Doe moved from IT to Engineering. When he was in IT - All Employees, IT manager, IT Management were three entitlements granted. When he moves, I want following Access change - All Employees, Engineering, Software Engineer these 3 entitlement must be granted.

What is the change that I need to make in the workflow? I am sharing the workflow for your reference.

{
	"name": "A Mover Workflow with Addition of Access and Recertification of Access",
	"description": "This workflow is triggered when an identity changes departments. The workflow retrieves the access associated with their new role and grants that access to the identity. It also starts a certification campaign to ensure that the access no longer relevant to them is removed.",
	"modified": "2025-08-14T11:30:01.835562052Z",
	"modifiedBy": {
		"type": "IDENTITY",
		"id": "c30ba824e347470786996258288b87c6",
		"name": "chandrakalaStimul9"
	},
	"definition": {
		"start": "Wait",
		"steps": {
			"Compare Strings": {
				"actionId": "sp:compare-strings",
				"choiceList": [
					{
						"comparator": "StringEquals",
						"nextStep": "Get Identity",
						"variableA.$": "$.trigger.changes[?(@.attribute=='department')].newValue",
						"variableB": "Engineering"
					}
				],
				"defaultStep": "success",
				"description": "Determines whether the identity's department attribute was updated to Sales. If so, the workflow proceeds. Otherwise, the workflow ends.\n\nNOTE: This template makes an assumption in later actions/nodes about the identity's former department. You could use an additional operator with branching steps for different departments for more flexibility.",
				"type": "choice"
			},
			"Create Certification Campaign": {
				"actionId": "sp:create-campaign",
				"attributes": {
					"description": "Department Change",
					"duration": "1w",
					"emailNotificationEnabled": true,
					"identityId.$": "$.trigger.identity.id",
					"name.$": "$.trigger.identity.name",
					"reviewerId.$": "$.getIdentity.managerRef.id"
				},
				"description": "Creates a certification campaign so that the identity's new manager can review their access, to ensure they have the access they need and don't have access they don't need.",
				"nextStep": "success",
				"type": "action",
				"versionNumber": 1
			},
			"Get Access": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": true,
					"entitlements": true,
					"getAccessBy": "searchQuery",
					"query": "name.exact:(\"All Employees\" OR \"Engineering\" OR \"Software Engineer\")",
					"roles": true
				},
				"description": "Gets all Groups with specified name in their name.\n\nIn this example, the identity needs to retain this access despite their department move. If the access gets removed because they no longer meet the role criteria, it must be put back by this workflow. This step retrieves the access for the Manage Access step to add.",
				"nextStep": "Manage Access",
				"type": "action",
				"versionNumber": 1
			},
			"Get Identity": {
				"actionId": "sp:get-identity",
				"attributes": {
					"id.$": "$.trigger.identity.id"
				},
				"description": "Retrieves available details about the identity.",
				"nextStep": "Get Access",
				"type": "action",
				"versionNumber": 2
			},
			"Get Identity 1": {
				"actionId": "sp:get-identity",
				"attributes": {
					"id.$": "$.getIdentity.managerRef.id"
				},
				"description": "This node is used to gather information about the user's manager to populate their email in \"Recipient\"",
				"nextStep": "Send Email",
				"type": "action",
				"versionNumber": 2
			},
			"Manage Access": {
				"actionId": "sp:access:manage",
				"attributes": {
					"addIdentities.$": "$.trigger.identity.id",
					"comments": "Automatically requested as transitory access by workflows",
					"removeDuration": "2w",
					"requestType": "GRANT_ACCESS",
					"requestedItems": [
						{
							"id": "{{$.getAccess.accessItems[0].id}}",
							"name": "{{$.getAccess.accessItems[0].name}}",
							"type": "{{$.getAccess.accessItems[0].type}}"
						}
					]
				},
				"description": "Adds the access from the Get Access step to the identity.",
				"nextStep": "Get Identity 1",
				"type": "action",
				"versionNumber": 1
			},
			"Send Email": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "<p>Attention, </p>\n<p>User <strong>${name} </strong>has recently changed department.</p>\n<p><br>Thank you,<br>Your Access Team</p>",
					"context": {
						"name.$": "$.getIdentity.attributes.displayName"
					},
					"recipientEmailList.$": "$.getIdentity1.attributes.email",
					"recipientId.$": "$.getIdentity.managerRef.id",
					"subject": "Department Change"
				},
				"description": "Sends an email to the identity's manager. Configure details about this email below.",
				"nextStep": "Create Certification Campaign",
				"type": "action",
				"versionNumber": 2
			},
			"Wait": {
				"actionId": "sp:sleep",
				"attributes": {
					"duration": "1m",
					"type": "waitFor"
				},
				"description": "Pauses to wait for all other provisioning activities to complete, such as automated role or access profile removals.",
				"nextStep": "Compare Strings",
				"type": "action",
				"versionNumber": 1
			},
			"success": {
				"actionId": "sp:operator-success",
				"description": "Ends the workflow and marks it as a success.",
				"type": "success"
			}
		}
	},
	"creator": {
		"type": "IDENTITY",
		"id": "c30ba824e347470786996258288b87c6",
		"name": "chandrakalaStimul9"
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"filter.$": "$.changes[?(@.attribute == \"department\")]",
			"id": "idn:identity-attributes-changed"
		}
	}
}
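The grant-and-remove delta for the John Doe example above, as an added sketch that is not part of the original posts and not SailPoint code. It assumes constructed ids, a hypothetical plan structure (the `identity` and `keep` keys), and `REVOKE_ACCESS` as the access-request counterpart of the `GRANT_ACCESS` type used in the workflow.

```python
# Added illustration: compute a mover's access delta (grant / keep / revoke).
# Entitlement names come from the thread; every id below is constructed.

def _key(item):
    # Match on (type, id): Get Access searches roles, access profiles and
    # entitlements together, so a name alone can be ambiguous.
    return (item["type"], item["id"])

def _requested_items(items):
    # Same id/name/type shape the thread uses for "Access to Manage".
    return [{"id": i["id"], "name": i["name"], "type": i["type"]}
            for i in sorted(items, key=lambda i: i["name"])]

def mover_plan(identity_id, current, target):
    cur = {_key(i): i for i in current}
    tgt = {_key(i): i for i in target}
    deltas = (
        ("GRANT_ACCESS", [tgt[k] for k in tgt.keys() - cur.keys()]),
        ("REVOKE_ACCESS", [cur[k] for k in cur.keys() - tgt.keys()]),
    )
    requests = [
        {"identity": identity_id, "requestType": rtype,
         "requestedItems": _requested_items(items)}
        for rtype, items in deltas if items  # never emit an empty request
    ]
    keep = sorted(cur[k]["name"] for k in cur.keys() & tgt.keys())
    return {"keep": keep, "requests": requests}

def _ent(slug, name):
    # Constructed sample entitlement; the id is a placeholder, not a real one.
    return {"id": f"constructed-{slug}", "name": name, "type": "ENTITLEMENT"}

ALL_EMPLOYEES = _ent("all", "All Employees")
CURRENT_ACCESS = [ALL_EMPLOYEES, _ent("itmgr", "IT manager"),
                  _ent("itmgmt", "IT Management")]
TARGET_ACCESS = [ALL_EMPLOYEES, _ent("eng", "Engineering"),
                 _ent("swe", "Software Engineer")]

if __name__ == "__main__":
    import json
    plan = mover_plan("constructed-john-doe", CURRENT_ACCESS, TARGET_ACCESS)
    print(json.dumps(plan, indent=2))
```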

Hi @ChandrakalaS ,

Can you please confirm if the originally posted issue is resolved for you?

Do you want to remove all the existing entitlements from the user before provisioning the new entitlements based on the department? For this I recommend you to create a new post!

Thanks!

Yes, the originally posted issue is resolved. Workflow is creating requests for all entitlements

Can you please mark the response as the solution.

Thanks!

@ChandrakalaS, based on your comments about the entitlement assignment and removal based on the department change, I suggest you try implementing this using Roles.
You can set up criteria in a Role: let's say, if the identity is Active and has department1, then Role 1 should be granted to the identity, and in this Role 1 you can mention the entitlements belonging to that particular department.
Similarly, define Role 2 for department 2 and list the entitlements related to that department.

When roles are changed based on criteria, entitlement addition and removal is taken care of automatically.
Hope this comment helps.

Thank you,
Vaibhav