Workflow Provisioning Completed

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

I have a scenario where i Need to block and unblock a user via request center.
To block the user i created a Access Profile that will change the LifeCycle when a users receive this access and works just fine. My problem is when i need to unblock the user, i created a new access profile and when this access is provisioned i will trigger a workflow that will remove both Access Profile(block and unblock user).
Unfortunately i couldn’t trigger the Provisioning Completed workflow, my workflow must start when the action is performed in determined source and entitlement.

I tried this filter, but something its not rigth:
$.accountRequests[?(@.source.id == ‘mysourceId’ && @.attributeRequests[*].attributeValue == ‘myentitlementid’)]

image
image1133×279 18.8 KB

Any ideias?

2

Hi @coelhoya2 ,

Just try using this:
$.accountRequests[?(@.provisioningResult == ‘committed’ && @.provisioningTarget == ‘Source_Name’ && @.attributeRequests[*].attributeValue == ‘Entitlement_ID’)]

Else,

  1. Use provisioning trigger → $.accountRequests[*].attributeRequests[?(@.attributeValue == ‘Entitlement_ID’)]
  2. Use verify data type to check the source in which the provisioning done.

I have not verified this but something like this should work :relieved:.

Thanks!

3

Hi @coelhoya2,

Perhaps you could try this collab connectors IdentityNow Management Connector
I haven’t tested it, but it looks like it could meet your needs: * Manage lifecycle states as entitlements
This would allow you to dispense with workflow altogether.

4

Thanks for the help, but i took a different approach but still using the workflow.
I created a identity attribute that will be “InLeaveOfAbsence” if user has the entitlement requested to block a user. If this attribute change my workflow will trigger and revoke all roles e disable all accounts.

{
    "id": "123213",
    "name": "GenerateLeaveOfAbsence_v3",
    "type": "static",
    "attributes": {
        "hasGroup": {
            "type": "conditional",
            "attributes": {
                "expression": "$leave eq no",
                "positiveCondition": "no",
                "negativeCondition": "yes",
                "leave": {
                    "type": "firstValid",
                    "attributes": {
                        "values": [
                            {
                                "attributes": {
                                    "attributeName": "idRole",
                                    "sourceName": "EmergencyShutdown",
                                    "requiresPeriodicRefresh": true,
                                    "accountPropertyFilter": "(idRole.contains(\"2\"))"
                                },
                                "type": "accountAttribute"
                            },
                            {
                                "attributes": {
                                    "value": "no"
                                },
                                "type": "static"
                            }
                        ]
                    }
                }
            }
        },
        "leaveOfAbsence": {
            "type": "reference",
            "attributes": {
                "id": "GenerateLeaveOfAbsence"
            }
        },
        "requiresPeriodicRefresh": true,
        "value": "#if($hasGroup == \"yes\")LeaveOfAbsence#elseif($leaveOfAbsence == \"X\")LeaveOfAbsence#else no#end"
    },
    "internal": false
}
5

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.