Workflow - Remove Entitlements from multiple sources

I’m trying to configure a workflow using the previously discussed workflow containing a loop that targets a specific source and removes entitlements from the source: https://developer.sailpoint.com/discuss/uploads/short-url/5CJR32rmaD9kQdTfnmHg2eaGdeU.json

What I want to do is target any source containing a certain word, such as “Active Directory”. Since we have several Active Directory sources (Dev, QA, etc.), how can I target the workflow to remove entitlements from multiple Active Directory sources without having to list out each source in the HTTP request?

I tried modifying the logic to pull any entitlement where the source contains “Active Directory” :

But this is not working: no entitlements get removed.

Can you help me figure out what it is that I’m doing wrong?

Hi Mark,

If you’re able to, I’d recommend going with the ‘certification’ approach from the post Workflow to remove ALL leavers' standing access, as it won’t send email notifications and creates a place where audit may be able to more easily see which access was revoked on termination.

Then, you can just create and link an exclusion filter to list out any sources you do not want to include in the certification.

```json
"jsonRequestBody": {
    "autoRevokeAllowed": true,
    "deadline": "{{$.defineVariable1.deadline}}",
    "description": "This is an automatically generated Leaver Campaign for {{$.getLeaverDetails.attributes.displayName}} (Employee ID: {{$.getLeaverDetails.attributes.identificationNumber}}) to remove any standing access remaining after termination",
    "emailNotificationEnabled": false,
    "filter": {
        "id": "",
        "type": "CAMPAIGN_FILTER"
    },
    "mandatoryCommentRequirement": "NO_DECISIONS",
    "name": "Leaver Campaign for {{$.getLeaverDetails.attributes.displayName}} (Emp ID: {{$.getLeaverDetails.attributes.identificationNumber}})",
    "recommendationsEnabled": false,
    "searchCampaignInfo": {
        "accessConstraints": null,
        "description": "Test",
        "identityIds": null,
        "query": "id:{{$.trigger.identity.id}}",
        "reviewer": {
            "id": "",
            "name": null,
            "type": "IDENTITY"
        },
        "reviewerId": "",
        "type": "IDENTITY"
    },
    "type": "SEARCH"
}
```

Does it have to be an exclusion filter? Can it be an inclusion since I’m only wanting to target 5 Active Directory sources, out of the 100 sources we have in our tenant?

Also, with the jsonRequestBody you presented above, am I replacing the existing jsonRequestBody in the workflow?

Hi Mark,
You can use an inclusion filter as well if that would be easier for your implementation.
As for the jsonRequestBody, you should update it in the step ‘Create Leaver Campaign’ instead of the ‘Autocomplete Leaver Campaign’. Assuming that you want the campaign to automatically revoke all the AD entitlements when it completes, you can leave the Autocomplete Leaver Campaign as is.

If you see any issues with the campaign not completing automatically or a failure updating the campaign deadline, add a wait step after the ‘Create Leaver Campaign’ step. Sometimes the campaign can take time to create, which can cause the workflow to fail if it’s trying to close it before it’s in an active state.
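To make the two replies concrete, here is an added Python example (not code from the thread or from SailPoint) covering three pieces: picking every source whose name contains a keyword such as “Active Directory” instead of listing each one by hand, filling the `jsonRequestBody` shown above with an inclusion filter id, and polling a campaign's status until it is active before the workflow tries to close it. The source records, filter id, identity values and the status strings `STAGED`/`ACTIVE`/`ERROR` are constructed assumptions for the demo; nothing here calls the tenant API.

```python
"""Added example for the leaver-campaign workflow discussion.

Assumptions (constructed for this demo, not taken from the thread):
  * source records are dicts with "id" and "name" keys
  * the campaign filter has already been created in the tenant and its id is known
  * campaign status is reported as a string such as "STAGED", "ACTIVE" or "ERROR"
No HTTP requests are made; the poll function is injected so it can be mocked.
"""
import time
from typing import Callable, Iterable

# Constructed sample source list: five AD sources plus two unrelated ones.
SAMPLE_SOURCES = [
    {"id": "src-ad-prod", "name": "Active Directory"},
    {"id": "src-ad-dev", "name": "Active Directory - Dev"},
    {"id": "src-ad-qa", "name": "Active Directory - QA"},
    {"id": "src-ad-uat", "name": "Active Directory - UAT"},
    {"id": "src-ad-dr", "name": "Active Directory - DR"},
    {"id": "src-okta", "name": "Okta"},
    {"id": "src-sap", "name": "SAP ERP"},
]


def select_sources(sources: Iterable[dict], keyword: str) -> list[str]:
    """Return the ids of all sources whose name contains keyword (case-insensitive).

    This is the list you would feed into an inclusion filter, so that adding a
    sixth AD source later needs no change to the workflow itself.
    """
    needle = keyword.casefold()
    return [s["id"] for s in sources if needle in s["name"].casefold()]


def build_campaign_body(filter_id: str, identity_id: str, display_name: str,
                        employee_id: str, deadline: str) -> dict:
    """Build the search-campaign request body from the reply, with values filled in.

    Inside the workflow the {{$.…}} placeholders stay as written; here they are
    rendered directly so the structure can be checked offline.
    """
    return {
        "autoRevokeAllowed": True,          # revoke everything left on completion
        "deadline": deadline,
        "description": (
            f"This is an automatically generated Leaver Campaign for {display_name} "
            f"(Employee ID: {employee_id}) to remove any standing access remaining "
            "after termination"
        ),
        "emailNotificationEnabled": False,  # no reviewer mails, as the reply recommends
        "filter": {"id": filter_id, "type": "CAMPAIGN_FILTER"},
        "mandatoryCommentRequirement": "NO_DECISIONS",
        "name": f"Leaver Campaign for {display_name} (Emp ID: {employee_id})",
        "recommendationsEnabled": False,
        "searchCampaignInfo": {
            "accessConstraints": None,
            "description": "Test",
            "identityIds": None,
            "query": f"id:{identity_id}",   # scope the campaign to the leaver only
            "reviewer": {"id": "", "name": None, "type": "IDENTITY"},
            "reviewerId": "",
            "type": "IDENTITY",
        },
        "type": "SEARCH",
    }


def wait_until_active(poll_status: Callable[[], str], max_attempts: int = 10,
                      interval_seconds: float = 0.0) -> tuple[str, int]:
    """Poll until the campaign reports ACTIVE; this is the 'wait step' from the reply.

    Returns (status, attempts_used). Raises on an ERROR status or when the
    attempt budget is exhausted, so the workflow fails loudly instead of trying
    to close a campaign that is not yet active.
    """
    for attempt in range(1, max_attempts + 1):
        status = poll_status()
        if status == "ACTIVE":
            return status, attempt
        if status == "ERROR":
            raise RuntimeError("campaign entered ERROR state while waiting")
        if interval_seconds > 0:
            time.sleep(interval_seconds)
    raise TimeoutError(f"campaign not active after {max_attempts} polls")


if __name__ == "__main__":
    ad_ids = select_sources(SAMPLE_SOURCES, "Active Directory")
    print("sources for inclusion filter:", ad_ids)
    body = build_campaign_body("filter-0001", "identity-0001", "Jane Doe",
                               "E12345", "2030-01-31T00:00:00Z")
    print("campaign name:", body["name"])
    fake_statuses = iter(["STAGED", "STAGED", "ACTIVE"])
    print("wait result:", wait_until_active(lambda: next(fake_statuses)))
```

The inclusion list is computed from source names rather than hard-coded, which is the point of the original question; the poll loop exists because, as the reply notes, a freshly created campaign is not immediately in an active state and a workflow that closes it too early fails.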
