As a part of user suspension we have to remove all the entitlements for certain sources, so we are trying to achieve that by configuring Workflow. In “Get Access” Action we have selected “Entitlements” and in Search Query we have been using - source.name:
This is not working as expected and not removing all the entitlements of the particular source mentioned in search query. Are we missing anything here?
Sorry, I thought you just had an issue with the Search query. On checking your Workflow, I believe for your use case in the Get Access step you should select Access Selection Method as “By Identity”.
This will then return the access the Identity has and you can use those in Manage Access step to Remove access.
You can filter those in the Manage Access step. Also, I believe this step supports removal of Access Profiles and Roles; you may not be able to remove entitlements directly.
I don’t think “Get Access” and “Manage Access” will satisfy your needs in this particular use case. You will be better served by making HTTP Requests to the search API and the submit access request API. Revoking entitlements via access request is currently limited to one entitlement per request, so you can’t do this in bulk. You will need a loop to submit an access request to revoke each entitlement.
Here is a workflow script to get you started. You can download this script and upload it to your tenant and configure as needed.
The main thing you will want to change is the loop input. You will want to specify a filter that will filter the sources you are interested in revoking entitlements for.
You will also need to update the HTTP Request actions to use your client ID and secret and your tenant URL. Otherwise, the script should work as-is.
Sure. The output of the search query will be an identity object that should contain an attributes object that has the current cloud lifecycle state value. You could do a comparison operator to see if the lifecycle state is appropriate before removing the access.
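The loop Colin describes above (search for the identity, then one revoke request per entitlement) together with the lifecycle-state check from his later reply, as an added Python sketch that is not part of this thread or of SailPoint's own code. The identity document shape, the placeholder ids, the `@access(...)` query string and the injected `post` transport are assumptions; the real workflow would supply the tenant URL and OAuth token.

```python
from typing import Callable, Dict, List

# Constructed sample search hit (shape assumed from the v3 search identity document:
# access[] entries carry type, id, name and source.name). Ids are placeholders.
SAMPLE_IDENTITY: Dict = {
    "id": "PLACEHOLDER-IDENTITY-ID",
    "name": "jdoe",
    "attributes": {"cloudLifecycleState": "inactive"},
    "access": [
        {"type": "ENTITLEMENT", "id": "ent-1", "name": "SAP_FI_AP", "source": {"name": "SAP"}},
        {"type": "ENTITLEMENT", "id": "ent-2", "name": "SAP_MM_BUYER", "source": {"name": "SAP"}},
        {"type": "ROLE", "id": "role-1", "name": "SAP Leaver Role", "source": {}},
        {"type": "ENTITLEMENT", "id": "ent-3", "name": "AD_Group", "source": {"name": "Active Directory"}},
    ],
}


def build_search_body(source_name: str, state: str = "inactive") -> Dict:
    """Body for POST /v3/search: identities in the given lifecycle state that hold
    access from the source (nested @access query syntax assumed)."""
    query = f'attributes.cloudLifecycleState:{state} AND @access(source.name:"{source_name}")'
    return {"indices": ["identities"], "query": {"query": query}}


def entitlements_for_source(identity: Dict, source_name: str) -> List[Dict]:
    """Keep only ENTITLEMENT items whose source matches; roles and other sources are skipped."""
    return [a for a in identity.get("access", [])
            if a.get("type") == "ENTITLEMENT" and a.get("source", {}).get("name") == source_name]


def build_revoke_request(identity_id: str, entitlement: Dict, comment: str) -> Dict:
    """One POST /v3/access-requests body per entitlement, since revoke handles a single item."""
    return {"requestedFor": [identity_id], "requestType": "REVOKE_ACCESS",
            "requestedItems": [{"type": "ENTITLEMENT", "id": entitlement["id"], "comment": comment}]}


def revoke_source_entitlements(identity: Dict, source_name: str,
                               post: Callable[[str, Dict], object],
                               allowed_states=("inactive",)) -> List[Dict]:
    """Gate on the identity's lifecycle state, then submit one revoke request per
    entitlement of the source. Returns the request bodies that were sent."""
    state = identity.get("attributes", {}).get("cloudLifecycleState")
    if state not in allowed_states:
        return []  # not a leaver: do nothing rather than strip access from an active user
    sent = []
    for ent in entitlements_for_source(identity, source_name):
        body = build_revoke_request(identity["id"], ent, f"Leaver cleanup: {ent['name']}")
        post("/v3/access-requests", body)  # transport injected: real HTTP client or a recorder
        sent.append(body)
    return sent
```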
I tried executing the provided workflow for removing the SAP assigned roles upon lifecycle state change. I had also modified the queries as well.
But somehow the workflow is not working as expected. The workflow is able to retrieve the SAP roles, but the revocation of the role is not working. Attaching the JSON code, can you please check and let me know what is going wrong. SAP Leaver Role removal.json (2.8 KB)
@iamnithesh thanks for the correction. I did remove it, but no luck.
@colin_mckibben The expectation is that the workflow should remove the requested SAP roles [Naming convention: SAP*] when an identity changes lifecycle state from active/prehire to inactive.
The workflow execution didn’t fail as such. But the role is not getting revoked.
Also I see one more issue while trying to use the Access-Request Beta as well as the V3 API for role revocation via Postman. For both of these APIs I’m receiving the below error.