Workflow - Remove Entitlements from selected source

Hi All,

As a part of user suspension we have to remove all the entitlements for certain sources, so we are trying to achieve that by configuring Workflow. In “Get Access” Action we have selected “Entitlements” and in Search Query we have been using -

This is not working as expected and not removing all the entitlements of the particular source mentioned in search query. Are we missing anything here?

Need help here!


The search query should be like:

@access(type:ENTITLEMENT AND ("SAP_ISU_Direct" OR "SAP XXXX"))

Hey Sharvari,
The search query didn't work and the Entitlements are still showing the account after event being triggered. :frowning:

Aditi Majumdar

Sorry, I thought you just had an issue with the Search query. On checking your Workflow, I believe for your use case in the Get Access step you should select Access Selection Method as “By Identity”.


This will then return the access the Identity has and you can use those in Manage Access step to Remove access.

@sharvari - But then it will take all entitlements belonging to that identity, whereas we need to remove entitlements of a particular source.

Aditi Majumdar

You can filter those in the Manage Access step. Also, I believe this step supports removal of Access Profile and Roles, you may not be able to remove entitlements directly.

I don’t think “Get Access” and “Manage Access” will satisfy your needs in this particular use case. You will be better served by making HTTP Requests to the search API and the submit access request API. Revoking entitlements via access request is currently limited to one entitlement per request, so you can’t do this in bulk. You will need a loop to submit an access request to revoke each entitlement.

Here is a workflow script to get you started. You can download this script and upload it to your tenant and configure as needed.

Revokeentitlementsbysource20230707.json (2.7 KB)

The main thing you will want to change is the loop input. You will want to specify a filter that will filter the sources you are interested in revoking entitlements for.


You will also need to update the HTTP Request actions to use your client ID and secret and your tenant URL. Otherwise, the script should work as-is.



Can we use the same workflow for revoking the access profile based on lifecycle state?

This post saved hours and hours for me that I would have wasted figuring out a process to accomplish a similar requirement :beers:


Sure. The output of the search query will be an identity object that should contain an attributes object that has the current cloud lifecycle state value. You could do a comparison operator to see if the lifecycle state is appropriate before removing the access.
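
The approach from the replies above (read the identity from the search result, submit one revoke request per entitlement, optionally gate on lifecycle state), as an added example that is not part of the thread or of the attached workflow script. The field names (`access`, `source.name`, `attributes.cloudLifecycleState`) and the request body keys (`requestedFor`, `requestType`, `requestedItems`) are assumptions about the search result and access request API, and the sample identity is constructed.

```python
import json

# Constructed sample identity, in the shape assumed for a search result:
# an "access" list whose items carry type, id and source.name.
SAMPLE_IDENTITY = {
    "id": "id-constructed-001",
    "attributes": {"cloudLifecycleState": "inactive"},
    "access": [
        {"type": "ENTITLEMENT", "id": "ent-001", "source": {"name": "SAP_ISU_Direct"}},
        {"type": "ENTITLEMENT", "id": "ent-002", "source": {"name": "Active Directory"}},
        {"type": "ROLE", "id": "role-001"},
        {"type": "ENTITLEMENT", "id": "ent-003", "source": {"name": "SAP_ISU_Direct"}},
    ],
}


def build_revoke_requests(identity, source_names, required_state=None,
                          comment="Revoked on suspension"):
    """Return one revoke request body per entitlement on the named sources."""
    if required_state is not None:
        state = identity.get("attributes", {}).get("cloudLifecycleState")
        if state != required_state:
            return []  # lifecycle gate: leave access untouched
    wanted = set(source_names)
    bodies = []
    for item in identity.get("access", []):
        if item.get("type") != "ENTITLEMENT":
            continue  # roles and access profiles are out of scope here
        if (item.get("source") or {}).get("name") not in wanted:
            continue  # entitlement belongs to a source we must not touch
        bodies.append({
            "requestedFor": [identity["id"]],
            "requestType": "REVOKE_ACCESS",
            # exactly one entitlement per request, per the limit noted above
            "requestedItems": [
                {"type": "ENTITLEMENT", "id": item["id"], "comment": comment}
            ],
        })
    return bodies


if __name__ == "__main__":
    for body in build_revoke_requests(SAMPLE_IDENTITY, ["SAP_ISU_Direct"], "inactive"):
        print(json.dumps(body))
```

Printing the bodies first gives a dry run of exactly which entitlements would be revoked before any request is sent.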

Hi @colin_mckibben,

I tried executing the provided workflow for removing the SAP assigned roles upon lifecycle state change. I had also modified the queries as well.

But somehow the workflow is not working as expected. The workflow is able to retrieve the SAP roles, but the revocation of role is not working. Attaching the json code, can you please check and let me know what is going wrong.
SAP Leaver Role removal.json (2.8 KB)

You have a key name inside requestedItems

"requestedItems":[{"comment":"Please remove","id":"{{$}}","name":"{{$}}","type":"{{$.loop.loopInput.type}}"}]

and I don’t think such a key is allowed in there. Maybe that’s why the request is failing.

Can you remove this and try?

What did you expect, and what actually happened? Did the workflow fail?

Hi,

@iamnithesh thanks for the correction. I did remove it, but no luck.

@colin_mckibben The expectation is that the workflow should remove the requested SAP roles [Naming convention : SAP*] when an identity changes the lifecycle state from active/prehire to inactive.
The workflow execution didn’t fail as such. But the role is not getting revoked.

Attaching the overall workflow output.
WorkFlow Output.json (76.0 KB)

How are these roles assigned to the user?

These are requested roles. Not the birthright ones.

Anu Jose

Also I see one more issue while trying to use the Access-Request Beta as well as V3 API for role revocation via Postman. For both these APIs I’m receiving the below error.


Just wanted to update that both the API and workflow worked once I used the PAT token.
Thanks for the support.
