Workflow - Remove entitlements from sources with a specific tag

I’m following along with Workflow - Remove Entitlements from selected source - #8, but I have a slightly different requirement. Instead of revoking all entitlements for a particular source, I want to invoke all entitlements for multiple sources that share a tag.

Any suggestions on this?

The response object for searching identities doesn’t provide tags for a source, only source ID and source name. You can read more about the available data in the search response here: Searchable Fields - SailPoint Identity Services.

You can try calling the list tagged objects API first to get all sources with a particular tag, and then loop over each source that is returned and use the source name in the filter as shown in my original example.

Thank you for responding, @colin_mckibben.

Is there a way to put 2 HTTP Request Actions in the Loop Input ?

From Action 1: $.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT")]

From Action 2: $.hTTPRequest1.body.objectRef.id

Yea, that’s possible. Is it not working? What have you tried so far?

Hi @colin_mckibben

We’ve tried:

$.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT")]

&&

$.hTTPRequest1.body.objectRef.id

But this is an invalid JSONPath expression.

I need to see your workflow to know where the HTTP requests are in your workflow and where you are attempting to call them. Can you share an image of it and the workflow script itself?

Hi @colin_mckibben,

Attaching Images and script of workflow for your review:

Thanks a million for all the support and guidance received!

TerminationRevokeentitlementsbysourcetag20230712.json (3.2 KB)

I looked into this further, and I don’t think you can accomplish this with a single workflow. I think you’ll need two. The first workflow will look like this.

It retains most of the logic you already have, with HTTP Request 2 fetching the list of sources by tag name. The only difference is that the loop will need to loop over each source ID and then invoke another workflow. The loop input will be this JSONPath: $.hTTPRequest2.body[*].objectRef.id. And instead of using HTTP Request 1 to invoke the access request API, you’ll use it to invoke the second workflow, as described below.

The second workflow will be this workflow that I use in my show and tell: Workflow to remove access by identity based on special conditions. The only difference is that instead of using an Identity Attribute Changed trigger, you’ll use the external trigger. Your first workflow will call the endpoint generated by the second workflow’s external trigger. You will just need to pass the identity ID and the source ID from each iteration of the loop in workflow 1 to workflow 2. That will allow workflow 2 to know which identity to revoke access from, and which source ID to filter on.

How can we call the second workflow from the first workflow, where we are looping over source IDs? Can you give us a snippet, please? That would help a lot! Also, in the External Trigger of the second workflow, what would be the input?

Hi @colin_mckibben,

Thanks for looking into it.

We’ve tried, but we are unable to get tagged objects with a Path Variable (type: SOURCE). If we put this Path Variable into a Query Parameter, it doesn’t seem to work, as it returns all tagged objects.

Any suggestions on this?

Try this for your query param. You can add any number of tags within the parentheses.

key = filters
value = objectRef.type eq "SOURCE" and tagName in ("SECURE","RISKY")


You can follow this show and tell by @chazeauc to learn how to call one workflow from another: Chained Workflows.
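As an added illustration of the data flow this thread settles on (not code from the thread or from SailPoint), the script below builds the `filters` query parameter from a list of tag names, pulls the source IDs out of a tagged-objects response the way the loop input `$.hTTPRequest2.body[*].objectRef.id` does, and then narrows an identity's `access` list to ENTITLEMENT items from those sources, mirroring `$.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT")]`. Both API responses are constructed samples with only the fields the thread relies on; the `source.id` field on each access item is an assumption.

```python
import json

# Constructed sample of a tagged-objects response (assumption: only the
# objectRef.type / objectRef.id / tags fields the thread uses are present).
TAGGED_OBJECTS = json.loads("""[
  {"objectRef": {"type": "SOURCE", "id": "src-secure-01", "name": "AD"},  "tags": ["SECURE"]},
  {"objectRef": {"type": "SOURCE", "id": "src-risky-02",  "name": "SAP"}, "tags": ["RISKY"]},
  {"objectRef": {"type": "ROLE",   "id": "role-03",       "name": "Admins"}, "tags": ["SECURE"]}
]""")

# Constructed sample of one identity from the search response (body[0]).
IDENTITY = json.loads("""{
  "id": "ident-123",
  "access": [
    {"type": "ENTITLEMENT", "id": "ent-a", "source": {"id": "src-secure-01", "name": "AD"}},
    {"type": "ENTITLEMENT", "id": "ent-b", "source": {"id": "src-other-09",  "name": "HR"}},
    {"type": "ROLE",        "id": "role-03", "source": {"id": "src-risky-02", "name": "SAP"}},
    {"type": "ENTITLEMENT", "id": "ent-c", "source": {"id": "src-risky-02",  "name": "SAP"}}
  ]
}""")


def tagged_source_filter(tags):
    """Build the value of the 'filters' query parameter given in the thread."""
    quoted = ",".join(f'"{t}"' for t in tags)
    return f'objectRef.type eq "SOURCE" and tagName in ({quoted})'


def source_ids(tagged_objects):
    """Same selection as the loop input $.hTTPRequest2.body[*].objectRef.id.
    The SOURCE check is repeated client-side so a missing server-side filter
    (the symptom reported above) cannot sweep roles or other objects into the loop."""
    return [o["objectRef"]["id"] for o in tagged_objects
            if o["objectRef"]["type"] == "SOURCE"]


def entitlements_to_revoke(identity, ids):
    """Same selection as $.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT")],
    restricted to the tagged sources the first workflow iterates over."""
    wanted = set(ids)
    return [a["id"] for a in identity["access"]
            if a["type"] == "ENTITLEMENT" and a["source"]["id"] in wanted]


if __name__ == "__main__":
    print(tagged_source_filter(["SECURE", "RISKY"]))
    ids = source_ids(TAGGED_OBJECTS)
    print(ids, entitlements_to_revoke(IDENTITY, ids))
```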
