Soundary
January 27, 2025, 4:25pm
1
Hi all,
I am working on a requirement to remove all the entitlement when a user turns inactive, and the ad account is disabled then all the entitlement of the ad should be removed So, some reason the entitlements are not getting removed. The loop step doesnt fetch the results
Identity trigger$.changes[?(@.attribute == "cloudLifecycleState" && @.newValue == "inactive")]
FIRST HTTP JSON BODY
{
"indices": [
"identities"
],
"query": {
"query": "id:{{$.trigger.identity.id}}"
}
}
Loop input:$.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT" && @.source.name == "Active Directory")]
Second HTTP Request JSON Body:
{
"requestType": "REVOKE_ACCESS",
"requestedFor": [
"{{$.loop.context.id}}"
],
"requestedItems": [
{
"comment": "Please remove",
"id": "{{$.loop.loopInput.id}}",
"name": "{{$.loop.loopInput.name}}",
"type": "{{$.loop.loopInput.type}}"
}
]
}
1 Like
Soundary
January 27, 2025, 4:31pm
2
You don’t have to use a workflow.
afterModify rule to catch the DISABLE function to then run a PS script
run a scheduled script to remove all entitlements from any users that are disabled.
All depends on your coding preference
suresh4iam
January 27, 2025, 6:44pm
4
Hello Soundarya,
You can use Before Provisioning Rule to loop through all the assigned entitlements and remove it which could be a custom written code.
Since you are using Workflow, you can handle it in Workflow itself by using Certification Campaign. I have implemented the same scenario using Workflow as below.
Solution Summary:
Trigger the workflow when identity’s LCS changed to inactive.
Get the identity details by using Get Identity action.
Create a search-based certification campaign to remove all the s…
Let me know whether it helps you.
Try using Services Standard IdentityNow BeforeProvisioning Rule which has an action RemoveADEntitlements .
This is not deployed to your tenant by default . You can take support help to deploy this rule or you can deploy on your own.
Try Something Like this for your usecase :
[,OU= ,DC= ”
Soundary
January 28, 2025, 8:51am
6
Hi Bhaskar,
can you give me the full steps on how to deploy this in our tenant?
suresh4iam
January 28, 2025, 1:51pm
8
Unfortunately I couldn’t provide the JSON since it is implemented in a client tenant and you can refer the link which provides the JSON to built the basic workflow and on top of it you can customize it based on your requirement.
1 Like
sharvari
January 28, 2025, 2:07pm
9
You can try using the built in Get Access and Manage Access workflow actions instead of HTTP actions.
Soundary
January 28, 2025, 3:56pm
10
Hi Soundarya,
You need to make sure to have the rule deployed and then you need to patch the source .
Thanks,
Soundary
January 28, 2025, 4:28pm
12
Hi Bhaskar,
The rule is already deployed in our tenant so let me know which is the patch API you used was it this update-provisioning-policy | SailPoint Developer Community ?
Please use v3 api to patch the source.
[,OU= ,DC= ”
1 Like
Soundary
February 12, 2025, 9:35am
14
Hi Suresh,
Yes, this helped, and I was able to remove all the entitlements. But in the get identity can the workflow take more then 100 users and process the campaign for them?
suresh4iam
February 12, 2025, 1:06pm
15
Get identity will get a single identity on a iteration, so it will work and creates individual campaign for each identity
