Workflow Remove Entitlements

Identity Security Cloud (ISC) ISC Discussion and Questions
, , ,
1

Hello,

I’m trying to create a workflow that removes all entitlements from an identity if the lifecycle state changes from ACTIVE to PREINACTIVE.

To achieve this, I started with the Identity Attributes Changed trigger with the following filter:

Screenshot 2024-08-12 at 2.14.18 PM
Screenshot 2024-08-12 at 2.14.18 PM1097×463 37.3 KB

Next, I’ve added the Get Access action to retrieve the identity’s entitlements:

Screenshot 2024-08-12 at 2.15.07 PM
Screenshot 2024-08-12 at 2.15.07 PM936×597 35.9 KB

And to remove those entitlements from the identity, I’ve created a loop and added the Manage Access action as follows:

Screenshot 2024-08-12 at 2.16.19 PM
Screenshot 2024-08-12 at 2.16.19 PM1164×591 43.5 KB

Screenshot 2024-08-12 at 2.17.08 PM
Screenshot 2024-08-12 at 2.17.08 PM1101×576 41.4 KB

I’ve tested the workflow; however, it is failing to remove the entitlements.

Screenshot 2024-08-12 at 2.24.42 PM
Screenshot 2024-08-12 at 2.24.42 PM1532×765 84.3 KB

What can I do to resolve this issue?

2

Hi Mike,

If possible, can you share the workflow json to take a look. Please mask the necessary.

Thanks,
Shailee

3

Just enable the workflow and try the workflow. I think this flow will work as expected. Test Workflow feature is used to test only the functionalities, it will not remove access. Hence, the API call might fail.

This might help you probably.

Thanks!!

4

If you are facing the same issue, Please refer to my test workflow given below.

{
	"name": "Test_Flow",
	"description": "",
	"definition": {
		"start": "Get Access",
		"steps": {
			"End Step — Success 1": {
				"description": "Success",
				"type": "success"
			},
			"Get Access": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": false,
					"entitlements": true,
					"getAccessBy": "specificIdentity",
					"identityToReturn.$": "$.trigger.identity.id",
					"roles": false
				},
				"nextStep": "Loop",
				"type": "action",
				"versionNumber": 1
			},
			"Loop": {
				"actionId": "sp:loop:iterator",
				"attributes": {
					"context.$": "$.trigger.identity.id",
					"input.$": "$.getAccess.accessItems",
					"start": "Manage Access",
					"steps": {
						"End Step — Success": {
							"description": "Success inside loop",
							"type": "success"
						},
						"Manage Access": {
							"actionId": "sp:access:manage",
							"attributes": {
								"comments": "Removal",
								"removeIdentity.$": "$.loop.context",
								"requestType": "REVOKE_ACCESS",
								"requestedItems.$": "$.loop.loopInput"
							},
							"nextStep": "End Step — Success",
							"type": "action",
							"versionNumber": 1
						}
					}
				},
				"nextStep": "End Step — Success 1",
				"type": "action",
				"versionNumber": 1
			}
		}
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\" && @.oldValue == \"active\" && @.newValue == \"preinactive\")]",
			"id": "idn:identity-attributes-changed"
		}
	}
}

Thanks!!
Gokul

3 Likes
6

Hi Mike,

Yes. Please define the $.trigger.identity.id in the context of the loop and in the Manage Access step , you can use

"removeIdentity.$": "$.loop.context",

Please try this, it should work.

1 Like
7

Thanks for the information!
I think it is working as expected; however, I noticed that a few entitlements were left behind.
Do you know if there’s a limitation to the entitlement removal functionality?

8

I think so, there is no limit for revoking access. Ideally, ISC should not have any restrictions around this.

I guess via API we can get upto 250 entitlements, after that - we need to set offsets. It will be like a batch-process right. I think, the same will apply here, but not sure.