mike.lim
(Mike Lim)
August 12, 2024, 5:28am
Hello,
I’m trying to create a workflow that removes all entitlements from an identity if the lifecycle state changes from ACTIVE to PREINACTIVE.
To achieve this, I started with the Identity Attributes Changed trigger with the following filter:
Next, I’ve added the Get Access action to retrieve the identity’s entitlements:
And to remove those entitlements from the identity, I’ve created a loop and added the Manage Access action as follows:
I’ve tested the workflow; however, it is failing to remove the entitlements.
What can I do to resolve this issue?
shaileeM
(Shailee Mehta)
August 12, 2024, 6:19am
Hi Mike,
If possible, can you share the workflow JSON so I can take a look? Please mask whatever is necessary.
Thanks,
Shailee
Just enable the workflow and try it. I think this flow will work as expected. The Test Workflow feature only tests the functionality; it will not remove access. Hence, the API call might fail.
This will probably help you.
Thanks!!
If you are facing the same issue, please refer to my test workflow given below.
{
  "name": "Test_Flow",
  "description": "",
  "definition": {
    "start": "Get Access",
    "steps": {
      "End Step — Success 1": {
        "description": "Success",
        "type": "success"
      },
      "Get Access": {
        "actionId": "sp:access:get",
        "attributes": {
          "accessprofiles": false,
          "entitlements": true,
          "getAccessBy": "specificIdentity",
          "identityToReturn.$": "$.trigger.identity.id",
          "roles": false
        },
        "nextStep": "Loop",
        "type": "action",
        "versionNumber": 1
      },
      "Loop": {
        "actionId": "sp:loop:iterator",
        "attributes": {
          "context.$": "$.trigger.identity.id",
          "input.$": "$.getAccess.accessItems",
          "start": "Manage Access",
          "steps": {
            "End Step — Success": {
              "description": "Success inside loop",
              "type": "success"
            },
            "Manage Access": {
              "actionId": "sp:access:manage",
              "attributes": {
                "comments": "Removal",
                "removeIdentity.$": "$.loop.context",
                "requestType": "REVOKE_ACCESS",
                "requestedItems.$": "$.loop.loopInput"
              },
              "nextStep": "End Step — Success",
              "type": "action",
              "versionNumber": 1
            }
          }
        },
        "nextStep": "End Step — Success 1",
        "type": "action",
        "versionNumber": 1
      }
    }
  },
  "trigger": {
    "type": "EVENT",
    "attributes": {
      "filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\" && @.oldValue == \"active\" && @.newValue == \"preinactive\")]",
      "id": "idn:identity-attributes-changed"
    }
  }
}
Thanks!!
Gokul
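As an added example (not part of this thread or of SailPoint's own code), a small Python evaluator for the trigger filter used in the workflow JSON above. It supports only this filter's `==`/`&&` shape, the sample events are constructed, and it makes one check visible that is easy to miss when the workflow never fires: JSONPath `==` is exact string comparison, so the case of the lifecycle state values matters.

```python
import re
from typing import Any, Optional

# The trigger filter exactly as it appears in the workflow JSON posted above.
FILTER = ('$.changes[?(@.attribute == "cloudLifecycleState" && '
          '@.oldValue == "active" && @.newValue == "preinactive")]')

# Only the narrow JSONPath shape used by this trigger is supported:
# $.changes[?(@.<field> == "<value>" && ...)] with '==' and '&&'.
OUTER = re.compile(r'\$\.changes\[\?\((.*)\)\]')
CLAUSE = re.compile(r'@\.(\w+)\s*==\s*"([^"]*)"')

def parse_filter(expr: str) -> dict:
    """Turn the filter into {field: required_value}."""
    m = OUTER.fullmatch(expr)
    if not m:
        raise ValueError(f"unsupported filter shape: {expr}")
    wanted = {}
    for clause in m.group(1).split("&&"):
        cm = CLAUSE.fullmatch(clause.strip())
        if not cm:
            raise ValueError(f"unsupported clause: {clause.strip()}")
        wanted[cm.group(1)] = cm.group(2)
    return wanted

def matching_changes(event: dict, expr: str = FILTER) -> list:
    """Entries of event['changes'] satisfying every clause. JSONPath '=='
    is exact string equality, so 'ACTIVE' does not match 'active'."""
    wanted = parse_filter(expr)
    return [c for c in event.get("changes", [])
            if all(c.get(field) == value for field, value in wanted.items())]

def workflow_fires(event: dict, expr: str = FILTER) -> bool:
    """True when the trigger filter yields at least one change."""
    return bool(matching_changes(event, expr))

def lifecycle_event(old: str, new: str, extra: Optional[list] = None) -> dict:
    """Build a constructed Identity Attributes Changed payload (not tenant data)."""
    changes = [{"attribute": "cloudLifecycleState", "oldValue": old, "newValue": new}]
    return {"identity": {"id": "example-identity-id"}, "changes": changes + (extra or [])}

if __name__ == "__main__":
    print(workflow_fires(lifecycle_event("active", "preinactive")))   # True
    print(workflow_fires(lifecycle_event("ACTIVE", "PREINACTIVE")))   # False
    print(workflow_fires(lifecycle_event("active", "inactive")))      # False
```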
shaileeM
(Shailee Mehta)
August 12, 2024, 8:00am
Hi Mike,
Yes. Please define $.trigger.identity.id in the context of the loop, and in the Manage Access step you can use
"removeIdentity.$": "$.loop.context",
Please try this; it should work.
mike.lim
(Mike Lim)
August 12, 2024, 8:29am
Thanks for the information!
I think it is working as expected; however, I noticed that a few entitlements were left behind.
Do you know if there’s a limitation to the entitlement removal functionality?
I think there is no limit for revoking access. Ideally, ISC should not have any restrictions around this.
I guess via the API we can get up to 250 entitlements; after that we need to set offsets. It will be like a batch process, right? I think the same will apply here, but I'm not sure.
RitikaK
(Ritika K)
September 23, 2024, 2:52pm
Can we use the same workflow to remove roles and access profiles?