Workflow - Remove Requested Roles on Termination

When a user is terminated, we want to remove the roles that were requested using Manage Access. The issue I am seeing is that we need to revoke only the roles that are revocable and not any given by Membership Criteria.

I tried to filter these Roles by name as we have a common prefix for requested roles but none of these options appeared to work.

I am able to filter on equals using:

$.getAccess.accessItems[?(@.name == "FULL ROLE NAME")]

I am not able to filter on contains or regex (=~). Both of these are returning all Roles for that user.

$.getAccess.accessItems[?(@.name contains "XYZ")]
$.getAccess.accessItems[?(@.name =~ /^XYZ.*/)]


Workflows uses Goessner JSONpath, which doesn’t support exotic operators like regex. To accomplish your goal, you can try using “Get Access” to get all roles that have that prefix you mentioned. Using the “By Search Query” option, you can input a search query just like you would in the search UI.

Then, just supply the results of “Get Access” to your “Manage Access”.

I have tried that, but the Get Access will return about 30 Roles. My test user has 2 roles in that set, and I get errors when attempting to revoke Roles the user does not have. Is there a way to take the list of 30 that meet that prefix and then get the union of the Roles the Identity has?

Example:
name:PREFIX will return:
PREFIX A
PREFIX B
PREFIX C
PREFIX D

User has PREFIX A, PREFIX B, NON-PREFIX A

I want to revoke only PREFIX A and PREFIX B in the Access to Manage section of the Manage Access step.


I have the EXACT SAME PROBLEM - been trying to find a solution for > 3 months with no luck.

A further complication in another scenario is that I only want to remove Roles when a user had a specific Access Profile, which I can retrieve without issue in "Get Access", but I CANNOT filter only for ROLES (excluding membership/assigned) in "Manage Access".

Open to ANY suggestions…

Note - if you only have 2 roles you can do:

If User has Role A
  Then
    Remove Role A
    If User has Role B Then Remove Role B
ElseIf User has Role B Then Remove Role B

We’ve done it for 2 or 3 specific app roles… but we also have 300+ requestable roles we need to remove (while excluding birthright) :(.


Thank you both for bringing this use case to us. I don’t believe what you are trying to do is feasible with the current set of actions and capabilities. As such, I have forwarded this conversation to the product owner of Workflows so the team can figure out how best to solve this.


I have tested this in the Manage Access Action workflow item (note: the i at the end makes the match case-insensitive):

  • Contains XYZ
    $.getAccess.accessItems[?(@.name =~ /.*XYZ.*/i)]
  • Starts with XYZ
    $.getAccess.accessItems[?(@.name =~ /^XYZ/i)]
  • Ends with XYZ:
    $.getAccess.accessItems[?(@.name =~ /XYZ$/i)]
  • Excludes Access Items that end with Birthright (this was the use case I was trying to solve, where we want to revoke access that is not a role with membership criteria. For this to work, we have to apply a business standard of always naming those roles so that they end in Birthright)
    $.getAccess.accessItems[?(@.name !=~ /Birthright$/i)]
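To make the two filtering strategies discussed in this thread concrete, the following Python is an added example; it is not code from the thread, from SailPoint, or from the Workflows engine. It shows side by side the name-pattern approach from the last post (starts with the prefix, does not end in Birthright, case-insensitive) and the intersection the earlier post asked for (the larger "By Search Query" result narrowed to the roles the identity actually holds, so Manage Access is never handed a role the user does not have). The item shape (id, name, type keys), the sample access items and the search result are constructed assumptions; adjust the keys to whatever your tenant's Get Access payload actually contains.

```python
import re

# Constructed sample data, not output from a real tenant. The {"id", "name", "type"}
# shape is an assumption about what Workflows "Get Access" places in accessItems.
USER_ACCESS_ITEMS = [
    {"id": "role-001", "name": "PREFIX A", "type": "ROLE"},
    {"id": "role-002", "name": "PREFIX B", "type": "ROLE"},
    {"id": "role-003", "name": "NON-PREFIX A", "type": "ROLE"},
    {"id": "role-004", "name": "PREFIX Finance Birthright", "type": "ROLE"},
    {"id": "ap-001", "name": "PREFIX Shared Drive", "type": "ACCESS_PROFILE"},
]

# Constructed stand-in for a "Get Access / By Search Query" result for name:PREFIX.
# It deliberately contains roles the user does not hold (C, D) and a non-role item.
SEARCH_RESULT_ITEMS = [
    {"id": "role-001", "name": "PREFIX A", "type": "ROLE"},
    {"id": "role-002", "name": "PREFIX B", "type": "ROLE"},
    {"id": "role-010", "name": "PREFIX C", "type": "ROLE"},
    {"id": "role-011", "name": "PREFIX D", "type": "ROLE"},
    {"id": "role-004", "name": "PREFIX Finance Birthright", "type": "ROLE"},
    {"id": "ap-001", "name": "PREFIX Shared Drive", "type": "ACCESS_PROFILE"},
]

# Equivalent of the thread's  /Birthright$/i  guard: names ending in Birthright are
# treated as membership-criteria roles and never revoked.
BIRTHRIGHT_SUFFIX = re.compile(r"Birthright$", re.IGNORECASE)


def starts_with_pattern(prefix: str):
    """Equivalent of  /^PREFIX/i . re.escape keeps a prefix like 'APP.X' literal
    instead of letting '.' match any character."""
    return re.compile(r"^" + re.escape(prefix), re.IGNORECASE)


def is_revocable_role(item: dict) -> bool:
    """A role is revocable here only if it is a ROLE (not an access profile)
    and its name does not carry the Birthright suffix."""
    return item.get("type") == "ROLE" and BIRTHRIGHT_SUFFIX.search(item["name"]) is None


def revocable_by_name(user_items, prefix: str):
    """Strategy 1 (last post): filter the user's own access items by name pattern."""
    pattern = starts_with_pattern(prefix)
    return [
        item for item in user_items
        if is_revocable_role(item) and pattern.search(item["name"]) is not None
    ]


def revocable_by_search(user_items, search_items):
    """Strategy 2 (earlier post): intersect the search result with the user's
    access by id, so only roles the identity actually holds are revoked. This
    needs no regex support at all, only an equality-style membership test."""
    wanted_ids = {item["id"] for item in search_items}
    return [
        item for item in user_items
        if item["id"] in wanted_ids and is_revocable_role(item)
    ]


def names(items):
    return [item["name"] for item in items]


def ids(items):
    """The list you would hand to the Manage Access step (assumed to take ids)."""
    return [item["id"] for item in items]


if __name__ == "__main__":
    print("by name:  ", names(revocable_by_name(USER_ACCESS_ITEMS, "PREFIX")))
    print("by search:", names(revocable_by_search(USER_ACCESS_ITEMS, SEARCH_RESULT_ITEMS)))
    print("ids:      ", ids(revocable_by_search(USER_ACCESS_ITEMS, SEARCH_RESULT_ITEMS)))
```

Both strategies yield PREFIX A and PREFIX B for the sample user: NON-PREFIX A fails the prefix test, the Birthright role is excluded by the suffix guard, the access profile is excluded by the type check, and PREFIX C and PREFIX D never appear because the user does not hold them. The intersection route is the one to reach for when the Workflows JSONPath engine in your tenant does not honour =~, since it only needs id equality.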