Hello everyone, I’m trying to disable accounts when they lose all their application roles. My idea is to build a workflow that is able to detect an attribute change, and if the role attribute is empty then the account will be disabled. I have difficulty implementing this kind of workflow. I’m currently trying to build it with these basic blocks: Native Change account detected as trigger, Verify Data Type as an operator to check if the role section is null or not, and then the Manage Account action block to disable the account that loses all its roles. The problem is that I don’t know what to put inside the filter of these building blocks in order to reach my goal.
That seems to be a valid use case. Usually, an identity loses all roles when they’re in a certain stage of their lifecycle, like termination or leaves of absence. As such, you’d not really need to go for a workflow but just transition to a certain lifecycle state that revokes all roles from the users.
If you have automated roles that have assignment criteria, this will be taken care of automatically, as long as your active lifecycle states are included in the assignment criteria. For requested roles, you’d have to handle it in provisioning logic by checking the lifecycle state and the operation, and handle it as a separate case.
Since you’re looking to do this via a workflow, I’m assuming there are certain parts of your requirement that might not be straightforward, so please let us know why you’re looking to solve it via this route.
Instead of the native change trigger, consider an “Identity attributes changed” trigger. The identity attribute can be a custom one called “roleCount”, and you will need a transform attached to it. This can be a Rule transform which calls an Identity Attribute Rule to use the getRoleAssignments API, and then derive the count from there. When count equals 0 on next refresh, use it as a trigger for your workflow.
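To make the trigger condition from the roleCount approach concrete, here is an added example (not code from the original thread or from SailPoint) of the two pieces of logic involved: deriving the count from a list of role assignments, and deciding from an "Identity attributes changed" event whether the account should actually be disabled. The event shape (`changes` with `attribute`/`oldValue`/`newValue`, plus a `lifecycleState` field the workflow has resolved), the attribute name `roleCount`, the `roleId` key and the lifecycle state names are all assumptions.

```python
"""Filter logic for a roleCount-based 'lost all roles' trigger (constructed example)."""
from __future__ import annotations

from typing import Any, Optional

# Assumed lifecycle state names; identities here are handled by lifecycle-state
# logic (as the earlier reply describes), so the workflow should not also fire.
INACTIVE_STATES = {"terminated", "leaveOfAbsence"}


def role_count(assignments: list[dict[str, Any]]) -> int:
    """Derive roleCount from role assignments (what the transform/rule computes).

    Counts distinct role ids so the same role assigned twice (e.g. automated
    and requested) does not inflate the count.
    """
    return len({a["roleId"] for a in assignments})


def _to_int(value: Optional[Any]) -> Optional[int]:
    """Identity attribute values arrive as strings; None/'' means never computed."""
    if value is None or value == "":
        return None
    return int(value)


def should_disable(event: dict[str, Any]) -> bool:
    """Return True only for a genuine transition from 'has roles' to 'no roles'.

    Edge cases handled:
    - oldValue None -> 0 is the attribute being populated for the first time
      after the transform is added, not a role loss, so it must not disable.
    - identities already in an inactive lifecycle state are skipped.
    - changes to other attributes in the same event are ignored.
    """
    if event.get("lifecycleState") in INACTIVE_STATES:
        return False
    for change in event.get("changes", []):
        if change.get("attribute") != "roleCount":
            continue
        old = _to_int(change.get("oldValue"))
        new = _to_int(change.get("newValue"))
        if old is not None and old > 0 and new == 0:
            return True
    return False
```

The None-versus-0 distinction is the reason a plain "is the attribute null?" check, as in the original question, would misfire on every identity the first time the new attribute is calculated.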