Workflow to Remove a User from a Role

Hi ISC Community,

Use Case: Cybersecurity wants to be able to add users to a role which will block IT access, and they also want to be able to remove users from that role. This will be ad hoc, as a reactive process.

This use case does not intend to disable accounts to block IT access, it intends to assign groups to a user in downstream systems via a role, these groups will have conditional policies applied to prevent assigned users from authenticating to specific systems.

Add Access :+1: = Sorted, can be done via requestable role > assigns entitlements and limit requestors to cyber via segments

Remove Access :-1: = Not sorted, hoping to pick your brains on how we could do this.

My current thinking is I have an interactive form (which I can limit to Cyber via entitlement access) that allows them to select a user to unblock via a dropdown (which runs a search query against the role to determine the options). Then feed the user info into a workflow and action it from there. However, running into a few hurdles:

  1. Get Identity from interactive form seems to fail, I am fairly certain it’s because the form data is sending through the displayname of the user and the get identity needs the ID. Can anybody offer a potential workaround to this?

  2. Assuming 1. gets sorted, how do I create a workflow that will only remove a specific role from an identity (or, vice versa).

  • Thinking either http call to do a patch request to remove user from role, but having issues there on API Patch Role - Semantically Invalid
  • Or, create a campaign and revoke the role, but the create campaign workflow action seems limited. Identity cert will review all the users access and an access cert reviews all of the identities assigned to the role (opposed to just the one selected in the form originally by Cyber).

Appreciate any help you could give. Cheers

Form:

Get Identity Workflow Step:

Get Identity Workflow Step Error:

{"displayName":"Get Identity","input":{"id":"[email protected]","method":"GET","path":"v3/identities/[email protected]","service":"mice"},"stepName":"getIdentity","task":"sp:get-identity","technicalName":"Get Identity"}

{"attempts":1,"displayName":"Get Identity","stepName":"getIdentity","task":"sp:get-identity","technicalName":"Get Identity"}

{"displayName":"Get Identity","error":"request failed (type: Bad Request, retryable: false): 404 - 404 Not Found: ","stepName":"getIdentity","task":"sp:get-identity","technicalName":"Get Identity"}

@SeanK-W use http action to retrieve the identity id

Hello @SeanK-W

1. How to get the Identity Id of the user:
–> The form gives displayName as the output when submitted, let's say {{formData.selectUser}}
–> Perform an HTTP Action [Search API] which will bring you the Identity ID:

{
  "indices": [
    "identities"
  ],
  "query": {
    "query": "displayName:\"{{formData.selectUser}}\""
  }
}

–> You can use the IdentityId from the previous step response: $.hTTPRequest.body[0].id

2. Remove Role of the selectUser identity
Is the Role Dynamic? If yes, which part of this use case will give us the role data?
–> If this role is a static role, which means one particular role, then we can use the "Manage Access" Action :down_arrow:


Access to Manage section should contain the below formatted data

[
  {
    "id": "roleID",
    "name": "Role Name",
    "type": "ROLE"
  }
]

Note: Revoking a role is only possible for roles that are not granted through Birthright and RBAC.

3. Add Role [Vice versa]
Is the Role Dynamic? If yes, which part of this use case will give us the role data?
–> If this role is a static role, which means one particular role, then we can use the "Manage Access" Action :down_arrow:


Request Type: Add Access
Access to Manage section should contain the below formatted data

[
  {
    "id": "roleID",
    "name": "Role Name",
    "type": "ROLE"
  }
]

Note: Granting the role will go through the approval flow if one is configured for it.
This is the standard measure that IAM follows, which cannot be skipped.

Over all flow

Help me understand the use case if I got it wrong :-))

Hope this helps!

Thanks
Sid
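The two steps in the answer above (resolve the form's displayName to an identity id with the search API, then revoke one role from that one identity) as an added Python example. This is not code from the thread or from SailPoint; it assumes the public ISC v3 shapes (POST /v3/search returning a JSON array of identity documents, POST /v3/access-requests with requestType REVOKE_ACCESS, and a required comment on revoke items), and it swaps the real HTTP action for an injectable transport with a constructed fake tenant so it runs offline. It also adds two things the workflow sketch does not show: the form value is escaped before being interpolated into the search string, and an empty or ambiguous search result is refused rather than silently revoking from $.body[0].

```python
import re
from typing import Any, Callable, Dict, List, Optional

# Added example, not from the thread. Assumptions: ISC search is POST /v3/search
# and returns a JSON array of identity documents; revocation is POST
# /v3/access-requests with requestType REVOKE_ACCESS (public v3 API shapes).
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Any]

LUCENE_SPECIALS = set('\\+-!():^[]"{}~*?|&/')


def escape_search_phrase(value: str) -> str:
    """Escape the form value before interpolating it into the search string.

    The workflow builds displayName:"{{formData.selectUser}}"; a name containing
    a double quote or an operator character would otherwise change the query.
    """
    return "".join("\\" + ch if ch in LUCENE_SPECIALS else ch for ch in value)


def build_search_body(display_name: str) -> Dict[str, Any]:
    """Same shape as the HTTP action body in the answer, with escaping added."""
    return {
        "indices": ["identities"],
        "query": {"query": f'displayName:"{escape_search_phrase(display_name)}"'},
    }


def resolve_identity_id(transport: Transport, display_name: str) -> str:
    """Turn the displayName the form emits into the identity id the revoke needs.

    An empty result (the "successful but empty" case in the thread) and an
    ambiguous displayName both fail loudly instead of revoking from body[0].
    """
    results = transport("POST", "/v3/search", build_search_body(display_name))
    matches = [r for r in results or [] if r.get("displayName") == display_name]
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one identity with displayName {display_name!r}, "
            f"found {len(matches)}"
        )
    return matches[0]["id"]


def build_revoke_body(identity_id: str, role_id: str, comment: str) -> Dict[str, Any]:
    """Access-request body for removing one role from one identity.

    Assumption: the v3 access-requests API requires a comment on REVOKE_ACCESS
    items, so one is always supplied.
    """
    return {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [{"type": "ROLE", "id": role_id, "comment": comment}],
    }


def unblock_user(transport: Transport, display_name: str, role_id: str,
                 comment: str = "Unblocked by Cyber via form") -> str:
    """End-to-end: form displayName -> identity id -> revoke request. Returns the id."""
    identity_id = resolve_identity_id(transport, display_name)
    transport("POST", "/v3/access-requests",
              build_revoke_body(identity_id, role_id, comment))
    return identity_id


# --- constructed fake tenant so the flow runs offline -----------------------
FAKE_IDENTITIES: List[Dict[str, str]] = [  # constructed sample data, not real ids
    {"id": "id-jane", "displayName": "Jane Doe"},
    {"id": "id-smith-1", "displayName": "John Smith"},
    {"id": "id-smith-2", "displayName": "John Smith"},  # duplicate displayName
    {"id": "id-obrien", "displayName": 'Pat "PJ" O\'Brien'},
]
SENT: List[Dict[str, Any]] = []  # every access request the fake receives


def fake_transport(method: str, path: str, body: Optional[Dict[str, Any]]) -> Any:
    """Stands in for the HTTP action; only understands the two calls above."""
    if path == "/v3/search":
        phrase = re.fullmatch(r'displayName:"(.*)"', body["query"]["query"]).group(1)
        wanted = re.sub(r"\\(.)", r"\1", phrase)  # undo escape_search_phrase
        return [i for i in FAKE_IDENTITIES if i["displayName"] == wanted]
    if path == "/v3/access-requests":
        SENT.append(body)
        return None  # the real API answers 202 with no body
    raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    print(unblock_user(fake_transport, 'Pat "PJ" O\'Brien', "role-block-it"))
    print(SENT[-1])
```

In a real workflow the transport is the HTTP action with the tenant's OAuth token; the part worth carrying over is the guard in resolve_identity_id, because a displayName is not a unique key and the form is the only thing standing between a Cyber analyst and the wrong identity being revoked (or nothing being revoked at all when the search comes back empty).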

Thanks Sid,

You are pretty much spot on, this is exactly the sort of thing I’m trying to achieve.

Testing with your suggestions has got me 90% of the way there.

Realised I needed two workflows.

  1. One to allow the trigger to be assigned as an entitlement (left) & to give user time to actually submit the form (otherwise workflow triggers with no data).
  2. Then another workflow which triggers when the interactive form has been submitted…

I am now hitting a hurdle where the manage access action is failing with a 400 bad request. The role is a static role (via identity list), it is not dynamic; however struggling to remove it via this action.

Appreciate all of your help so far, any idea how to get around the 400 bad request?


Forgot to mention that I had also tried with the formData.selectUser query but something isn’t quite right with the search query & variables.

Still tinkering, but here’s what workflow output shows. Appears that the result is successful (but empty) & thus the revoke access has no variable: