Workflow to Remove a User from a Role

Hi ISC Community,

Use Case: Cybersecurity wants to be able to add users to a role which will Block IT access, and they also want to be able to remove users from that role. This will be ad hoc, as a reactive process.

This use case does not intend to disable accounts to block IT access, it intends to assign groups to a user in downstream systems via a role, these groups will have conditional policies applied to prevent assigned users from authenticating to specific systems.

Add Access :+1: = Sorted, can be done via a requestable role > assigns entitlements, and limit requestors to Cyber via segments

Remove Access :-1: = Not sorted, hoping to pick your brains on how we could do this.

My current thinking is I have an interactive form (which I can limit to Cyber via entitlement access) that allows them to select a user to unblock via a dropdown (which runs a search query against the role to determine the options). Then feed the user info into a workflow and action it from there. However, I'm running into a few hurdles:

  1. Get Identity from the interactive form seems to fail; I am fairly certain it's because the form data is sending through the displayName of the user and Get Identity needs the ID. Can anybody offer a potential workaround to this?

  2. Assuming 1. gets sorted, how do I create a workflow that will only remove a specific role from an identity (or vice versa)?

  • Thinking either an HTTP call to do a PATCH request to remove the user from the role, but having issues there on the API: Patch Role - Semantically Invalid
  • Or create a campaign and revoke the role, but the Create Campaign workflow action seems limited. An identity cert will review all of the user's access, and an access cert reviews all of the identities assigned to the role (as opposed to just the one selected in the form originally by Cyber).

Appreciate any help you could give. Cheers

Form:

Get Identity Workflow Step:

Get Identity Workflow Step Error:

{"displayName":"Get Identity","input":{"id":"[email protected]","method":"GET","path":"v3/identities/[email protected]","service":"mice"},"stepName":"getIdentity","task":"sp:get-identity","technicalName":"Get Identity"}

{"attempts":1,"displayName":"Get Identity","stepName":"getIdentity","task":"sp:get-identity","technicalName":"Get Identity"}

{"displayName":"Get Identity","error":"request failed (type: Bad Request, retryable: false): 404 - 404 Not Found: ","stepName":"getIdentity","task":"sp:get-identity","technicalName":"Get Identity"}

@SeanK-W use an HTTP action to retrieve the identity ID

Hello @SeanK-W

1. How to get the Identity ID of the user:
–> The form gives displayName as the output when submitted, let's say {{formData.selectUser}}
–> Perform an HTTP Action [Search API] which will bring you the Identity ID:

{
  "indices": [
    "identities"
  ],
  "query": {
    "query": "displayName:\"{{formData.selectUser}}\""
  }
}

→ You can use the Identity ID from the previous step's response: $.hTTPRequest.body[0].id

2. Remove Role of the selectUser identity
Is the Role dynamic? If yes, which part of this use case will give us the role data?
–> If this role is a static role, which means one particular role, then we can use the "Manage Access" Action :down_arrow:


The Access to Manage section should contain the below formatted data:

[
  {
    "id": "roleID",
    "name": "Role Name",
    "type": "ROLE"
  }
]

Note: The revocation of a role is only possible for those roles which are not granted through Birthright and RBAC

3. Add Role [Vice versa]
Is the Role dynamic? If yes, which part of this use case will give us the role data?
–> If this role is a static role, which means one particular role, then we can use the "Manage Access" Action :down_arrow:


Request Type: Add Access
The Access to Manage section should contain the below formatted data:

[
  {
    "id": "roleID",
    "name": "Role Name",
    "type": "ROLE"
  }
]

Note: The granting of the role will go through the approval flow if one is configured for it.
This is the standard measure that IAM follows, which cannot be skipped.

Overall flow

Help me understand the use case if I got it wrong :-))

Hope this helps!

Thanks
Sid

Thanks Sid,

You are pretty much spot on, this is exactly the sort of thing I’m trying to achieve.

Testing with your suggestions has got me 90% of the way there.

I realised I needed two workflows.

  1. One to allow the trigger to be assigned as an entitlement (left) & to give user time to actually submit the form (otherwise workflow triggers with no data).
  2. Then another workflow which triggers when the interactive form has been submitted…

I am now hitting a hurdle where the Manage Access action is failing with a 400 Bad Request. The role is a static role (via identity list), it is not dynamic; however, I'm struggling to remove it via this action.

Appreciate all of your help so far; any idea how to get around the 400 Bad Request?


Forgot to mention that I had also tried with the formData.selectUser query, but something isn't quite right with the search query and variables.

Still tinkering, but here's what the workflow output shows. It appears that the result is successful (but empty), and thus the revoke access step has no variable:

@SeanK-W

The search query fetching data might be a definition issue. The real problem would be:

Note: The revocation of a role is only possible for those roles which are not granted through Birthright and RBAC

Assigning identities in the role is automated provisioning; we cannot revoke this access through Manage Access.

The alternative is to change the role definition:

  • Get Role Data [API]
  • Iterate a loop over the identities assigned to the role
  • –> Inside the loop, check if the current identity is not the same as selectedIdentity
  • –> If the above condition is true, PATCH the assigned identities to this role
  • –> If false, end the step

The above process will keep patching the role composition with the identities which are not part of the selectedIdentity. This way we can revoke/modify the role.
However, this will increase the complexity of the workflow, and I cannot see another way.
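An added example (not from this thread or from SailPoint) that covers both of Sid's replies offline: it builds the Search API body from the form's displayName, insists on exactly one hit before acting (the `$.hTTPRequest.body[0].id` path above silently takes the first match, and display names are not unique), and turns the "remove the selected identity from the static role's identity list" loop into a single JSON Patch for the role. The response shapes (`membership.type` of `IDENTITY_LIST` with an `identities` array, and `/membership` being patchable on `/v3/roles/{id}`) are assumptions about the ISC v3 API; the role and search results are constructed sample data.

```python
from __future__ import annotations
import json
from typing import Any

# Added example, not SailPoint's code. The v3 Search/Roles shapes used here are assumptions.

def build_search_body(display_name: str) -> dict[str, Any]:
    """Body for POST /v3/search. The name is backslash-escaped (Lucene query-string
    style) so a quote inside a display name cannot break out of the phrase."""
    escaped = display_name.replace("\\", "\\\\").replace('"', '\\"')
    return {"indices": ["identities"], "query": {"query": f'displayName:"{escaped}"'}}

def resolve_identity_id(results: list[dict[str, Any]]) -> str:
    """Display names are not unique: act only on exactly one hit, never on the first."""
    if len(results) != 1:
        raise ValueError(f"expected exactly one identity, got {len(results)}")
    return results[0]["id"]

def build_remove_patch(role: dict[str, Any], identity_id: str) -> list[dict[str, Any]]:
    """JSON Patch for PATCH /v3/roles/{id}: replace the IDENTITY_LIST membership with
    the same list minus identity_id (Sid's loop collapsed into one replace)."""
    membership = role["membership"]
    if membership.get("type") != "IDENTITY_LIST":
        raise ValueError("only static identity-list roles can be edited this way")
    remaining = [m for m in membership["identities"] if m["id"] != identity_id]
    if len(remaining) == len(membership["identities"]):
        raise ValueError(f"{identity_id} is not a member of role {role['id']}")
    return [{"op": "replace", "path": "/membership",
             "value": {"type": "IDENTITY_LIST", "identities": remaining}}]

# Constructed sample data standing in for the search hits and GET /v3/roles/{id}.
SEARCH_HITS = [{"id": "2c91808a0000000000000000000000a1", "displayName": "Jane Doe"}]
ROLE = {"id": "ROLE_ID_PLACEHOLDER", "name": "Block IT Access",
        "membership": {"type": "IDENTITY_LIST", "identities": [
            {"type": "IDENTITY", "id": "2c91808a0000000000000000000000a1", "name": "jane.doe"},
            {"type": "IDENTITY", "id": "2c91808a0000000000000000000000b2", "name": "john.roe"}]}}

if __name__ == "__main__":
    print(json.dumps(build_search_body("Jane Doe"), indent=2))
    uid = resolve_identity_id(SEARCH_HITS)
    print(json.dumps(build_remove_patch(ROLE, uid), indent=2))
```

The patch body is sent with Content-Type application/json-patch+json; dynamic (STANDARD criteria) roles are rejected up front, matching Sid's note that only the static identity-list case can be handled this way.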


Thanks Sid,

Shame to hear that there’s no easy way for us to be revoking access to a role.

Appreciate you taking the time to list how this could potentially be actioned via a loop; however, I'm going to investigate a different avenue. This is getting overcomplicated for what should just be an access revoke…

Going to investigate if we can utilise access profiles & dynamic roles instead.

Cheers
