Problem
Sometimes it is desirable to remove access from an identity based on special criteria. For example, you may wish to remove all entitlements from a JDBC source for an identity that has changed departments. The “Get Access” and “Manage Access” actions will not work in this scenario, since “Get Access” cannot filter an identity’s access on arbitrary criteria such as source name. Instead, you have to use the HTTP Request action to invoke the search API and the submit access request API directly, and then use a loop to apply the special filter criteria and revoke each access item that matches.
The Workflow
This workflow will allow you to filter access items from a search query by applying custom filter criteria with a JSONpath expression.
HTTP Request to search for identity access items
The first HTTP Request will execute a search query to get all access items that belong to the identity whose attributes changed. You will need to update the client ID, client secret, and tenant URL for this action to work in your environment.
Filter criteria in the loop
Next, you will need to use a JSONpath expression to specify which access items you want to include in your access requests. The sample workflow script already has an example filter expression as follows:
$.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT" && @.source.name == "My Source")]
This expression selects every access item that is an entitlement and belongs to the source “My Source”, and it passes those items to the loop to be included in the access requests. You can change this JSONpath expression as needed to fulfill your filter criteria.
HTTP Request to submit an access request
Each access item in the loop invokes a single access request to revoke that access. The HTTP Request is already configured with the proper request body to revoke each item in the loop; all you need to do is update the client ID, client secret, and tenant URL. If you want to grant access instead, change the REQUEST_TYPE in the request body to GRANT_ACCESS.
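As an added illustration (not part of the workflow script above), the following Python reproduces the two steps of the loop: the JSONpath filter over the search response and the per-item revoke request body. The search document shape and the access-request body fields (requestedFor, requestType, requestedItems) are assumptions based on the public IdentityNow v3 APIs, and the sample search response is constructed.

```python
import json

# Constructed sample of the search response ($.hTTPRequest.body): a list of identity
# search documents with an "access" array. Field names are assumptions about the
# IdentityNow search document shape, not data taken from the article.
SAMPLE_SEARCH_BODY = [{
    "id": "identity-0001",  # constructed identity id
    "access": [
        {"type": "ENTITLEMENT", "id": "ent-001", "name": "db_reader", "source": {"name": "My Source"}},
        {"type": "ENTITLEMENT", "id": "ent-002", "name": "db_writer", "source": {"name": "My Source"}},
        {"type": "ENTITLEMENT", "id": "ent-003", "name": "Domain Users", "source": {"name": "Active Directory"}},
        {"type": "ACCESS_PROFILE", "id": "ap-001", "name": "DB Access", "source": {"name": "My Source"}},
    ],
}]


def select_access_items(search_body, source_name, access_type="ENTITLEMENT"):
    """Python equivalent of the workflow's JSONpath filter
    $.hTTPRequest.body[0].access[?(@.type == "ENTITLEMENT" && @.source.name == "My Source")].
    Returns [] when the search matched no identity, so the loop simply has nothing to do."""
    if not search_body:
        return []
    return [item for item in search_body[0].get("access", [])
            if item.get("type") == access_type
            and item.get("source", {}).get("name") == source_name]


def build_access_requests(identity_id, items, request_type="REVOKE_ACCESS"):
    """One request body per filtered item, mirroring the loop's HTTP Request step.
    The body shape (requestedFor / requestType / requestedItems) is assumed from the
    public access-requests API; only GRANT_ACCESS and REVOKE_ACCESS are accepted."""
    if request_type not in ("GRANT_ACCESS", "REVOKE_ACCESS"):
        raise ValueError(f"unsupported requestType: {request_type}")
    return [{
        "requestedFor": [identity_id],
        "requestType": request_type,
        "requestedItems": [{"type": item["type"], "id": item["id"],
                            "comment": f"Workflow {request_type} for {item['name']}"}],
    } for item in items]


if __name__ == "__main__":
    selected = select_access_items(SAMPLE_SEARCH_BODY, "My Source")
    for body in build_access_requests(SAMPLE_SEARCH_BODY[0]["id"], selected):
        print(json.dumps(body))  # each body would be POSTed by the HTTP Request step
```

Running it against the constructed data yields two revoke bodies (ent-001 and ent-002); the Active Directory entitlement and the access profile are dropped by the filter, exactly as the JSONpath expression would drop them in the workflow.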
Workflow script
Here is the workflow script to get you started. Download this script to your computer, upload it to your workflow environment, and update the steps according to your needs and environment.