Workflow to remove all access profiles that start with "Azure"

Would it be separated by a comma, the ‘&&’ symbol, or contains?

Or, instead of verify data type, would I use the compare string operand for any access items that include the name azure? For example:
azure er account
azure basic account
I want both to be picked up in the workflow.

Lastly, for the manage access block, would it be a comma?

Hi Dawn. Can you describe the use case you are trying to achieve? Do you only need to remove a specific set of access items when this workflow triggers? Depending on your use case, there may be an elegant way to solve this.

So we have access profiles with the same name, like “Azure Read Only Account” & “Azure Read & Write Account”, but both, with the name “azure”, are to get removed.

When we get the get access block, both “azure” access profiles would come up, and both would be removed with the manage access block. If we were to create a new access profile like “Azure Elevated Rights”, it would also work, but contains isn’t working. Please let me know if that makes sense.

Is the goal to remove any access profile that starts with “Azure”?

Yes, that is the goal.

There’s a couple of ways you can approach this. You could make sure your Get Access action only returns access profiles.

And then configure your Manage Access to match access items that start with “Azure” by using regex in your JSONPath expression.

$.getAccess.accessItems[?(@.name =~ /Azure.*/i)]

Alternatively, you could look into this show and tell as a source of inspiration.

What about the verify data type? How do I only access items that contain “azure”?

The regex provided in the access to manage field will only return access items that start with Azure. If you run a Get Access that doesn’t have any access profiles that start with Azure, then there will be nothing supplied to Manage Access, so no access will be revoked. I guess this would result in workflow failures if there are no Azure access profiles on a particular execution.

If you want to make sure the workflow exits gracefully in the event there are no Azure access profiles, then you can put a “Verify Data Type” operator before the “Manage Access” to check if there are any access profiles that match the regex. If no access profiles have Azure, then this will fail. If at least one access profile has Azure, it will succeed and move to the Manage Access step.

Here’s the workflow file:

manage-azure-access.json (1.3 KB)

The verify data type is working perfectly, but the manage access is saying that it isn’t a valid JSON expression. I am using the provisioning completed trigger.

Change the field type from “Enter Value” to “Choose Variable”.

Also, make sure there is a period after Azure. That is important for this regex. Copy and paste this exact string.

$.getAccess.accessItems[?(@.name =~ /Azure.*/i)]

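An added example, not from the thread or the product's own code: it applies the thread's filter `[?(@.name =~ /Azure.*/i)]` to constructed access items under two possible regex semantics and adds the empty-result guard that Verify Data Type provides. Which semantics the workflow engine uses, and whether it accepts a leading `^`, are assumptions to confirm in a test tenant before relying on the expression for revocation; the item names and function names are hypothetical.

```javascript
// Constructed sample of what a Get Access step could return (names are made up).
const accessItems = [
  { id: "ap-1", name: "Azure Read Only Account" },
  { id: "ap-2", name: "azure basic account" },
  { id: "ap-3", name: "Legacy Non-Azure VPN" },
  { id: "ap-4", name: "HR Portal" },
];

// Pattern from the thread, and an explicitly anchored "starts with" variant.
const THREAD_PATTERN = /Azure.*/i;
const STARTS_WITH = /^Azure.*/i; // assumption: the engine accepts ^

// Semantics A: the whole name must match the pattern (implicit ^...$).
function selectFullMatch(items, re) {
  const anchored = new RegExp(`^(?:${re.source})$`, re.flags);
  return items.filter((item) => anchored.test(item.name));
}

// Semantics B: the pattern may match anywhere inside the name.
function selectSearch(items, re) {
  return items.filter((item) => re.test(item.name));
}

// Analogue of the Verify Data Type guard: revoke only when something matched,
// otherwise exit cleanly instead of handing an empty set to Manage Access.
function planRevocation(selected) {
  return selected.length === 0
    ? { action: "exit", revoke: [] }
    : { action: "revoke", revoke: selected.map((item) => item.name) };
}

const names = (items) => items.map((item) => item.name);

// Under A the thread's pattern means "starts with Azure"; under B it means
// "contains azure" and would also select "Legacy Non-Azure VPN" for removal.
console.log("full match:", names(selectFullMatch(accessItems, THREAD_PATTERN)));
console.log("search:    ", names(selectSearch(accessItems, THREAD_PATTERN)));
console.log("anchored:  ", names(selectSearch(accessItems, STARTS_WITH)));
console.log("no matches:", planRevocation(selectSearch([accessItems[3]], STARTS_WITH)));
```

Running the workflow once against a test identity that holds a profile with "Azure" in the middle of its name shows which of the two behaviours applies.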

Thank you so much!! It is working.
