Workflow trigger Access Profile based on the identity attribute positionId

We have created a workflow to trigger access profiles after the AD account is created based on the position ID.

For that, an identity attribute adAccountExists is created, which is set to YES if the AD account exists, and the access profile is then assigned based on the positionId. For some reason, it is not assigning access profiles. When I checked, the query in the log did not contain the positionId. Do you have any idea what could be the issue?

Below is the log.

{

"displayName": "Get Access",

"input": {

"accessprofiles": true,

"entitlements": false,

"getAccessBy": "searchQuery",

"identityToReturn": null,

"query": "name.exact:\"{{$.trigger.attributes.positionId}}\" AND source.id:\" 39485455ca984addafffb4c165dd2ec3\" ",

"roles": false,

"suppliedInlineExpression": {

"query": "name.exact:\"{{$.trigger.attributes.positionId}}\" AND source.id:\" 39485455ca984addafffb4c165dd2ec3\" "

}

},

"stepName": "getAccess",

"task": "sp:access:get"

}

Below is the workflow.

{
	"name": "Identity Attribute Change Test",
	"description": "Identity Attribute Change Test",
	"modified": "2024-01-25T18:59:05.074089333Z",
	"modifiedBy": {
		"type": "IDENTITY",
		"id": "5376e16c755844069821bdaddfd",
		"name": "Test"
	},
	"definition": {
		"start": "Get Accounts",
		"steps": {
			"Compare Strings": {
				"choiceList": [
					{
						"comparator": "StringEquals",
						"nextStep": "Verify Data Type",
						"variableA.$": "$.trigger.changes[?(@.attribute == \"adAccountExists\")].newValue",
						"variableB": "YES"
					}
				],
				"defaultStep": "Send Email 2",
				"type": "choice"
			},
			"End Step - Failure": {
				"failureName": "Operation Fail",
				"type": "failure"
			},
			"End Step - Failure 1": {
				"description": "Failure",
				"failureDetails": "Failure",
				"failureName": "Failure",
				"type": "failure"
			},
			"End Step - Success": {
				"type": "success"
			},
			"Get Access": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": true,
					"entitlements": false,
					"getAccessBy": "searchQuery",
					"query": "name.exact:\"{{$.trigger.attributes.positionId}}\" AND source.id:\"39485455ca984addafffb4c165dd2ec3\" ",
					"roles": false
				},
				"nextStep": "Verify Data Type 1",
				"type": "action",
				"versionNumber": 1
			},
			"Get Accounts": {
				"actionId": "sp:get-accounts",
				"attributes": {
					"getAccountsBy": "specificIdentity",
					"identity.$": "$.trigger.identity.id"
				},
				"nextStep": "Compare Strings",
				"type": "action",
				"versionNumber": 1
			},
			"Manage Access": {
				"actionId": "sp:access:manage",
				"attributes": {
					"addIdentities.$": "$.trigger.identity.id",
					"comments": "Automate Access Addition during Workflow",
					"requestType": "GRANT_ACCESS",
					"requestedItems": "$.getAccess.accessItems[0]"
				},
				"nextStep": "Send Email 1",
				"type": "action",
				"versionNumber": 1
			},
			"Send Email": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "IdentityNow encountered o new user ${name}:\n\nError: More than one Access Profile was returned that matched the Template Name attribute: ${TemplateName}",
					"context": {
						"accessProfileName.$": "$.getAccess.accessItems[0].name",
						"name.$": "$.trigger.identity.name"
					},
					"from": "[email protected]",
					"recipientEmailList": [
						"[email protected]"
					],
					"replyTo": "[email protected]",
					"subject": "IdentityNow new hire workflow failed to add  EPIC  to user ${name}"
				},
				"nextStep": "End Step - Failure",
				"type": "action",
				"versionNumber": 2
			},
			"Send Email 1": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "Adding Access Succes",
					"context": {
						"accessProfileName.$": "$.getAccess.accessItems[0].name",
						"name.$": "$.trigger.identity.name"
					},
					"from": "[email protected]",
					"recipientEmailList": [
						"[email protected]"
					],
					"replyTo": "[email protected]",
					"subject": "Success"
				},
				"nextStep": "End Step - Success",
				"type": "action",
				"versionNumber": 2
			},
			"Send Email 2": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "Compare Failed",
					"context": {
						"accessProfileName.$": "$.getAccess.accessItems[0].name",
						"name.$": "$.trigger.identity.name"
					},
					"from": "[email protected]",
					"recipientEmailList": [
						"[email protected]"
					],
					"replyTo": "[email protected]",
					"subject": "Compare Failed"
				},
				"nextStep": "End Step - Failure 1",
				"type": "action",
				"versionNumber": 2
			},
			"Verify Data Type": {
				"choiceList": [
					{
						"comparator": "IsPresent",
						"nextStep": "Get Access",
						"variableA.$": "$.getAccounts.accounts[?(@.sourceName==\"Workday FF\")].sourceId"
					}
				],
				"defaultStep": "Send Email 2",
				"description": null,
				"type": "choice"
			},
			"Verify Data Type 1": {
				"choiceList": [
					{
						"comparator": "IsPresent",
						"nextStep": "Manage Access",
						"variableA.$": "$.getAccess.accessItems[1]"
					}
				],
				"defaultStep": "Send Email",
				"description": "",
				"type": "choice"
			}
		}
	},
	"creator": {
		"type": "IDENTITY",
		"id": "5376e16c755844069821bdaddfd",
		"name": "test"
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"id": "idn:identity-attributes-changed"
		}
	}
}

Hi @pkumar22, I see that you are using $.trigger.attributes.positionId to get the positionId identity attribute, which is the access profile name, and then searching for the access profile by that name in the query.

Your trigger is Identity Attribute Changed, and this trigger's payload does not let you retrieve the identity attribute, as shown in the payload documented here - Triggers - SailPoint Identity Services.

One suggestion is to add a Get Identity action right after the Identity Attribute Changed trigger and fetch the identity by its ID, $.trigger.identity.id. From there, read the positionId identity attribute using a variable such as $.getIdentity.attributes.positionId.

Hope this helps.
