Workflow trigger Access Profile based on the identity attribute positionId

We have created a workflow to trigger access profiles after the AD account is created based on the position ID.

For that identity, attribute is created adAccountExists if the AD account exists set to YES and then based on the positionId assigning the access Profile. For some reason, it is not assigning access profiles. When I checked, the log query did not return the positionId. Do you have any idea what could be the issue?

Below is the log.

{

"displayName": "Get Access",

"input": {

"accessprofiles": true,

"entitlements": false,

"getAccessBy": "searchQuery",

"identityToReturn": null,

**"query": "name.exact:\"{{$.trigger.attributes.positionId}}\" AND source.id:\"** **39485455****ca984addafffb4c165dd2ec3\" ",**

"roles": false,

"suppliedInlineExpression": {

"query": "name.exact:\"{{$.trigger.attributes.positionId}}\" AND source.id:\" 39485455ca984addafffb4c165dd2ec3\" "

}

},

"stepName": "getAccess",

"task": "sp:access:get"

}

below is workflow

{
	"name": "Identity Attribute Change Test",
	"description": "Identity Attribute Change Test",
	"modified": "2024-01-25T18:59:05.074089333Z",
	"modifiedBy": {
		"type": "IDENTITY",
		"id": "5376e16c755844069821bdaddfd",
		"name": "Test"
	},
	"definition": {
		"start": "Get Accounts",
		"steps": {
			"Compare Strings": {
				"choiceList": [
					{
						"comparator": "StringEquals",
						"nextStep": "Verify Data Type",
						"variableA.$": "$.trigger.changes[?(@.attribute == \"adAccountExists\")].newValue",
						"variableB": "YES"
					}
				],
				"defaultStep": "Send Email 2",
				"type": "choice"
			},
			"End Step - Failure": {
				"failureName": "Operation Fail",
				"type": "failure"
			},
			"End Step - Failure 1": {
				"description": "Failure",
				"failureDetails": "Failure",
				"failureName": "Failure",
				"type": "failure"
			},
			"End Step - Success": {
				"type": "success"
			},
			"Get Access": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": true,
					"entitlements": false,
					"getAccessBy": "searchQuery",
					"query": "name.exact:\"{{$.trigger.attributes.positionId}}\" AND source.id:\"39485455ca984addafffb4c165dd2ec3\" ",
					"roles": false
				},
				"nextStep": "Verify Data Type 1",
				"type": "action",
				"versionNumber": 1
			},
			"Get Accounts": {
				"actionId": "sp:get-accounts",
				"attributes": {
					"getAccountsBy": "specificIdentity",
					"identity.$": "$.trigger.identity.id"
				},
				"nextStep": "Compare Strings",
				"type": "action",
				"versionNumber": 1
			},
			"Manage Access": {
				"actionId": "sp:access:manage",
				"attributes": {
					"addIdentities.$": "$.trigger.identity.id",
					"comments": "Automate Access Addition during Workflow",
					"requestType": "GRANT_ACCESS",
					"requestedItems": "$.getAccess.accessItems[0]"
				},
				"nextStep": "Send Email 1",
				"type": "action",
				"versionNumber": 1
			},
			"Send Email": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "IdentityNow encountered o new user ${name}:\n\nError: More than one Access Profile was returned that matched the Template Name attribute: ${TemplateName}",
					"context": {
						"accessProfileName.$": "$.getAccess.accessItems[0].name",
						"name.$": "$.trigger.identity.name"
					},
					"from": "[email protected]",
					"recipientEmailList": [
						"[email protected]"
					],
					"replyTo": "[email protected]",
					"subject": "IdentityNow new hire workflow failed to add  EPIC  to user ${name}"
				},
				"nextStep": "End Step - Failure",
				"type": "action",
				"versionNumber": 2
			},
			"Send Email 1": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "Adding Access Succes",
					"context": {
						"accessProfileName.$": "$.getAccess.accessItems[0].name",
						"name.$": "$.trigger.identity.name"
					},
					"from": "[email protected]",
					"recipientEmailList": [
						"[email protected]"
					],
					"replyTo": "[email protected]",
					"subject": "Success"
				},
				"nextStep": "End Step - Success",
				"type": "action",
				"versionNumber": 2
			},
			"Send Email 2": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "Compare Failed",
					"context": {
						"accessProfileName.$": "$.getAccess.accessItems[0].name",
						"name.$": "$.trigger.identity.name"
					},
					"from": "[email protected]",
					"recipientEmailList": [
						"[email protected]"
					],
					"replyTo": "[email protected]",
					"subject": "Compare Failed"
				},
				"nextStep": "End Step - Failure 1",
				"type": "action",
				"versionNumber": 2
			},
			"Verify Data Type": {
				"choiceList": [
					{
						"comparator": "IsPresent",
						"nextStep": "Get Access",
						"variableA.$": "$.getAccounts.accounts[?(@.sourceName==\"Workday FF\")].sourceId"
					}
				],
				"defaultStep": "Send Email 2",
				"description": null,
				"type": "choice"
			},
			"Verify Data Type 1": {
				"choiceList": [
					{
						"comparator": "IsPresent",
						"nextStep": "Manage Access",
						"variableA.$": "$.getAccess.accessItems[1]"
					}
				],
				"defaultStep": "Send Email",
				"description": "",
				"type": "choice"
			}
		}
	},
	"creator": {
		"type": "IDENTITY",
		"id": "5376e16c755844069821bdaddfd",
		"name": "test"
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"id": "idn:identity-attributes-changed"
		}
	}
}type or paste code here

Hi @pkumar22, I see that you are using $.trigger.attributes.positionId to get the positionId identity attribute which is the access profile name and thus search query the access profile via the name.

Your trigger is Identity Attribute Changed and in this trigger you can’t retrieve the identity attribute as shown in the payload documented here - Triggers - SailPoint Identity Services.

One suggestion is that you can add a Get Identity action right after the Identity Attribute Changed trigger and get the identity by the Identity ID $.trigger.identity.id. From there, get the identity attribute positionId using variable, eg: $.getIdentity.attributes.positionId.

Hope this helps.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.