Open Preview: Workflows Beta API

Can you confirm you have this portion set up as a JSON Path and not static? There is a drop-down menu for it. I just confirmed that I am able to do the following flow:
Trigger: identity-attributes-changed
Action: Get-Identity
Action: Send-Email
Operator: Success

Was able to get both the information via test and email.

-Tbui

Hi Tom,

Thanks, care to share that sample workflow? 🙂
I now run into the issue that my second step (the send email) fails as the values are not filled in.

This is my complete workflow (via API)

{
        "id": "8d9282ae-57e4-439f-8dbc-f1ae7ca255ab",
        "name": "Send email when attributes change",
        "description": "Send email when attributes change",
        "created": "2021-11-22T15:32:24.942222512Z",
        "definition": {
            "start": "Get Identity",
            "steps": {
                "Get Identity": {
                    "actionId": "sp:get-identity",
                    "attributes": {
                        "id.$": "$.identity.name"
                    },
                    "nextStep": "sendmail",
                    "selectInput": "$",
                    "selectResult": "$",
                    "type": "action"
                },
                "complete": {
                    "type": "success"
                },
                "sendmail": {
                    "actionId": "sp:send-email",
                    "attributes": {
                        "body": "Welcome to your first workflow.\nName:${Name}",
                        "context": {
                            "Name.$": "$.identity.name"
                        },
                        "recipientId.$": "$.identity.id",
                        "subject": "Hello World!"
                    },
                    "nextStep": "complete",
                    "selectInput": "$",
                    "selectResult": "$",
                    "type": "action"
                }
            }
        },
        "enabled": true,
        "executionCount": 11,
        "failureCount": 11,
        "creator": {
            "type": "IDENTITY",
            "id": "2c9180.....b7493",
            "name": "kold...y.com"
        },
        "owner": {
            "type": "IDENTITY",
            "id": "2c9180......1b7493",
            "name": "kold........com"
        },
        "trigger": {
            "type": "EVENT",
            "attributes": {
                "id": "idn:identity-attributes-changed"
            }
        }
    }

And this is my response:

[
    {
        "type": "WorkflowExecutionStarted",
        "timestamp": "2021-11-22T17:05:28.587591686Z",
        "attributes": {
            "input": {
                "_meta": {
                    "invocationId": "cc3a7abb-bb5a-4372-a489-d5d5c1820eca",
                    "subscriptionId": "8d9282ae-57e4-439f-8dbc-f1ae7ca255ab",
                    "triggerType": "FIRE_AND_FORGET"
                },
                "changes": [
                    {
                        "attribute": "triggerSnapshots",
                        "newValue": "{Rule=2c9180857d484512017d489bee2b40ce}",
                        "oldValue": "{Rule=2c9180857d484512017d489264053cc7}"
                    },
                    {
                        "attribute": "lastname",
                        "newValue": "Yoda-Family66",
                        "oldValue": "Yoda-Family4655d"
                    }
                ],
                "identity": {
                    "id": "2c91808873354f5401737088f1544bb1",
                    "name": "yoda",
                    "type": "IDENTITY"
                }
            }
        }
    },
    {
        "type": "WorkflowTaskScheduled",
        "timestamp": "2021-11-22T17:05:28.587631835Z",
        "attributes": {}
    },
    {
        "type": "WorkflowTaskStarted",
        "timestamp": "2021-11-22T17:05:28.640515299Z",
        "attributes": {}
    },
    {
        "type": "WorkflowTaskCompleted",
        "timestamp": "2021-11-22T17:05:28.67504578Z",
        "attributes": {}
    },
    {
        "type": "ActivityTaskScheduled",
        "timestamp": "2021-11-22T17:05:28.67511056Z",
        "attributes": {
            "activity": "sp:internal:http",
            "input": {
                "id": "yoda",
                "method": "GET",
                "path": "api/v1/identities/yoda",
                "service": "mice"
            },
            "task": "sp:get-identity"
        }
    },
    {
        "type": "ActivityTaskStarted",
        "timestamp": "2021-11-22T17:05:28.75783093Z",
        "attributes": {}
    },
    {
        "type": "ActivityTaskCompleted",
        "timestamp": "2021-11-22T17:05:28.848271771Z",
        "attributes": {}
    },
    {
        "type": "WorkflowTaskScheduled",
        "timestamp": "2021-11-22T17:05:28.848289988Z",
        "attributes": {}
    },
    {
        "type": "WorkflowTaskStarted",
        "timestamp": "2021-11-22T17:05:28.878915907Z",
        "attributes": {}
    },
    {
        "type": "WorkflowTaskCompleted",
        "timestamp": "2021-11-22T17:05:28.909230721Z",
        "attributes": {}
    },
    {
        "type": "ActivityTaskScheduled",
        "timestamp": "2021-11-22T17:05:28.909268443Z",
        "attributes": {
            "activity": "sp:internal:http",
            "input": {
                "body": {
                    "context": {
                        "Name": null
                    },
                    "emailTemplate": {
                        "body": "Welcome to your first workflow.\nName:${Name}",
                        "from": "[email protected]",
                        "replyTo": "[email protected]",
                        "subject": "Hello World!"
                    },
                    "medium": "EMAIL",
                    "recipientId": "<no value>"
                },
                "context": {
                    "Name": null
                },
                "method": "POST",
                "path": "notification/send-notification",
                "recipientId": null,
                "service": "hermes",
                "subject": "Hello World!",
                "useInternalClient": true
            },
            "task": "sp:send-email"
        }
    },
    {
        "type": "ActivityTaskStarted",
        "timestamp": "2021-11-22T17:05:36.097047458Z",
        "attributes": {}
    },
    {
        "type": "ActivityTaskFailed",
        "timestamp": "2021-11-22T17:05:36.133341178Z",
        "attributes": {}
    },
    {
        "type": "WorkflowTaskScheduled",
        "timestamp": "2021-11-22T17:05:36.133356804Z",
        "attributes": {}
    },
    {
        "type": "WorkflowTaskStarted",
        "timestamp": "2021-11-22T17:05:36.165911437Z",
        "attributes": {}
    },
    {
        "type": "WorkflowTaskCompleted",
        "timestamp": "2021-11-22T17:05:36.215415638Z",
        "attributes": {}
    },
    {
        "type": "WorkflowExecutionFailed",
        "timestamp": "2021-11-22T17:05:36.215445904Z",
        "attributes": {
            "error": "actionStep(sendmail) Error: task failed: activity error (type: sp:internal:http, scheduledEventID: 11, startedEventID: 12, identity: 1@59e78c70f7ba@): request failed: 400 - 400 Bad Request"
        }
    }
]

I think I need to change something to have the second step use information from the first step but don’t see what needs to be changed.

Again, thanks for all the suggestions and feedback. It really helps.

Kind regards,
Vincent

Looks like you’re able to successfully complete the Get-Identity. The failure is due to the following: you’re not passing a recipientId. Try using $.id to set the value to your id.

I highly recommend looking at the reference page to test your json payload.
https://developer.sailpoint.com/triggers/filtering_event_triggers.html#references

-Tbui

They will fix this, but at the moment it’s a defect. It’s correct that you would not see the owner in the JSON which you download from the UI, but you can download it. Delete the workflow and re-upload the JSON you downloaded and it should work fine. What you tried would also work.

When a new identity is created I need to send email notifications. I created the below JSON but got the error. In the input path and output path result, what should I give?

```json
{
    "name": "Email Notification",
    "description": "Email Notification When new account Provision",
    "definition": {
        "start": "Send Email",
        "steps": {
            "Send Email": {
                "actionId": "sp:send-email",
                "attributes": {
                    "body": "${Name}, Please note that your email address has been updated in our records",
                    "context": {
                        "Name.$": "$.identity.name",
                        "email-id.$": "$.identity.email"
                    },
                    "from": "[email protected]",
                    "recipientId": "$.identity.id",
                    "replyTo": "[email protected]",
                    "subject": "New account Provision"
                },
                "nextStep": "success",
                "selectInput": "$.identity.id",
                "selectResult": "$",
                "type": "action"
            },
            "success": {
                "type": "success"
            }
        }
    },
    "creator": {
        "type": "IDENTITY",
        "id": "2c9180867a7c46d0017a7ca125250543",
        "name": "Test user"
    },
    "trigger": {
        "type": "EVENT",
        "attributes": {
            "id": "idn:identity-created"
        }
    }
}
```

The error message is below.

```json
{
    "type": "WorkflowExecutionFailed",
    "timestamp": "2021-11-23T21:15:19.381842477Z",
    "attributes": {
        "error": "output was not a valid map"
    }
}
```

I’m retrieving a few values from context in a Workflow as below:

"steps": {
			"Trigger Email": {
				"actionId": "sp:send-email",
				"attributes": {
					"body": "${Name}, Please note that your email address has been updated in our records",
					"context": {
						"Name.$": "$.identity.name",
						"personalEmail.$": "$.identity.personalEmail"
					},
					"recipientId.$": "$.identity.id",
					"subject": "Your email has been changed!"
				},
				"nextStep": "complete",
				"type": "action"
			}, 

I could see those values ${Name} evaluated to "john.doe", but when I used that in the email template it didn’t populate the value… any thoughts?

"input": {
      "body": {
        "context": {
          "Name": "john.doe",
          "personalEmail": null
        },
        "emailTemplate": {
          "body": "${Name}, Please note that your email address has been updated in our records",
          "from": "[email protected]",
          "replyTo": "[email protected]",
          "subject": "Your email has been changed!"
     }

My guess is that the personalEmail is part of the changes, not the identity itself, in the input. So your JSONPath needs to change to get the personalEmail from the changes instead of the identity.

So when this is, for example, a change on the lastname, the input looks like this:

"input": {
                "_meta": {
                    "invocationId": "a4325ba......47d460d64",
                    "subscriptionId": "9775.....e36823ca37",
                    "triggerType": "FIRE_AND_FORGET"
                },
                "changes": [
                    {
                        "attribute": "triggerSnapshots",
                        "newValue": "{Rule=2c9180....291b}",
                        "oldValue": "{Rule=2c91.....d515526a14a1f}"
                    },
                    {
                        "attribute": "lastname",
                        "newValue": "Yoda-sRs4i75s4s",
                        "oldValue": "Yoda-sRsd44i75s4s"
                    }
                ],
                "identity": {
                    "id": "2c91808873.......f1544bb1",
                    "name": "yoda",
                    "type": "IDENTITY"
                }
            }

Then the JSONPath should be `$.changes[?(@.attribute=='lastname')].newValue`
in my example above to get the changed lastname.

The identity only has ID, Name and Type.

hope it helps.
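
The point made in the reply above, as an added example that is not part of the original thread or SailPoint's code: a pre-flight check in Python that resolves every `.$` attribute of a step against a sample trigger input and lists the ones that come back empty. The sample input is constructed, and `resolve` and `unresolved` are hypothetical helpers implementing only a small JSONPath subset (key chains and equality filters), not the Workflows engine's evaluator.

```python
import re

# Constructed sample shaped like the identity-attributes-changed input shown above.
TRIGGER_INPUT = {
    "changes": [
        {"attribute": "lastname", "newValue": "Yoda-New", "oldValue": "Yoda-Old"},
    ],
    "identity": {"id": "example-identity-id", "name": "yoda", "type": "IDENTITY"},
}

# Step attributes as posted in the thread, plus the suggested filter path.
STEP_ATTRIBUTES = {
    "body": "${Name}, your record was updated",
    "context": {
        "Name.$": "$.identity.name",
        "personalEmail.$": "$.identity.personalEmail",
        "lastname.$": "$.changes[?(@.attribute=='lastname')].newValue",
    },
    "recipientId.$": "$.identity.id",
}

TOKEN = re.compile(r"\.(\w+)|\[\?\(@\.(\w+)==['\"]([^'\"]*)['\"]\)\]")

def resolve(path, doc):
    """Evaluate a small JSONPath subset: $.key chains and [?(@.k=='v')] filters."""
    if not path.startswith("$"):
        raise ValueError("not a JSONPath: " + path)
    nodes, pos = [doc], 1
    while pos < len(path):
        m = TOKEN.match(path, pos)
        if not m:
            raise ValueError("unsupported syntax at %d in %s" % (pos, path))
        key, fkey, fval = m.groups()
        if key is not None:   # child access on objects that have the key
            nodes = [n[key] for n in nodes if isinstance(n, dict) and key in n]
        else:                 # equality filter over the elements of a list
            nodes = [e for n in nodes if isinstance(n, list)
                     for e in n if isinstance(e, dict) and e.get(fkey) == fval]
        pos = m.end()
    return nodes[0] if nodes else None

def unresolved(attrs, doc, prefix=""):
    """Return names of every '.$' attribute whose path yields nothing for doc."""
    missing = []
    for name, value in attrs.items():
        if isinstance(value, dict):
            missing += unresolved(value, doc, prefix + name + ".")
        elif name.endswith(".$") and resolve(value, doc) is None:
            missing.append(prefix + name)
    return missing
```

Running `unresolved(STEP_ATTRIBUTES, TRIGGER_INPUT)` against a captured execution input before enabling a workflow shows which template variables and recipients would be sent as null.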

Thanks Tom,

I got a working sample now.

Just a follow-up question: is there a way to get the accounts for an identity? I would like to make a workflow that only sends an email when an identity has a particular account on a source.

Cheers and many thanks!
Vincent

Hi Team - Is there a way to use multiple “compare strings” to TRUE output to a “create Certification” input? If I want to generate a cert campaign when any one of multiple Identity Attributes changes [department / cost center / manager / division etc.], do I have to have multiple workflows for each? Or is there any way to manage ALL the Identity attribute changes in one workflow?

Hi,

There is no facility to check multiple conditions at the same time. We did the same requirement in the same way you presented, keep checking for next attribute when previous condition is true.

Thanks,
VK.

Thanks VK, I was wondering if the below may work:
`$.changes[?(@.attribute in ['department', 'manager'])]` and then somehow count or get a TRUE / FALSE response to compare the value 2 in compare string… But it seems the way is to check individually and use multiple createCertification actions. Thanks again…

Hi Sauvee,

Could you please share the workflow with a successful Get Identity? I have used $.identity.id to get the identity to be used in the next steps to create the certification campaigns during the attribute change.

My trigger is working fine when I change the manager value of a user, but the workflow is not fetching the exact identity which should be certified, and the campaign is getting created with no user and the created campaign is automatically getting completed.

Thanks,
Ashok

From initial analysis it appears that workflow is an extension of existing API framework. Does this mean the triggers that are currently not available via API cannot be leveraged in workflow? Please confirm
e.g. We’ve a use case where we want to read failed de-provisioning event to trigger an email.

Any help will be appreciated!

You can leverage the search API to retrieve the failed events you want to see.

Search API didn’t yield any result despite there being quite a few provisioning failures in the UI under AdminUI -> Identities -> Activities. API call status was 200.

Nonetheless, Is there a trigger (workflow) that can be utilized to create workflow for notifications or perhaps retry to de-provision (failed due to rate limits)?

Hi,

I am trying to test a workflow with action “Create Access Request”.
When testing, I get “error”: “output was not a valid map”.
Can anybody help with the step to test?

Note: I have updated my Id to test in test input in identity object.

@Mahak14, there is a known bug in the Workflows UI that prevents users from creating an access request. Please see Access Request Workflow for information on how to overcome this until we fix the UI component.

output.txt (2.9 KB)
workflow.txt (919 Bytes)
Hi,

Tried changing the json of the workflow, still getting the same error.
I have attached the workflow and output for reference. Can you please look once.

@Mahak14 , Your Create Request for Access is as follows:

"Create Request for Access": {
				"actionId": "sp:create-approval-request",
				"attributes": {
					"identities": {
						"id": "2c9180877e*********************"
					},
					"requestedItems": [
					{
						"id": "2c918086759540****************",
						"type": "ROLE"
					}
				  ]
				},
				"description": null,
				"nextStep": "success",
				"selectInput": null,
				"selectResult": null,
				"type": "action"
			},

It should be this:

"Create Request for Access": {
				"actionId": "sp:create-approval-request",
				"attributes": {
					"identities.$": ["2c918086759540****************"], <-- This line changed
					"requestedItems": [
					{
						"id": "2c918086759540****************",
						"type": "ROLE"
					}
				  ]
				},
				"description": null,
				"nextStep": "success",
				"selectInput": null,
				"selectResult": null,
				"type": "action"
			},

However it may be more useful to use a JSONpath that references the identity in the trigger payload.

```json
"Create Request for Access": {
				"actionId": "sp:create-approval-request",
				"attributes": {
					"identities.$": ["$.identity.id"],
					"requestedItems": [
					{
						"id": "2c918086759540****************",
						"type": "ROLE"
					}
				  ]
				},
				"description": null,
				"nextStep": "success",
				"selectInput": null,
				"selectResult": null,
				"type": "action"
			},
```

How can I request access to workflows in my tenants? The form above is deactivated.