Workflows: Getting Started and Advanced

Presenters: @colin_mckibben

Here is the workflow definition for the loop that I built.
WorkflowsLoop20230309.json (3.2 KB)

And here are my presentation notes:

INTRODUCTION

Welcome everyone. My name is Colin McKibben, and I am Lead Developer Advocate at SailPoint. In this session I’m going to give you a guided tour of the Workflows UI as well as demonstrate advanced workflow features that will help you better understand the capabilities of workflows and the kinds of use cases it can solve for your organization. The workflows that I will be building for this demonstration probably won’t have any real world use case, but they will serve as a means to explain some of the more advanced capabilities of the workflows engine.

Navigating to the workflow page (2 minutes)

If you have workflows enabled in your org, then you will find the workflow editor under Admin → Workflows.

  • Describe each column in the table
  • Click on a workflow for additional information.
  • Explain execution history and how to download them.
  • How to download a workflow script. Why you would want to do this.
  • Enable/disable workflow. Can only edit a disabled workflow.
  • Provide feedback

Creating a workflow

There are three ways to create a workflow: using an out-of-the-box template, uploading a workflow script, or creating a brand new workflow from scratch.

From scratch (12 minutes)

  • Select “New Workflow” → “Build a New Workflow”
  • Give it a name and description
  • A workflow must start with a trigger, followed by one or more actions and operators.
  • Demonstrate a simple identity attributes changed → get identity → email → end.
  • Demonstrate how to test the workflow. Show what a success and a failure look like, and how one might debug a failed workflow.

From template (2 minutes)

  • Select “New Workflow” → “Select a Template”
  • Select a template that suits your use case the closest
  • Name the workflow and provide a description
  • Edit the workflow as desired.

From script (2 minutes)

  • Select “New Workflow” → “Upload File”
  • Select the workflow file to upload.
  • Change the name, if desired
  • Modify the workflow as desired.

JSONpath

Workflows uses a language called JSONpath to aid in the selection of data that can be used as input into actions and operators. JSONpath has a few implementations, with the most common one being Goessner. SailPoint, however, uses an implementation that is closer to Jayway, which offers a more robust set of filters and operators. This is an important distinction to remember when building and testing your JSONpath because many online JSONpath validators only support Goessner, which means you could be testing against the wrong implementation. I highly recommend you check out our trigger filter reference material in the developer portal to learn more about the operators that are available, along with a suitable online JSONpath validator.

Filtering Events | SailPoint Developer Community.

Trigger Filters

Most workflow triggers are based on the ETS triggers, which offer the ability to filter events so you only receive notifications for the events you are interested in. Trigger filtering is a powerful tool that can eliminate the need for complicated comparison operators in your workflow while simultaneously reducing the number of invocations your workflow receives. It is important to filter your events so you don’t run the risk of having too many workflow executions.

Example: Demonstrate how to filter Identity Attribute Changed event to check for a specific department change. Do this with ETS and webhook.site. Explain what would have happened if you didn’t have this filter.

NOTE: Trigger filters only work on live executions of the workflow. They will not be considered during a test run. This behavior may change in the future, though.

Comparisons (Start Workflow 1)

Comparison operators allow you to create branches in your workflow based on decisions that need to be made about data from previous steps. Each comparison operator works on a specific type of data, like a number, boolean, or string. It is important to select the right comparison operator for the data you are comparing.

Example: Use identity attributes changed and Get identity info and check if the manager exists. If no manager, use send email step below.

Inline Variables

Inline variables offer the ability to mix static text with variables in text fields.

Example: Send an email to the identity saying they don’t have a manager.

Loops

Loops allow you to perform a set of actions on each item in a list. The contents of a loop are like a sub-workflow, allowing you to use actions and operators to perform complicated processing actions for each item in the loop. Looping in workflows is performed asynchronously, meaning that the loop does not wait for an iteration to finish before moving on to the next iteration. It will kick off the series of actions in the loop for each item as quickly as possible. The advantage of this approach is that execution time is greatly reduced at the cost of a guaranteed order for when items are processed. It’s also important to note that there is currently a 100 item limit for loops.

Example: Send an email to each identity in a list

Running the tests

  • For the positive condition, use edard: 2c918083823c538c018245d81c3f7325
  • For the negative condition, use arya: a0b2cb237913404d92e217c2a683b4b9

External Trigger

Workflows provides a variety of triggers that will kick off a workflow based on some event that happened within IdentityNow. In some cases, you may want to trigger a workflow from some service outside of IdentityNow. For example, you might want to trigger a workflow that submits an access request based on a ticket that was created in your helpdesk software. The External Trigger opens up workflows to any external application, greatly increasing the number of use cases that can be solved for.

Example: Kick off an external trigger from postman that supplies an identity ID and the target lifecycle state.

HTTP Action

The External Trigger provides the outside world a way into workflows, while the HTTP action provides workflows with a way to the outside world. The HTTP action allows you to create an HTTP request to call an API service. This is a powerful action that allows workflows to kick off processes or fetch data from other web services. Such use cases might be to send a Microsoft Teams notification instead of an email, or call an IdentityNow API that doesn’t have a corresponding Workflow Action.

Example: Call the search API using the provided search query

Running the tests

  • IdentityID: test.user 2c9180847e25f377017e2ae8cae4650b
  • Limit: 2

Scheduled Trigger

The scheduled trigger offers a way to execute a workflow on a set schedule, as opposed to responding to an event. The scheduled trigger offers a friendly UI to configure the schedule, but you can also use a CRON expression to fine tune your schedule. CRON expressions can’t be more frequent than hourly.

Examples of CRON expressions that can’t be done with the UI:

  • Run every hour at the 15 minute mark: 15 * * * *
  • Run at the bottom of the hour every 2 hours every week from Monday through Friday: 0 */2 * * 1-5
  • Use https://crontab.guru/ for help.

Conclusion

That concludes this session on Workflows. If there’s one thing you take away from this session, it is that Workflows provides an easy way to extend IdentityNow beyond what you can do in the UI, and is a simple alternative to writing code to accomplish business goals. Be sure to check out the documentation at documentation.sailpoint.com, and head over to the developer community to connect with your peers to give and receive help with your workflow ideas.
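
The hourly limit on CRON expressions described in the Scheduled Trigger notes can be checked before a schedule is pasted into the trigger. The following is an added example, not part of the original post and not SailPoint's own validation: the names expand_field and check_schedule are hypothetical, and it assumes a standard five-field numeric CRON expression and that "more frequent than hourly" means the minute field expands to more than one value.

```python
# Added example (hypothetical helper, not SailPoint code): pre-flight check
# for a scheduled-trigger CRON expression. Numeric fields only (no MON/JAN names).

# Allowed range per field: minute, hour, day-of-month, month, day-of-week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

def expand_field(field, lo, hi):
    """Expand one cron field (*, lists, ranges, steps) into a sorted list of ints."""
    values = set()
    for part in field.split(","):
        base, _, step_text = part.partition("/")
        step = int(step_text) if step_text else 1
        if step < 1:
            raise ValueError(f"bad step in {part!r}")
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            first, last = base.split("-", 1)
            start, end = int(first), int(last)
        else:
            start = int(base)
            # "5/15" is read as "from 5 to the end of the range, every 15"
            # (an assumption; not every cron implementation accepts this form).
            end = hi if step_text else start
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)

def check_schedule(expr):
    """Return (minutes, hours, ok). ok is False when the expression would fire
    more than once in a matching hour, i.e. more frequently than hourly."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    expanded = [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    minutes, hours = expanded[0], expanded[1]
    # One expression uses the same minute set in every matching hour, so two
    # firings are less than 60 minutes apart exactly when there are 2+ minutes.
    return minutes, hours, len(minutes) == 1

if __name__ == "__main__":
    # The two expressions from the notes, plus two constructed sub-hourly ones.
    for expr in ["15 * * * *", "0 */2 * * 1-5", "*/15 * * * *", "0,30 9-17 * * 1-5"]:
        minutes, hours, ok = check_schedule(expr)
        verdict = "ok" if ok else "REJECT: more frequent than hourly"
        print(f"{expr:20} minutes={minutes} hours={len(hours)} per day -> {verdict}")
```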

It was really a nice video, especially for beginners :slight_smile:

2 Likes