Workflows Manage Access 403 Error when Revoking Access

Identity Security Cloud (ISC) ISC Discussion and Questions
1

I’m having similar issues with the Manage Access action on WFs too. My JSON path is $.getAccess.accessItems

image
image1027×565 38.1 KB

Unfortunately the Get Access Items endpoint seems to return the user’s AD containers as entitlements as well, but they are missing IDs
image
image1441×515 42.2 KB

This fails the manage access action. This can be worked around if one uses the following jsonpath filter: $.getAccess.accessItems[?(@.id != “”)] which does seem to get past the 400 error but then fails with a 403 instead:
{“error”:“actionStep(Manage Access) Error: task failed: activity error (type: sp:access:manage, scheduledEventID: 11, startedEventID: 12, identity: 1@4281fca15c41@): request failed: 403 - 403 Forbidden: The server understood the request but refuses to authorize it. (type: HTTP Response Returned a Client Error, retryable: false): request failed: 403 - 403 Forbidden (type: HTTP Response Returned a Client Error, retryable: false): request failed: 403 - 403 Forbidden: The server understood the request but refuses to authorize it. (type: HTTP Response Returned a Client Error, retryable: false): request failed: 403 - 403 Forbidden”}

image

2

Hi Rishabh,

You are receiving a 403 because the underlying API used by Manage Access is the create access request endpoint, which states that revocation for entitlements is currently not supported. Unfortunately, this isn’t something you would have known based on the information available in the UI or the Workflow docs. I’ll work with engineering to update the docs and the UI to make it clear that entitlements can’t be revoked.

Please note, however, that our product team looking into adding the ability to request revocation of entitlements in the API, so it will be supported at some point.

3

The docs team has updated the documentation for Manage Access with a note that entitlements can’t be revoked. Also, the UI team has coded a better error message in the event that Manage Access tries to revoke entitlements, so it should be clearer in the future if anyone encounters this situation.

1 Like