Workflows remove roles on identity termination

We have three applications in our case where we have like 100 roles (20-30 for each application)... So in the Get Access search query I need to mention all the role IDs?

It would be really helpful if you could answer this doubt…

Thanks

Welcome to the developer community Siva.

When you say applications, are you referring to Apps or something else? I just need to clarify this because I don’t think you can assign roles to an app, only access profiles.

Hi @colin_mckibben

Sorry, I wrote it as applications, but I mean sources in IDN.

So we have 3 sources in IDN from which we have like 100 access profiles, which are linked to 100 roles.
On user termination we want the roles to be removed... if the user has them.

Do you want to remove all roles for a terminated user? That’s pretty straightforward.

1 Like

We need to remove specific roles that the user has, not all the roles.

The current limitation of workflows is the missing for loop. It seems like the product team is adding more operations, which are kind of bulk operations, and there is no sign of adding a powerful for loop.

As a customer I would like to control/filter what accounts/roles we want to disable/remove instead of calling bulk disable/removal. This is missing from the current functionality of workflows.

1 Like

Hi @colin_mckibben

Any update on this? We want to remove specific roles on user termination.

Thanks

Is there any way to link these roles to their source by their name, owner, or access profiles? I ask because roles don’t say what source they belong to because they can contain access profiles from different sources. If your roles are named in such a way as to hint at what source they belong to, then this can help with crafting a search query. For example, if your source is active directory and all of your roles related to active directory start with “AD”, then we can craft a query to get all roles for that source.

If not, then the only feasible way to do this is by hardcoding each role name or ID into the search query, which can become out of date as you add/change/delete roles.

@colin_mckibben Yes, we have three sources that we have roles for, and for each role we have a naming convention which starts with the source name.
Ex: AD_Ent, and likewise for the others.

Please let me know the query that we can use.

Thanks

Try configuring your “Get Access” action like so:

Use as many “OR” operators as you need to encompass all of the sources you need.

Hi @colin_mckibben

Is there any way to keep a wait step until the standard criteria roles are removed from the Identity before the "Get Access" step? / Can we add an Identity Refresh step before we "Get Access" (roles) from the Identity? / Is there any way to avoid the standard criteria roles in the "Get Access" step?

In our case the trigger for the workflow that we are using is an identity attribute change to inactive. We have a few standard criteria roles which will be removed when the user is inactive (based on the criteria). But the problem is that before it removes the standard criteria roles, the workflow is getting triggered, and at the "Get Access" step it is getting the standard criteria roles along with the requested roles, and when it moves to the "Manage Access" step it gives the error below and the execution of the workflow fails.

{"displayName":"Manage Access","error":"request failed: 400 - 400 Bad Request: Required field \"requestedItems\" was missing or empty. (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request","stepName":"manageAccess","task":"sp:access:manage"}
WorkflowExecutionFailed,"2023-01-31T10:51:53.03604431Z","{"error":"actionStep(Manage Access) Err: task failed: activity error (type: sp:access:manage, scheduledEventID: 50, startedEventID: 51, identity: 1@ce25fa849d02@): request failed: 400 - 400 Bad Request: Required field \"requestedItems\" was missing or empty. (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request: Required field \"requestedItems\" was missing or empty. (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request"}"

Can you please help me with this? How can we handle this issue?

1 Like
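The two threads of this discussion, building the "Get Access" search query from the source naming convention (Colin's suggestion above) and the "requestedItems was missing or empty" failure when only criteria-assigned roles come back, can be modelled outside the workflow editor. The following is an added example, not SailPoint's code or anything posted in this thread: the source prefixes, the role records and the `criteria` flag are constructed, the `name:<prefix>*` query syntax and the access-request body fields are my assumptions about the tenant and the v3 access request API, and the only field taken from the page is `requestedItems`.

```python
"""Added example (not SailPoint's code): build the role search query from source
name prefixes and show why filtering criteria-assigned roles avoids sending an
empty "requestedItems" to Manage Access. All data below is constructed."""

# Constructed naming convention, as in the thread: role names start with the source name.
SOURCE_PREFIXES = ["AD_", "SAP_", "WD_"]


def build_role_query(prefixes):
    """Join one wildcard clause per source prefix with OR, as the reply above suggests.
    Assumes IdentityNow search syntax name:<prefix>* (assumption, verify in your tenant)."""
    return " OR ".join(f"name:{p}*" for p in prefixes)


# Constructed identity: roles currently held by the terminated user. 'criteria' marks
# roles assigned by standard criteria, which the tenant removes on its own once the
# identity goes inactive, so they must not be requested for removal again.
IDENTITY_ROLES = [
    {"id": "role-1", "name": "AD_Ent",      "criteria": False},
    {"id": "role-2", "name": "AD_AllUsers", "criteria": True},
    {"id": "role-3", "name": "SAP_Finance", "criteria": False},
    {"id": "role-4", "name": "Birthright",  "criteria": False},  # no source prefix: untouched
]


def matches_query(role, prefixes):
    """Local stand-in for what the search query would match on the role name."""
    return any(role["name"].startswith(p) for p in prefixes)


def roles_to_remove(roles, prefixes, exclude_criteria=True):
    """Roles the query would return, minus criteria-assigned ones when exclude_criteria is set.
    This is the filter the workflow cannot express today without a loop step."""
    return [
        r for r in roles
        if matches_query(r, prefixes) and not (exclude_criteria and r["criteria"])
    ]


def manage_access_request(roles, identity_id):
    """Shape of a revoke request body (field names are an assumption about the v3 API).
    Returns None when nothing is left to remove, so the caller skips the step instead
    of sending the empty requestedItems that produced the 400 in the thread."""
    if not roles:
        return None
    return {
        "requestType": "REVOKE_ACCESS",
        "requestedFor": [identity_id],
        "requestedItems": [{"type": "ROLE", "id": r["id"]} for r in roles],
    }


if __name__ == "__main__":
    print(build_role_query(SOURCE_PREFIXES))
    selected = roles_to_remove(IDENTITY_ROLES, SOURCE_PREFIXES)
    print(manage_access_request(selected, "constructed-identity-id"))
    # Only criteria roles matched: nothing is sent, rather than an empty list.
    only_criteria = [r for r in IDENTITY_ROLES if r["criteria"]]
    print(manage_access_request(roles_to_remove(only_criteria, SOURCE_PREFIXES), "x"))
```

Running it prints the OR-joined query, a revoke body containing `AD_Ent` and `SAP_Finance` only, and `None` for the case where every matching role is criteria-assigned. In the workflow itself the equivalent of the `None` branch is a Verify Data Type or Compare step on the "Get Access" output before "Manage Access", so the step is skipped when the list is empty.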

Hi @colin_mckibben

Any insights on the above ask?

Thanks,
Sravani

Hi Colin,

As part of user suspension we have to remove all the entitlements for certain sources, so we are trying to achieve that by configuring a Workflow. In the "Get Access" action we have selected "Entitlements", and in the Search Query we have been using - source.name:

This is not working as expected and is not removing all the entitlements of the particular source mentioned in the search query. Are we missing anything here?

Regards
Aditi

@amajumdar1 I see you have a topic open for this already. Let’s move the conversation to this topic: Workflow - Remove Entitlements from selected source - #4 by sharvari_shah

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.