# Provisioning Action Completed Trigger

The Provisioning Action Completed event trigger notifies specified individuals or systems when a provisioning action has completed. It provides a flexible way to extend the provisioning workflow after access has changed for an identity within SailPoint, which supports more proactive governance and ensures users can quickly obtain the access they need.

[Figure: Flow]

When an account in a target application is provisioned, this trigger can:

  • Notify the requester that the access request has been fulfilled.
  • Notify an application user and/or access certifier that access has been revoked.
  • Notify an administrator or system that provisioning has been completed.
  • Notify a third party system to trigger another action (e.g. continue additional provisioning actions) or simply for auditing of provisioning activities.

# Getting Started

# Prerequisites

  • An OAuth client configured with the ORG_ADMIN authority.
  • An org enabled with the ARSENAL_ALLOW_POSTPROVISIONING_TRIGGERS feature flag.
  • Connectors configured for provisioning into target applications.
  • An org configured for automated provisioning. See the Event Context section for specific setup.

# Event Context

In order to provision to a target application, the connector for the source needs to support the following connector features:

  • ENABLE - Can enable or disable an account.
  • UNLOCK - Can lock or unlock an account.
  • PROVISIONING - Can write to accounts. Currently, the trigger does not include attribute synchronization.
  • PASSWORD - Can update the password for an account.

For a list of supported connectors and features, see Supported Connectors for IdentityNow.

For information about configuring sources for provisioning, see How can I edit the Create Profile on a source?

Provisioning events occur in the workflows described in the following sections: Access Request, Certification, Role Membership, Lifecycle Management, and Password Management.

Use the following command to view the trigger details:

```bash
curl --request GET --url 'https://{tenant}.api.identitynow.com/beta/triggers' --header 'authorization: Bearer {access_token}'
```

Note: If you don't see this trigger in IdentityNow or through the above API call, you will need to contact SailPoint to have us enable it in your tenant.


# Access Request

When an Access Request approval process has completed with all positive approvals, the access request is fulfilled by provisioning the requested access to the target application.

[Figure: Flow]

Access acquired through a role request can also be revoked and those changes can be provisioned to an account.

The following steps need to be completed:

  • Source Connector configured for PROVISIONING. Access Request in SailPoint SaaS currently does not support ACCOUNT_ONLY_REQUEST or ADDITIONAL_ACCOUNT_REQUEST.
  • Source Entitlements mapped in Account Schema.
  • Access Profile using Source Entitlements. Role setup is optional.
  • Application enabled for Access Request.

NOTE: There is no indication to the approver in the IdentityNow UI that the approval is for a revoke action. This must be considered for all usage of these APIs.

[Figure: Flow]

# Certification

Removal of access acquired through Access Request can be provisioned through Certifications.

Note: Certifications cannot revoke access acquired via Role Membership or Lifecycle Changes.

[Figure: Flow]

# Role membership

Access defined in access profiles can be grouped into Roles, and Roles can be assigned to identities using COMPLEX_CRITERION or IDENTITY_LIST. For information on how to set COMPLEX_CRITERION, see Admin UI.

Note: Using CUSTOM Role Membership through Rules is no longer supported.

Additionally, roles can be mapped from an authoritative source.

[Figure: Flow]

# Lifecycle Management

This trigger will fire when an account has been provisioned, enabled, or disabled.

[Figure: Flow]

To provision access with lifecycle states, the following steps must be completed:

  • Source Connector configured for ENABLE to enable/disable accounts and/or PROVISIONING to create/update/delete accounts.
  • Source Entitlements mapped from the Authoritative Source.
  • Source Entitlements mapped to Access Profiles.
  • Identity Profile using the authoritative source.
  • Lifecycle states configured. To set up, follow this [guide].

# Password Management

Password changes can be provisioned to target applications through password reset or password interception. Also, unlocking of accounts can be provisioned via password change within SailPoint SaaS.

For password management setup, you will need to configure:

  • Source Connector configured for PASSWORD for password changes and/or UNLOCK for unlock operations.
  • Password Sync Group.

# Trigger Type

This event trigger is a FIRE_AND_FORGET type. When you subscribe to this event trigger with your HTTP endpoint, your endpoint is not expected to return a response body; the trigger does not act on anything you send back.

# Input Schema

The input schema defines what your subscription will receive. Here is an example input provided by the trigger:

```json
{
    "requester": {
        "id": "2c91808b6ef1d43e016efba0ce470906",
        "name": "Adam Admin",
        "type": "IDENTITY"
    },
    "sources": "Corp AD, Corp LDAP, Corp Salesforce",
    "warnings": [
        "Notification Skipped due to invalid email"
    ],
    "recipient": {
        "id": "2c91808b6ef1d43e016efba0ce470909",
        "name": "Ed Engineer",
        "type": "IDENTITY"
    },
    "action": "IdentityRefresh",
    "accountRequests": [
        {
            "source": {
                "id": "4e4d982dddff4267ab12f0f1e72b5a6d",
                "name": "Corporate Active Directory",
                "type": "SOURCE"
            },
            "accountId": "CN=Chewy.Bacca,ou=hardcorefigter,ou=wookies,dc=starwars,dc=com",
            "accountOperation": "Modify",
            "provisioningResult": "SUCCESS",
            "provisioningTarget": "Corp AD",
            "ticketId": "72619262",
            "attributeRequests": [
                {
                    "operation": "Add",
                    "attributeName": "memberOf",
                    "attributeValue": "CN=jedi,DC=starwars,DC=com"
                }
            ]
        }
    ],
    "trackingNumber": "4b4d982dddff4267ab12f0f1e72b5a6d",
    "errors": [
        "General Error",
        "Connector AD Failed"
    ]
}
```

  • requester - Reference to the identity (if any) who submitted the provisioning request.
  • recipient - Reference to the identity who is the target of the provisioning request.
  • action - Origin of where the provisioning request came from.
  • trackingNumber - The reference number of the provisioning request. Useful for tracking status in the Account Activity search interface.
  • warnings - A list of any accumulated warning messages that occurred during provisioning.
  • errors - A list of any accumulated error messages that occurred during provisioning.
  • sources - One or more sources that the provisioning transaction(s) were performed against.
  • accountRequests - A list of provisioning instructions to perform on an account-by-account basis.
    • source - Reference to the source being provisioned against.
    • accountId - The unique identifier of the account being provisioned.
    • accountOperation - The provisioning operation; typically Create, Modify, Enable, Disable, Unlock, or Delete.
    • provisioningResult - The overall result of the provisioning transaction; this could be success, pending, failed, etc.
    • provisioningTarget - The name of the provisioning channel selected; this could be the same as the source, or could be a Service Desk Integration Module (SDIM).
    • ticketId - A reference to a tracking number, if this is sent to a Service Desk Integration Module (SDIM).
    • attributeRequests - A list of attributes that are part of the provisioning transaction.
      • operation - The operation to handle the attribute. These can be Add, Set, or Remove.
      • attributeName - The name of the attribute being provisioned.
      • attributeValue - The value of the attribute being provisioned.

# Common Filters

| Use Case | Filter |
| --- | --- |
| Successful Provisioning | `$.accountRequests[?(@.provisioningResult == "SUCCESS")]` |
| Unsuccessful Provisioning | `$.accountRequests[?(@.provisioningResult != "SUCCESS")]` |
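The following receiver ties the Input Schema and Common Filters sections together: it is an added example, not SailPoint's code, and it assumes only the payload shape shown above. The sample event is the page's own example payload, embedded here as constructed test input. `successful_requests` and `unsuccessful_requests` apply the same selection as the two JSONPath filters in plain Python, `summarize_event` turns one event into an audit record plus the notifications the Flow section describes (requester, administrator), and `TriggerHandler` is a minimal FIRE_AND_FORGET endpoint that validates the payload, records it, and answers 200 promptly. The audience names and the `describe` formatting are this example's own choices; nothing here sends mail or tickets.

```python
"""Receiver for the Provisioning Action Completed trigger (added example, not SailPoint code)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the payload shown in the Input Schema section of this page.
SAMPLE_EVENT = {
    "requester": {"id": "2c91808b6ef1d43e016efba0ce470906", "name": "Adam Admin", "type": "IDENTITY"},
    "sources": "Corp AD, Corp LDAP, Corp Salesforce",
    "warnings": ["Notification Skipped due to invalid email"],
    "recipient": {"id": "2c91808b6ef1d43e016efba0ce470909", "name": "Ed Engineer", "type": "IDENTITY"},
    "action": "IdentityRefresh",
    "accountRequests": [{
        "source": {"id": "4e4d982dddff4267ab12f0f1e72b5a6d", "name": "Corporate Active Directory", "type": "SOURCE"},
        "accountId": "CN=Chewy.Bacca,ou=hardcorefigter,ou=wookies,dc=starwars,dc=com",
        "accountOperation": "Modify",
        "provisioningResult": "SUCCESS",
        "provisioningTarget": "Corp AD",
        "ticketId": "72619262",
        "attributeRequests": [{"operation": "Add", "attributeName": "memberOf",
                               "attributeValue": "CN=jedi,DC=starwars,DC=com"}],
    }],
    "trackingNumber": "4b4d982dddff4267ab12f0f1e72b5a6d",
    "errors": ["General Error", "Connector AD Failed"],
}

# Fields this handler depends on; "requester" is optional per the schema description.
REQUIRED = ("recipient", "action", "trackingNumber", "accountRequests")


def validate_event(event):
    """Return a list of problems; an empty list means the payload has what the handler needs."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in event]
    if not isinstance(event.get("accountRequests"), list):
        problems.append("accountRequests must be a list")
    return problems


def successful_requests(event):
    """Same selection as the filter $.accountRequests[?(@.provisioningResult == "SUCCESS")]."""
    return [r for r in event["accountRequests"] if r.get("provisioningResult") == "SUCCESS"]


def unsuccessful_requests(event):
    """Same selection as the filter $.accountRequests[?(@.provisioningResult != "SUCCESS")]."""
    return [r for r in event["accountRequests"] if r.get("provisioningResult") != "SUCCESS"]


def describe(req):
    """One audit line per account request, including the attribute operations it carried."""
    changes = ",".join(f"{a.get('operation')}:{a.get('attributeName')}"
                       for a in req.get("attributeRequests") or [])
    return (f"{req.get('provisioningTarget')}: {req.get('accountOperation')} "
            f"{req.get('accountId')} -> {req.get('provisioningResult')} [{changes}]")


def summarize_event(event):
    """Turn one trigger payload into (audit_record, notifications).

    notifications is a list of (audience, message) tuples; a real deployment would
    hand these to its mail or ticketing system instead of returning them.
    """
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    requester = event.get("requester") or {}  # absent when nobody submitted a request
    ok, failed = successful_requests(event), unsuccessful_requests(event)
    audit = {
        "trackingNumber": event["trackingNumber"],
        "action": event["action"],
        "recipient": event["recipient"].get("name"),
        "requester": requester.get("name"),
        "succeeded": [describe(r) for r in ok],
        "failed": [describe(r) for r in failed],
        "warnings": list(event.get("warnings") or []),
        "errors": list(event.get("errors") or []),
    }
    notifications = []
    if ok and audit["requester"]:
        notifications.append(("requester", f"{len(ok)} account change(s) for {audit['recipient']} completed"))
    if failed:
        notifications.append(("admin", f"{len(failed)} account change(s) for {audit['recipient']} did not succeed"))
    if audit["errors"]:
        # Errors can accompany a SUCCESS result (as in the sample), so they are surfaced on their own.
        notifications.append(("admin", "provisioning errors: " + "; ".join(audit["errors"])))
    return audit, notifications


class TriggerHandler(BaseHTTPRequestHandler):
    """FIRE_AND_FORGET endpoint: parse, record, reply 200 quickly; defer slow work elsewhere."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            audit, notifications = summarize_event(json.loads(self.rfile.read(length)))
        except ValueError as exc:  # json.JSONDecodeError is a ValueError too
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        print(json.dumps(audit), notifications)  # stand-in for a log sink
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), TriggerHandler).serve_forever()
```

Run it locally and point a subscription at it (through a tunnel such as the one named under Testing Tools) to see the audit line for each event; the handler deliberately rejects malformed payloads with 400 rather than silently dropping them, so a broken integration is visible in your own logs even though the trigger itself ignores the response.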

# Subscribe to the Trigger

To subscribe to this trigger, make a POST call to /beta/trigger-subscriptions with the following headers and body:

Headers:

  • Authorization: Bearer <access_token>

Body:

```json
{
   "triggerId":"idn:post-provisioning",
   "type":"HTTP",
   "httpConfig":{
      "url":"https://urlOfTheExternalService.com"
   }
}
```

# Testing Tools

  • webhook.site - This tool creates a temporary HTTP endpoint for you to verify that you are able to successfully subscribe to the Event Trigger. You can receive the event after an access request has been submitted. Copy the "unique URL" from webhook.site and use it in the url field of the POST body to /beta/trigger-subscriptions.
  • localhost.run - This tool creates a public endpoint for an HTTP server running on your local machine.