Skip to content

Commit

Permalink
Merge pull request #1 from uday-kilambi/uday-kilambi-accessrequest-ma…
Browse files Browse the repository at this point in the history 
…nageaccounts

Workflow | Feature to request for account management
  • Loading branch information
@uday-kilambi
uday-kilambi authored Jun 25, 2024
2 parents ab8e48e + 2734191 commit 688fed6
Showing 1 changed file with 198 additions and 0 deletions.
198 changes: 198 additions & 0 deletions workflows/access-request-for-account-management/RequestHandler-ManageAccounts.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,198 @@
{
"name": "Request Handler - Manage Accounts",
"description": "This workflow helps in enabling users request for disablement/enablement of an account which has appropriate IdentitySecurity Cloud role created. \n\nISC Role Format is expected as \"<Application Name>-Enable Account\" for enable operation and \"<Application Name>-Disable Account\" for disable operation \n\nOnce the account is enabled/disabled, the respective ISC role is also revoked which can make users request the same role again in future when needed.",
"definition": {
"start": "Define Variable",
"steps": {
"Define Variable": {
"attributes": {
"id": "sp:define-variable",
"variables": [
{
"description": "Name of the requested role",
"name": "roleName",
"transforms": [],
"variableA.$": "$.trigger.requestedItemsStatus[0].name"
}
]
},
"displayName": "Get Role Name",
"nextStep": "Define Variable 1",
"type": "Mutation"
},
"Define Variable 1": {
"attributes": {
"id": "sp:define-variable",
"variables": [
{
"description": "",
"name": "indexOfSeparation",
"transforms": [
{
"id": "sp:transform:getIndex:int",
"input": {
"pattern": "-"
}
}
],
"variableA.$": "$.defineVariable.roleName"
}
]
},
"displayName": "Get Index",
"nextStep": "Define Variable 2",
"type": "Mutation"
},
"Define Variable 2": {
"attributes": {
"id": "sp:define-variable",
"variables": [
{
"description": "",
"name": "sourceName",
"transforms": [
{
"id": "sp:transform:substring:string",
"input": {
"length.$": "$.defineVariable1.indexOfSeparation",
"start": 0
}
}
],
"variableA.$": "$.defineVariable.roleName"
}
]
},
"displayName": "Get Source Name",
"nextStep": "Get Accounts",
"type": "Mutation"
},
"End Step - Success": {
"displayName": "",
"type": "success"
},
"Get Accounts": {
"actionId": "sp:get-accounts",
"attributes": {
"getAccountsBy": "specificIdentity",
"identity.$": "$.trigger.requestedFor.id"
},
"displayName": "",
"nextStep": "Loop",
"type": "action",
"versionNumber": 1
},
"Loop": {
"actionId": "sp:loop:iterator",
"attributes": {
"context.$": "$",
"input.$": "$.getAccounts.accounts[?(@.sourceName == \"{{$.defineVariable2.sourceName}}\")]",
"start": "Compare Strings",
"steps": {
"Compare Strings": {
"choiceList": [
{
"comparator": "StringEndsWith",
"nextStep": "Manage Accounts",
"variableA.$": "$.loop.context.defineVariable.roleName",
"variableB": "Enable Account"
}
],
"defaultStep": "Compare Strings 1",
"displayName": "Verify Operation Type",
"type": "choice"
},
"Compare Strings 1": {
"choiceList": [
{
"comparator": "StringEndsWith",
"nextStep": "Manage Accounts 1",
"variableA.$": "$.loop.context.defineVariable.roleName",
"variableB": "Disable Account"
}
],
"defaultStep": "End Step - Failure",
"displayName": "Verify Operation Type",
"type": "choice"
},
"End Step - Failure": {
"displayName": "",
"failureName": "No operation matched",
"type": "failure"
},
"End Step - Success 1": {
"displayName": "",
"type": "success"
},
"Get Access": {
"actionId": "sp:access:get",
"attributes": {
"accessprofiles": false,
"entitlements": false,
"getAccessBy": "searchQuery",
"identityToReturn.$": "$.trigger.requestedFor.id",
"query": "name.exact:\"{{$.loop.context.defineVariable.roleName}}\"",
"roles": true
},
"description": "Get user Access",
"displayName": "Get Role Object",
"nextStep": "Manage Access",
"type": "action",
"versionNumber": 1
},
"Manage Access": {
"actionId": "sp:access:manage",
"attributes": {
"comments": "Removal of the temporary role after disabling the account",
"removeIdentity.$": "$.loop.context.trigger.requestedFor.id",
"requestType": "REVOKE_ACCESS",
"requestedItems.$": "$.getAccess.accessItems[0]"
},
"description": "",
"displayName": "Revoke Temporary Role",
"nextStep": "End Step - Success 1",
"type": "action",
"versionNumber": 1
},
"Manage Accounts": {
"actionId": "sp:manage-account",
"attributes": {
"accountIds.$": "$.loop.loopInput.id",
"operation": "enable"
},
"description": "Enabling application account as per IDN role requested",
"displayName": "Enable Account",
"nextStep": "Get Access",
"type": "action",
"versionNumber": 1
},
"Manage Accounts 1": {
"actionId": "sp:manage-account",
"attributes": {
"accountIds.$": "$.loop.loopInput.id",
"operation": "disable"
},
"description": "Disabling application account as per IDN role requested",
"displayName": "Disable Account",
"nextStep": "Get Access",
"type": "action",
"versionNumber": 1
}
}
},
"description": "To loop around the relevant accounts for disable/enable action",
"displayName": "",
"nextStep": "End Step - Success",
"type": "action",
"versionNumber": 1
}
}
},
"trigger": {
"type": "EVENT",
"attributes": {
"filter.$": "$.requestedItemsStatus[?(@.type == \"ROLE\" && @.operation == \"Add\" && (@.name =~ /.*-Disable Account/ || @.name =~ /.*-Enable Account/) && (@.approvalInfo.length() == 0 || (@.approvalInfo[0].approvalDecision == \"APPROVED\" && @.approvalInfo[-1].approvalDecision == \"APPROVED\")))].name",
"id": "idn:access-request-post-approval"
}
}
}

0 comments on commit 688fed6

Please sign in to comment.