diff --git a/workflows/access-request-for-account-management/RequestHandler-ManageAccounts.json b/workflows/access-request-for-account-management/RequestHandler-ManageAccounts.json new file mode 100644 index 0000000..44b3409 --- /dev/null +++ b/workflows/access-request-for-account-management/RequestHandler-ManageAccounts.json @@ -0,0 +1,198 @@ +{ + "name": "Request Handler - Manage Accounts", + "description": "This workflow helps in enabling users request for disablement/enablement of an account which has appropriate IdentitySecurity Cloud role created. \n\nISC Role Format is expected as \"-Enable Account\" for enable operation and \"-Disable Account\" for disable operation \n\nOnce the account is enabled/disabled, the respective ISC role is also revoked which can make users request the same role again in future when needed.", + "definition": { + "start": "Define Variable", + "steps": { + "Define Variable": { + "attributes": { + "id": "sp:define-variable", + "variables": [ + { + "description": "Name of the requested role", + "name": "roleName", + "transforms": [], + "variableA.$": "$.trigger.requestedItemsStatus[0].name" + } + ] + }, + "displayName": "Get Role Name", + "nextStep": "Define Variable 1", + "type": "Mutation" + }, + "Define Variable 1": { + "attributes": { + "id": "sp:define-variable", + "variables": [ + { + "description": "", + "name": "indexOfSeparation", + "transforms": [ + { + "id": "sp:transform:getIndex:int", + "input": { + "pattern": "-" + } + } + ], + "variableA.$": "$.defineVariable.roleName" + } + ] + }, + "displayName": "Get Index", + "nextStep": "Define Variable 2", + "type": "Mutation" + }, + "Define Variable 2": { + "attributes": { + "id": "sp:define-variable", + "variables": [ + { + "description": "", + "name": "sourceName", + "transforms": [ + { + "id": "sp:transform:substring:string", + "input": { + "length.$": "$.defineVariable1.indexOfSeparation", + "start": 0 + } + } + ], + "variableA.$": "$.defineVariable.roleName" + } + ] + }, + "displayName": "Get Source Name", + "nextStep": "Get Accounts", + "type": "Mutation" + }, + "End Step - Success": { + "displayName": "", + "type": "success" + }, + "Get Accounts": { + "actionId": "sp:get-accounts", + "attributes": { + "getAccountsBy": "specificIdentity", + "identity.$": "$.trigger.requestedFor.id" + }, + "displayName": "", + "nextStep": "Loop", + "type": "action", + "versionNumber": 1 + }, + "Loop": { + "actionId": "sp:loop:iterator", + "attributes": { + "context.$": "$", + "input.$": "$.getAccounts.accounts[?(@.sourceName == \"{{$.defineVariable2.sourceName}}\")]", + "start": "Compare Strings", + "steps": { + "Compare Strings": { + "choiceList": [ + { + "comparator": "StringEndsWith", + "nextStep": "Manage Accounts", + "variableA.$": "$.loop.context.defineVariable.roleName", + "variableB": "Enable Account" + } + ], + "defaultStep": "Compare Strings 1", + "displayName": "Verify Operation Type", + "type": "choice" + }, + "Compare Strings 1": { + "choiceList": [ + { + "comparator": "StringEndsWith", + "nextStep": "Manage Accounts 1", + "variableA.$": "$.loop.context.defineVariable.roleName", + "variableB": "Disable Account" + } + ], + "defaultStep": "End Step - Failure", + "displayName": "Verify Operation Type", + "type": "choice" + }, + "End Step - Failure": { + "displayName": "", + "failureName": "No operation matched", + "type": "failure" + }, + "End Step - Success 1": { + "displayName": "", + "type": "success" + }, + "Get Access": { + "actionId": "sp:access:get", + "attributes": { + "accessprofiles": false, + "entitlements": false, + "getAccessBy": "searchQuery", + "identityToReturn.$": "$.trigger.requestedFor.id", + "query": "name.exact:\"{{$.loop.context.defineVariable.roleName}}\"", + "roles": true + }, + "description": "Get user Access", + "displayName": "Get Role Object", + "nextStep": "Manage Access", + "type": "action", + "versionNumber": 1 + }, + "Manage Access": { + "actionId": "sp:access:manage", + "attributes": { + "comments": "Removal of the temporary role after disabling the account", + "removeIdentity.$": "$.loop.context.trigger.requestedFor.id", + "requestType": "REVOKE_ACCESS", + "requestedItems.$": "$.getAccess.accessItems[0]" + }, + "description": "", + "displayName": "Revoke Temporary Role", + "nextStep": "End Step - Success 1", + "type": "action", + "versionNumber": 1 + }, + "Manage Accounts": { + "actionId": "sp:manage-account", + "attributes": { + "accountIds.$": "$.loop.loopInput.id", + "operation": "enable" + }, + "description": "Enabling application account as per IDN role requested", + "displayName": "Enable Account", + "nextStep": "Get Access", + "type": "action", + "versionNumber": 1 + }, + "Manage Accounts 1": { + "actionId": "sp:manage-account", + "attributes": { + "accountIds.$": "$.loop.loopInput.id", + "operation": "disable" + }, + "description": "Disabling application account as per IDN role requested", + "displayName": "Disable Account", + "nextStep": "Get Access", + "type": "action", + "versionNumber": 1 + } + } + }, + "description": "To loop around the relevant accounts for disable/enable action", + "displayName": "", + "nextStep": "End Step - Success", + "type": "action", + "versionNumber": 1 + } + } + }, + "trigger": { + "type": "EVENT", + "attributes": { + "filter.$": "$.requestedItemsStatus[?(@.type == \"ROLE\" && @.operation == \"Add\" && (@.name =~ /.*-Disable Account/ || @.name =~ /.*-Enable Account/) && (@.approvalInfo.length() == 0 || (@.approvalInfo[0].approvalDecision == \"APPROVED\" && @.approvalInfo[-1].approvalDecision == \"APPROVED\")))].name", + "id": "idn:access-request-post-approval" + } + } +}