generated from sailpoint-oss/colab-repo-template
-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #14 from uday-kilambi/main
Workflow | Feature to request for account management
- Loading branch information
Showing
1 changed file
with
198 additions
and
0 deletions.
There are no files selected for viewing
198 changes: 198 additions & 0 deletions
198
workflows/access-request-for-account-management/RequestHandler-ManageAccounts.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,198 @@ | ||
{ | ||
"name": "Request Handler - Manage Accounts", | ||
"description": "This workflow helps in enabling users request for disablement/enablement of an account which has appropriate IdentitySecurity Cloud role created. \n\nISC Role Format is expected as \"<Application Name>-Enable Account\" for enable operation and \"<Application Name>-Disable Account\" for disable operation \n\nOnce the account is enabled/disabled, the respective ISC role is also revoked which can make users request the same role again in future when needed.", | ||
"definition": { | ||
"start": "Define Variable", | ||
"steps": { | ||
"Define Variable": { | ||
"attributes": { | ||
"id": "sp:define-variable", | ||
"variables": [ | ||
{ | ||
"description": "Name of the requested role", | ||
"name": "roleName", | ||
"transforms": [], | ||
"variableA.$": "$.trigger.requestedItemsStatus[0].name" | ||
} | ||
] | ||
}, | ||
"displayName": "Get Role Name", | ||
"nextStep": "Define Variable 1", | ||
"type": "Mutation" | ||
}, | ||
"Define Variable 1": { | ||
"attributes": { | ||
"id": "sp:define-variable", | ||
"variables": [ | ||
{ | ||
"description": "", | ||
"name": "indexOfSeparation", | ||
"transforms": [ | ||
{ | ||
"id": "sp:transform:getIndex:int", | ||
"input": { | ||
"pattern": "-" | ||
} | ||
} | ||
], | ||
"variableA.$": "$.defineVariable.roleName" | ||
} | ||
] | ||
}, | ||
"displayName": "Get Index", | ||
"nextStep": "Define Variable 2", | ||
"type": "Mutation" | ||
}, | ||
"Define Variable 2": { | ||
"attributes": { | ||
"id": "sp:define-variable", | ||
"variables": [ | ||
{ | ||
"description": "", | ||
"name": "sourceName", | ||
"transforms": [ | ||
{ | ||
"id": "sp:transform:substring:string", | ||
"input": { | ||
"length.$": "$.defineVariable1.indexOfSeparation", | ||
"start": 0 | ||
} | ||
} | ||
], | ||
"variableA.$": "$.defineVariable.roleName" | ||
} | ||
] | ||
}, | ||
"displayName": "Get Source Name", | ||
"nextStep": "Get Accounts", | ||
"type": "Mutation" | ||
}, | ||
"End Step - Success": { | ||
"displayName": "", | ||
"type": "success" | ||
}, | ||
"Get Accounts": { | ||
"actionId": "sp:get-accounts", | ||
"attributes": { | ||
"getAccountsBy": "specificIdentity", | ||
"identity.$": "$.trigger.requestedFor.id" | ||
}, | ||
"displayName": "", | ||
"nextStep": "Loop", | ||
"type": "action", | ||
"versionNumber": 1 | ||
}, | ||
"Loop": { | ||
"actionId": "sp:loop:iterator", | ||
"attributes": { | ||
"context.$": "$", | ||
"input.$": "$.getAccounts.accounts[?(@.sourceName == \"{{$.defineVariable2.sourceName}}\")]", | ||
"start": "Compare Strings", | ||
"steps": { | ||
"Compare Strings": { | ||
"choiceList": [ | ||
{ | ||
"comparator": "StringEndsWith", | ||
"nextStep": "Manage Accounts", | ||
"variableA.$": "$.loop.context.defineVariable.roleName", | ||
"variableB": "Enable Account" | ||
} | ||
], | ||
"defaultStep": "Compare Strings 1", | ||
"displayName": "Verify Operation Type", | ||
"type": "choice" | ||
}, | ||
"Compare Strings 1": { | ||
"choiceList": [ | ||
{ | ||
"comparator": "StringEndsWith", | ||
"nextStep": "Manage Accounts 1", | ||
"variableA.$": "$.loop.context.defineVariable.roleName", | ||
"variableB": "Disable Account" | ||
} | ||
], | ||
"defaultStep": "End Step - Failure", | ||
"displayName": "Verify Operation Type", | ||
"type": "choice" | ||
}, | ||
"End Step - Failure": { | ||
"displayName": "", | ||
"failureName": "No operation matched", | ||
"type": "failure" | ||
}, | ||
"End Step - Success 1": { | ||
"displayName": "", | ||
"type": "success" | ||
}, | ||
"Get Access": { | ||
"actionId": "sp:access:get", | ||
"attributes": { | ||
"accessprofiles": false, | ||
"entitlements": false, | ||
"getAccessBy": "searchQuery", | ||
"identityToReturn.$": "$.trigger.requestedFor.id", | ||
"query": "name.exact:\"{{$.loop.context.defineVariable.roleName}}\"", | ||
"roles": true | ||
}, | ||
"description": "Get user Access", | ||
"displayName": "Get Role Object", | ||
"nextStep": "Manage Access", | ||
"type": "action", | ||
"versionNumber": 1 | ||
}, | ||
"Manage Access": { | ||
"actionId": "sp:access:manage", | ||
"attributes": { | ||
"comments": "Removal of the temporary role after disabling the account", | ||
"removeIdentity.$": "$.loop.context.trigger.requestedFor.id", | ||
"requestType": "REVOKE_ACCESS", | ||
"requestedItems.$": "$.getAccess.accessItems[0]" | ||
}, | ||
"description": "", | ||
"displayName": "Revoke Temporary Role", | ||
"nextStep": "End Step - Success 1", | ||
"type": "action", | ||
"versionNumber": 1 | ||
}, | ||
"Manage Accounts": { | ||
"actionId": "sp:manage-account", | ||
"attributes": { | ||
"accountIds.$": "$.loop.loopInput.id", | ||
"operation": "enable" | ||
}, | ||
"description": "Enabling application account as per IDN role requested", | ||
"displayName": "Enable Account", | ||
"nextStep": "Get Access", | ||
"type": "action", | ||
"versionNumber": 1 | ||
}, | ||
"Manage Accounts 1": { | ||
"actionId": "sp:manage-account", | ||
"attributes": { | ||
"accountIds.$": "$.loop.loopInput.id", | ||
"operation": "disable" | ||
}, | ||
"description": "Disabling application account as per IDN role requested", | ||
"displayName": "Disable Account", | ||
"nextStep": "Get Access", | ||
"type": "action", | ||
"versionNumber": 1 | ||
} | ||
} | ||
}, | ||
"description": "To loop around the relevant accounts for disable/enable action", | ||
"displayName": "", | ||
"nextStep": "End Step - Success", | ||
"type": "action", | ||
"versionNumber": 1 | ||
} | ||
} | ||
}, | ||
"trigger": { | ||
"type": "EVENT", | ||
"attributes": { | ||
"filter.$": "$.requestedItemsStatus[?(@.type == \"ROLE\" && @.operation == \"Add\" && (@.name =~ /.*-Disable Account/ || @.name =~ /.*-Enable Account/) && (@.approvalInfo.length() == 0 || (@.approvalInfo[0].approvalDecision == \"APPROVED\" && @.approvalInfo[-1].approvalDecision == \"APPROVED\")))].name", | ||
"id": "idn:access-request-post-approval" | ||
} | ||
} | ||
} |