Workflow Actions
Each workflow action receives input from the data flow and performs an action in IdentityNow. The values you enter in the fields for each action help determine what is done and how. The result of each action, in JSON format, is added to the workflow's data flow.
The value for each field must be either a variable from a previous step or a static, fixed value. Select which format you'll be using for each field before entering the value and saving your workflow.
Every action has a name and an optional description field. The name of the action must be unique within the workflow so it can be used in Next steps and conditional logic. The workflow builder automatically generates the action name based on the action type.
Each action is allowed a period of time before it times out. If an action times out, the workflow fails.
Below, you can find a list of all actions currently available for workflows, as well as the unique fields and timeout period for each action. If a particular action adds any JSON to the workflow, a sample of that JSON is available.
Access Request Actions
Actions related to creating and managing access requests.
Approve Access Request
Approves an access request with the selected ID and leaves a comment.
| Field | Required? | Description |
|---|---|---|
| Access Request ID | Yes | The ID of the access request to approve. |
| Comment | Yes | Provide a comment to leave on the access request's approval. |
If you add this action to your workflow and you don't have the Access Request service, your workflow will fail. This step will time out if it takes longer than 90 seconds to complete.
Create Request for Access
Submits an access request for the selected list of users.
The Create Request for Access step has been replaced by the Manage Access step. To create an access request in a workflow, use the Manage Access step and select Add Access.
This step will time out if it takes longer than 90 seconds to complete.
Deny Access Request
Denies an access request by ID and leaves a comment.
| Field | Required? | Description |
|---|---|---|
| Access Request ID | Yes | The ID of the access request to deny. |
| Comment | Yes | Provide a comment to leave on the access request's denial. |
If you add this action to your workflow and you don't have the Access Request service, your workflow will fail. This step will time out if it takes longer than 90 seconds to complete.
Get Access Request Recommendations
Gets a list of the recommended access requests for the specified user.
| Field | Required? | Description |
|---|---|---|
| Get Access Request Recommendations | Yes | The ID of the identity for whom to retrieve access request recommendations. |
If you add this action to your workflow and you don't have the Access Request and Recommendations AI services, your workflow will fail.
This step will time out if it takes longer than 90 seconds to complete.
This action returns a JSON blob when it completes successfully.
Open "Get Access Request Recommendation" JSON Sample
Get Pending Access Requests
Gets up to 250 pending access requests.
| Field | Description |
|---|---|
| Reviewer | Select a reviewer. All access requests that list that identity as one of their reviewers will be returned. |
| Filter Results | Optionally apply additional filters using the Standard Collection Parameters. |
This step will time out if it takes longer than 1 minute to complete.
Open "Get Pending Access Requests" JSON Sample
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 | |
Request Access Removal
Requests the removal of one or more access items from a list of identities.
The Request Access Removal step has been replaced by the Manage Access step. To request access removal in a workflow, use the Manage Access step and select Remove Access.
This step will time out if it takes longer than 90 seconds to complete.
Certification Actions
Actions related to the creation or management of certification campaigns.
Activate Certification Campaign
Activates the certification campaign with the selected ID.
| Field | Required? | Description |
|---|---|---|
| Campaign ID | Yes | The ID of the campaign to activate. |
If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 2 hours to complete.
Create Certification Campaign
Creates a new certification campaign. The campaign must be activated separately.
| Field | Description |
|---|---|
| Campaign Name | The name of the campaign. |
| Campaign Description | A description of the campaign. |
| Reviewer Type | The type of reviewer to use for this campaign. If you select Manager, a certification is created for all identities in your site and each identity's manager will review their access. You can also choose Source Owner to certify all access for one or more sources. If you choose Individual or Governance Group, you can select a specific identity or group to review the access of one or more identities or access items. |
| Campaign Duration | The length of time the certification campaign should run. Choose a time period and then a unit. |
| AI Recommendations | Choose whether or not to include recommendations from the Access Recommendations service in this campaign. If you don't have this service, this field is disabled. |
| Email Notifications | Choose whether or not to send reminder emails associated with the campaign. |
| Start Campaign when Created | Choose whether or not to activate the campaign once it's created. If you disable this option, you must activate the campaign separately. |
| Undecided Access Items | Choose whether to maintain or automatically revoke undecided access items when the campaign ends. |
| If you selected Source Owner under Reviewer Type: | |
| Source IDs | Enter the IDs of all sources to include in the campaign. A single ID can be represented as a string. If including multiple IDs, enclose them in brackets and separate them with spaces. For example, [ID1 ID2 ID3] |
| If you selected Individual under Reviewer Type: | |
| Reviewer Identity | Select the identity that should be responsible for reviewing this certification. |
| Certification Type | Choose whether to use an identity certification to certify the access of one or more identities, or to use an access certification to certify whether each identity that has specific access items should have that access. |
| If you selected Access Certification in Certification Type under Individual: | |
| Access Type | Choose the type of access to be included in this campaign. |
| Access Filter | Choose whether to certify all access of the selected type or only specific access items. If you choose specific access items, use the Access Filter field to choose the IDs of access. You can also enter the ID values manually in a JSON array using this format: [“id1”, “id2”, “id3”] |
| If you selected Identity Certification in Certification Type under Individual: | |
| Identities to Certify | Select the identities to certify in the campaign. |
| If you selected Governance Group under Reviewer Type: | |
| Governance Group | Select a governance group to review this campaign. |
| Certification Type | Choose whether to use an identity certification to certify the access of one or more identities, or to use an access certification to certify whether each identity that has specific access items should have that access. |
| If you selected Access Certification in Certification Type under Governance Group: | |
| Access Type | Choose the type of access to be included in this campaign. |
| Access Filter | Choose whether to certify all access of the selected type or only specific access items. If you choose specific access items, use the Access Filter field to choose the IDs of access. You can also enter the ID values manually in a JSON array using this format: [“id1”, “id2”, “id3”] |
| If you selected Identity Certification in Certification Type under Governance Group: | |
| Identities to Certify | Select the identities to certify in the campaign. |
If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 36 hours to complete.
This action returns a JSON blob when it completes successfully.
Open "Create Certification Campaign" JSON Sample
Get Certification Campaign
Gets data about the specified certification campaign.
| Field | Required? | Description |
|---|---|---|
| Campaign ID | Yes | The ID of the campaign to get. |
If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully.
Open "Get Certification Campaign" JSON Sample
Form
The Form action assigns the selected form to the specified user with a set deadline. The user receives an email notification with a link to fill out the form. The workflow is paused until the user completes and submits the form.
Forms that are used by workflows can be configured to use data values from the workflow by defining required form inputs. Map workflow variables to these form inputs and the variables can use conditions to pre-populate fields as the default form values. When defined, those inputs become required fields in the workflow form action configuration.
| Field | Description |
|---|---|
| Description | Enter a description. |
| Form | Search or select a form from the dropdown list. You can search by name or description. |
| Form Inputs | If the selected form has any form inputs, they are displayed here as required fields. Map workflow variables to each of these form inputs to be used as values in the form. |
| Recipient | Select the IdentityNow user to fill out the form. |
| Notification Subject | Enter a subject line for the email notification. |
| Notification Body | Enter the text of the email notification. The link to the form is automatically added to the end of the notification body. |
| Form Submission Deadline | Select a deadline for how long the recipient has to complete the form. The maximum allowed time is 30 days or 720 hours. |
| Reminder Body | Enter the text of the reminder email notification. The link to the form is automatically added to the end of the notification body. |
| Form Submission Reminder | Select when to send a reminder notification if the form has not been submitted, up to 29 days or 696 hours. |
Get Access
Gets a set of access items held by a selected identity or found through a search query.This step returns a maximum of 250 access items and is often used in conjunction with the Manage Access step.
| Field | Description |
|---|---|
| Access Selection Method | Select how to determine the access that will be returned. Options are By Identity and By Search Query. |
| If you select By Identity: | |
| By Identity | Select an identity from the dropdown list, or use Choose Variable to select an identity from the input. |
| If you select By Search Query: | |
| By Search Query | Enter a search query to return specific access. |
Underneath these fields, you select the checkbox beside the types of access you want to return. The options are access profiles, roles, and entitlements.
This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully. The sample JSON blob below includes an entitlement, a role, and an access profile. This is the format that the Manage Access step expects.
Open "Get Access" JSON Sample
Get Accounts
Gets one or more source accounts. This step returns a maximum of 250 accounts and is often used in conjunction with Manage Accounts.
| Field | Description |
|---|---|
| Account Selection Method | Select By Identity to choose an identity and return its accounts. Select By Account Data to filter the accounts returned by details about the accounts. |
| If you selected By Identity: | |
| Accounts By Identity | Select an identity using the dropdown list or use Choose Variable to select the technical ID of an identity from the input. All accounts of the selected identity will be returned. |
| If you selected By Account Data: | |
| Account Details | Select an option to return accounts using details related to the account. options include the Technical ID of the account, the technical Identity ID, the Account Name, the native Account ID, the Source ID, and the Uncorrelated status. |
| Operator | How to compare the value of the selected account detail with the Value field below. At this time, the valid option is Equals. |
| Value | Enter a value to compare to the selected account detail you selected and return accounts that match your requirements. |
This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully.
Open "Get Accounts" JSON Sample
HTTP Request
Makes an HTTP request to an external system. If the external system provides a response, it must be in JSON format.
This step will time out if it takes longer than 90 seconds to complete.
| Field | Description |
|---|---|
| Authentication Type | The type of authentication to use. The options for this field are Basic Authentication, Custom Authorization, and OAuth 2.0 - Client Credentials Grant. |
| If you selected Basic Authentication: | |
| User Name | The user name authorized to access the HTTP service. |
| Password | The password corresponding to the user name. |
| Method | The HTTP method to use. The options are POST, GET, PUT, PATCH, and DELETE. |
| Request URL | The URL of the service endpoint. |
| Query Parameters | The parameters appended to the URL. |
| Request Headers | The headers required by the service endpoint. |
| If you selected Custom Authorization: | |
| Header Name | The name or key required by the HTTP service. |
| Header Value | The value required by the HTTP service. |
| Request URL | The URL of the service endpoint. |
| Query Parameters | The parameters appended to the URL. |
| Method | The HTTP method to use. The options are POST, GET, PUT, PATCH, and DELETE. |
| If you selected OAuth 2.0 - Client Credentials Grant: | |
| Token URL | The URL to retrieve the token. |
| Client ID | The client ID, similar to a user name. |
| Client Secret | The client secret, similar to a password. |
| Credential Location | Whether to include the credentials in the header or the body of the request. This is determined by the requirements of the external system being called. If the credentials are in the incorrect part of the request, the workflow might return a 401 error. |
| Scope | The scope parameters required by some third-party systems. To include multiple scope values in a single parameter, separate values with spaces. To include multiple scope values in multiple parameters, separate values with new lines. |
| Request URL | The URL of the service endpoint. |
| Query Parameters | The parameters appended to the URL. |
| Request Headers | The headers required by the service endpoint. |
| If you selected POST, PUT, or PATCH in the Method field of any of the above options: | |
| Request Content Type | The type of content to include in the request body. The options are CSV, Form, JSON, and plain text. |
| Request Body | The body of your request in the format you specified. |
Note
The HTTP Request action does not support endpoints requiring the QUIC protocol.
Identity Actions
Actions related to identities, their activity, and their attributes.
Get Identities
Gets data about a list of one or more identities, including all their default and custom attributes.
You can choose how to find the identities you want to manage. Additional fields will be displayed based on your choice.
In the Find Identities By field, choose an option. Additional fields appear when you select how to return identities.
| Field | Description |
|---|---|
| Search Query | Enter a search query to return one or more identities. |
| Saved Search | Choose a saved search from the dropdown list. |
| Tag | Find identities that have a specific tag. |
| Managers | Select one or more managers. All of the identities that report to one of those managers will be returned. |
| Direct Reports | Select one or more identities. All of the managers of those identities will be returned. |
This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully.
Open "Get Identities" JSON Sample
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 | |
Get Identity
Gets data about a single identity, including all of their default and custom attributes.
| Field | Required? | Description |
|---|---|---|
| Identity ID | Yes | The technical ID of the identity to get. |
This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully.
Open "Get Identity" JSON Sample
Get Identity History
Gets the audit events related to access changes for a specific identity.
| Field | Description |
|---|---|
| Identity | Select an identity, or enter a JSONPath expression to select the technical ID of an identity. Audit events from the selected identity will be returned. |
| From | Optionally choose a date to return events only on or after that date. |
| Event Type | Optionally enter the type of event to return. These are: AccessItemAssociated, AccessItemRemoved, AttributesChanged, AccessRequested, IdentityCertified, and AccountStatusChanged. |
Open "Get Identity History" JSON Sample
This step will time out if it takes longer than 1 minute to complete.
Manage Access
Adds or removes access items on one or more identities.
Note
Revoke requests for individual entitlements are limited to one entitlement per access request.
This step's input must be a list of objects in the same format as is provided by the Get Access step. This includes a JSON body similar to this example:
{
"accessItems":[
{
"id":"technicalID",
"name":"accessItemName",
"type":"accessItemType"
}
]
}
When this step is used, the workflow submits a request to the external system to process the access change.
- If the access item requires an approval process before it's granted or removed, that process begins and the workflow continues as soon as the request has been submitted, without waiting for the request to be granted or denied.
- If you need to wait for the access request to be decided before the workflow continues, end this workflow and create a new one using the Access Request Decision trigger.
- If the access item doesn't require approval, the workflow does not wait for confirmation from the source that the access was updated before continuing.
- If you need to make sure the access is updated on the identity's source account before the workflow continues, add a Wait step after the Manage Access step.
| Field | Description |
|---|---|
| Request Type | Choose whether to add or remove access. |
| Identities | Select one or more identities from the dropdown list that should receive this access or have it removed. You can also use Choose Variable to choose the technical IDs of the identities using JSONPath. |
| Access to Manage | Select the access items to manage. The input to this step must be a list of access objects in the format listed above. The Get Access step provides this input in the correct format. |
| Comments | Provide a comment about why this access is changing. |
| If you selected Add Access under Request Type, the Select Duration field will appear. Optionally enter the length of time that the user should have the access and select a unit. |
This step will time out if it takes longer than 30 minutes to receive a response from the external system.
A test for this action can be simulated. Refer to the Simulating a Workflow Test documentation for more information.
This action returns a JSON blob when it completes successfully.
Open "Manage Access" JSON Sample
Manage Accounts
Deletes, disables, enables, or unlocks a source account.
| Field | Description |
|---|---|
| Account Action | Select an action to take on the selected accounts. Valid options are Delete, Disable, Enable, or Unlock. |
| Select Accounts | Choose one or more accounts to act on. If selecting the IDs of accounts from the Get Accounts step, use the JSONPath $.getAccounts.accounts[*].id. The [*].id must be added to the variable chosen by the Variable Selector. |
Note
The Delete option is only applicable to accounts on flat file sources.
This step will time out if it takes longer than 1 hour to complete.
A test for this action can be simulated. Refer to the Simulating a Workflow Test documentation for more information.
This action returns a JSON blob when it completes successfully. The object in this JSON body is the ID of the account that was updated.
Manage ServiceNow Ticket
Creates a new ServiceNow ticket, or returns or updates the status of an existing ticket.
This step will time out if it takes longer than 300 seconds to complete.
| Field | Description |
|---|---|
| Authentication Type | Select the type of authentication. |
| Request URL | Enter the ServiceNow endpoint's URL. |
| Action | Select the action you want to perform. The options are Create new ticket, Update ticket status, and Get ticket status. |
| If you selected OAuth 2.0 - Client Credentials Grant under Authentication Type: | |
| Token URL | Enter the URL of the token. |
| Client ID | Enter your client ID. |
| Client Secret | Enter your client secret. |
| ServiceNow Username | Enter the username authorized to access ServiceNow. |
| ServiceNow Password | Enter the password corresponding the the username. |
| Request URL | Enter the ServiceNow endpoint's URL. |
| If you selected Basic Authentication under Authentication Type: | |
| ServiceNow Username | Enter the username authorized to access ServiceNow. |
| ServiceNow Password | Enter the password corresponding the the username. |
| Request URL | Enter the ServiceNow endpoint's URL. |
| If you selected Create new ticket under Action: | |
| Caller | Enter the ServiceNow username of the caller. |
| Watchlist | Enter the ServiceNow usernames of users you want to receive notifications about this ticket. |
| Short Description | Enter a short description about the ticket. |
| Description | Add additional details about the ticket. |
| Category | Enter a category for the ticket. |
| Sub-Category | Enter a sub-category for the ticket. |
| Urgency | Select the urgency of the ticket. |
| Additional Fields | Enter any additional fields required by ServiceNow and their values in key:value pairs, separated by line breaks. |
| If you selected Update ticket status under Action: | |
| Ticket ID | Enter the ID of the ticket you want to update. |
| Status | Select the ticket's new status. |
| If you selected Get ticket status under Action: | |
| Ticket ID | Enter the ID of the ticket you want to get the status of. |
This action returns a JSON blob when it completes successfully.
Open "ServiceNow" JSON Sample
Send Email
Sends an email to the specified identity.
| Field | Required? | Description |
|---|---|---|
| Recipient Addresses | Yes | The email address that should receive this email. Select or enter up to 10 email addresses. |
| Reply-To Address | No | The email address to use as the reply-to address. If left blank, this uses the "From" address on the Branding page. |
| From Address | No | The email address to use as the sender address. If left blank, this uses the "From" address on the Branding page. |
| Subject | No | The subject line of the email. |
| Body | No | The body of the email. |
| Templating Context | No | The map of variables to be passed to the email template. Use the format {"variable1.$":"$.JSONPathVariableSelection1", "variable2.$":"$.JSONPathVariableSelection2"}. The variable in each map can be used to represent the value selected by the JSONPath in the second part of each map and entered in the email template using the format ${variable}. |
Templating Context Example
The following example uses JSONPath to select the username of an identity in the Get Identity step and assign it the variable "name":
{"name.$":"$.getIdentity.name"}
To use the username variable within the body of the email, the following can be used in the Body field:
"Your username is ${name}."
In the final rendered email, the identity's username will be displayed in place of the variable.
This step will time out if it takes longer than 1 minute to complete.
Send Slack Message
Sends a direct Slack message to the specified user. If the user is not found in Slack, an email will be sent instead.
| Field | Required? | Description |
|---|---|---|
| Recipient | Yes | The IdentityNow username of the user that should receive the Slack message. |
| Message | Yes | The body of the Slack message. |
Note
The Slack integration with SailPoint is required. Refer to Getting Started with Slack for SailPoint for more information.
Wait
Pauses the workflow's execution for a set period of time.
| Field | Required? | Description |
|---|---|---|
| Type | Yes | Choose Wait For to configure the step to pause for a time duration or Wait Until to wait until a specific date and time. |
| If you selected Wait For: | ||
| Wait Duration | Yes | The length of time to pause the workflow. Choose a number and select the time unit. Choose a time period between 60 seconds and 30 days. |
| If you selected Wait Until: | ||
| Future Date | Yes | The date when this workflow should resume, using the local time zone of the admin creating the workflow. This can be pulled from a variable in the workflow. Choose a date no more than 180 days in the future. |
| Time | Yes | The time on the specified date when this workflow should resume. This field only appears when the Type is Wait Until. |
This step will time out if it takes longer than 182 days to complete.
To learn more about the process of building a workflow, either in the visual builder or using JSON, visit Creating and Managing Workflows.
Review our lists of triggers and operators that you can use to start and manage your workflow.