Workflow Actions
Each workflow action receives input from the data flow and performs an action in your system. The values you enter in the fields for each action help determine what is done and how. The result of each action, in JSON format, is added to the workflow's data flow.
The value for each field must be either a variable from a previous step or a static, fixed value. Select which format you'll be using for each field before entering the value and saving your workflow.
Every action has a name and an optional description field. The name of the action must be unique within the workflow so it can be used in Next steps and conditional logic. The workflow builder automatically generates the action name based on the action type.
Each action is allowed a period of time before it times out. If an action times out, the workflow fails.
Below, you can find a list of all actions currently available for workflows, as well as the unique fields and timeout period for each action. If a particular action adds any JSON to the workflow, a sample of that JSON is available.
Access Request Actions
Actions related to creating and managing access requests.
Approve Access Request
Approves an access request with the selected ID and leaves a comment.
Field | Required? | Description |
---|---|---|
Access Request ID | Yes | The ID of the access request to approve. |
Comment | Yes | Provide a comment to leave on the access request's approval. |
If you add this action to your workflow and you don't have the Access Request service, your workflow will fail. This step will time out if it takes longer than 90 seconds to complete.
Create Request for Access
Submits an access request for the selected list of users.
The Create Request for Access step has been replaced by the Manage Access step. To create an access request in a workflow, use the Manage Access step and select Add Access.
This step will time out if it takes longer than 90 seconds to complete.
Deny Access Request
Denies an access request by ID and leaves a comment.
Field | Required? | Description |
---|---|---|
Access Request ID | Yes | The ID of the access request to deny. |
Comment | Yes | Provide a comment to leave on the access request's denial. |
If you add this action to your workflow and you don't have the Access Request service, your workflow will fail. This step will time out if it takes longer than 90 seconds to complete.
Get Access Request Recommendations
Gets a list of up to 250 recommended access requests for the specified user.
Field | Required? | Description |
---|---|---|
Get Access Request Recommendations | Yes | The ID of the identity for whom to retrieve access request recommendations. |
If you add this action to your workflow and you don't have the Access Request and Recommendations AI services, your workflow will fail.
This step will time out if it takes longer than 90 seconds to complete.
This action returns a JSON blob when it completes successfully.
Get Pending Access Requests
Gets up to 250 pending access requests.
Field | Description |
---|---|
Reviewer | Select a reviewer. All access requests that list that identity as one of their reviewers will be returned. |
Filter Results | Optionally apply additional filters. Use the fields in Pending Access Request Approvals List and the syntax in Standard Collection Parameters. |
This step will time out if it takes longer than 1 minute to complete.
Request Access Removal
Requests the removal of one or more access items from a list of identities.
The Request Access Removal step has been replaced by the Manage Access step. To request access removal in a workflow, use the Manage Access step and select Remove Access.
This step will time out if it takes longer than 90 seconds to complete.
Certification Actions
Actions related to the creation or management of certification campaigns.
Activate Certification Campaign
Activates the certification campaign with the selected ID.
Field | Required? | Description |
---|---|---|
Campaign ID | Yes | The ID of the campaign to activate. |
If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 2 hours to complete.
Create Certification Campaign
Creates a new certification campaign. The campaign must be activated separately.
Field | Description |
---|---|
Campaign Name | The name of the campaign. |
Campaign Description | A description of the campaign. |
Reviewer Type | The type of reviewer to use for this campaign. If you select Manager, a certification is created for all identities in your site and each identity's manager will review their access. You can also choose Source Owner to certify all access for one or more sources. If you choose Individual or Governance Group, you can select a specific identity or group to review the access of one or more identities or access items. |
Campaign Duration | The length of time the certification campaign should run. Choose a time period and then a unit. |
AI Recommendations | Choose whether or not to include recommendations from the Access Recommendations service in this campaign. If you don't have this service, this field is disabled. |
Email Notifications | Choose whether or not to send reminder emails associated with the campaign. |
Start Campaign when Created | Choose whether or not to activate the campaign once it's created. If you disable this option, you must activate the campaign separately. |
Undecided Access Items | Choose whether to maintain or automatically revoke undecided access items when the campaign ends. |
If you selected Source Owner under Reviewer Type: | |
Source IDs | Enter the IDs of all sources to include in the campaign. A single ID can be represented as a string. If including multiple IDs, enclose them in brackets and separate them with spaces. For example, [ID1 ID2 ID3] |
If you selected Individual under Reviewer Type: | |
Reviewer Identity | Select the identity that should be responsible for reviewing this certification. |
Certification Type | Choose whether to use an identity certification to certify the access of one or more identities, or to use an access certification to certify whether each identity that has specific access items should have that access. |
If you selected Access Certification in Certification Type under Individual: | |
Access Type | Choose the type of access to be included in this campaign. |
Access Filter | Choose whether to certify all access of the selected type or only specific access items. If you choose specific access items, use the Access Filter field to choose the IDs of the access items. You can also enter the ID values manually as a JSON array using this format: ["id1", "id2", "id3"] |
If you selected Identity Certification in Certification Type under Individual: | |
Identities to Certify | Select the identities to certify in the campaign. |
If you selected Governance Group under Reviewer Type: | |
Governance Group | Select a governance group to review this campaign. |
Certification Type | Choose whether to use an identity certification to certify the access of one or more identities, or to use an access certification to certify whether each identity that has specific access items should have that access. |
If you selected Access Certification in Certification Type under Governance Group: | |
Access Type | Choose the type of access to be included in this campaign. |
Access Filter | Choose whether to certify all access of the selected type or only specific access items. If you choose specific access items, use the Access Filter field to choose the IDs of the access items. You can also enter the ID values manually as a JSON array using this format: ["id1", "id2", "id3"] |
If you selected Identity Certification in Certification Type under Governance Group: | |
Identities to Certify | Select the identities to certify in the campaign. |
If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 36 hours to complete.
This action returns a JSON blob when it completes successfully.
Get Certification Campaign
Gets data about the specified certification campaign.
Field | Required? | Description |
---|---|---|
Campaign ID | Yes | The ID of the campaign to get. |
If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully.
Form
The Form action assigns the selected form to the specified user with a set deadline. The user receives an email notification with a link to fill out the form. The workflow is paused until the user completes and submits the form.
Forms that are used by workflows can be configured to use data values from the workflow by defining required form inputs. Map workflow variables to these form inputs and the variables can use conditions to pre-populate fields as the default form values. When defined, those inputs become required fields in the workflow form action configuration.
Field | Description |
---|---|
Description | Enter a description. |
Form | Search or select a form from the dropdown list. You can search by name or description. |
Form Inputs | If the selected form has any form inputs, they are displayed here as required fields. Map workflow variables to each of these form inputs to be used as values in the form. |
Array Type Form Input | If the selected form has any form inputs of type "array", they are displayed here as required fields with additional subfields for each. Map workflow variables to each of these form inputs to be used as values in the form. |
Array Value | Select the variable for the values used as form data sent back to the workflow from the selection made in the form Select field. |
Array Label | Select the variable for the main values displayed as options in the form Select field dropdown. |
Array Sublabel | Optionally, select the variable for the secondary values displayed under the label in the form Select field dropdown. |
Recipient | Select the Identity Security Cloud user to fill out the form. |
Notification Subject | Enter a subject line for the email notification. |
Notification Body | Enter the text of the email notification. The link to the form is automatically added to the end of the notification body. |
Form Submission Deadline | Select a deadline for how long the recipient has to complete the form. The maximum allowed time is 30 days or 720 hours. |
Reminder Body | Enter the text of the reminder email notification. The link to the form is automatically added to the end of the notification body. |
Form Submission Reminder | Select when to send a reminder notification if the form has not been submitted, up to 29 days or 696 hours. |
Get Access
Gets a set of access items held by a selected identity or found through a search query. This step returns a maximum of 250 access items and is often used in conjunction with the Manage Access step.
Field | Description |
---|---|
Access Selection Method | Select how to determine the access that will be returned. Options are By Identity and By Search Query. |
If you select By Identity: | |
By Identity | Select an identity from the dropdown list, or use Choose Variable to select an identity from the input. |
If you select By Search Query: | |
By Search Query | Enter a search query to return specific access. |
By Search Query Example
The following examples use JSONPath to get the access profile that was selected in a preceding Form step.
Where the Maximum Selection field is set to 1:
id: {{$.form.formData.accessProfile}}
Where the Maximum Selection field is set to greater than 1:
id: {{$.form.formData.accessProfile[0].id}}
Underneath these fields, you select the checkbox beside the types of access you want to return. The options are access profiles, roles, and entitlements.
This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully. The sample JSON blob below includes an entitlement, a role, and an access profile. This is the format that the Manage Access step expects.
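The two By Search Query examples above differ only in the shape of the Form step's output: a single selection stores one ID, a multi-selection stores a list of objects. The following added example (not part of the original page) resolves these `{{$.…}}` placeholders against constructed data-flow entries and refuses to build a query when the path lands on a list instead of a single ID; the data shapes, IDs and function names are assumptions.

```python
import re

# Constructed sample data-flow entries, shaped as the text above describes the
# Form step output ($.form.formData.<field>). The shapes are assumptions:
# Maximum Selection = 1 stores the chosen ID as a string, Maximum Selection > 1
# stores a list of objects that each carry an "id".
FORM_DATA_SINGLE = {"form": {"formData": {"accessProfile": "2c918084a1b2c3d4"}}}
FORM_DATA_MULTI = {"form": {"formData": {"accessProfile": [
    {"id": "2c918084a1b2c3d4", "name": "Finance Readers"},
    {"id": "2c918084e5f60718", "name": "HR Readers"},
]}}}

# {{ $.path }} placeholders as used in the By Search Query field.
TEMPLATE_RE = re.compile(r"\{\{\s*(\$[^}]*?)\s*\}\}")
# One JSONPath segment: ".name" or "[index]".
SEGMENT_RE = re.compile(r"\.([A-Za-z_]\w*)|\[(\d+)\]")


def resolve_jsonpath(data, path):
    """Resolve a dotted/indexed JSONPath such as $.form.formData.x[0].id.

    Only the subset the examples use is supported (member access and a
    numeric index); anything else is rejected rather than guessed at.
    """
    if not path.startswith("$"):
        raise ValueError(f"JSONPath must start with '$': {path!r}")
    current = data
    pos = 1
    for match in SEGMENT_RE.finditer(path, pos):
        if match.start() != pos:
            raise ValueError(f"unsupported JSONPath syntax at offset {pos} in {path!r}")
        name, index = match.groups()
        if name is not None:
            if not isinstance(current, dict) or name not in current:
                raise KeyError(f"{name!r} not found while resolving {path!r}")
            current = current[name]
        else:
            if not isinstance(current, list):
                raise TypeError(f"{match.group(0)} applied to a non-list in {path!r}")
            if int(index) >= len(current):
                raise IndexError(f"index {index} out of range in {path!r}")
            current = current[int(index)]
        pos = match.end()
    if pos != len(path):
        raise ValueError(f"unsupported JSONPath syntax at offset {pos} in {path!r}")
    return current


def render_query(template, data):
    """Fill the {{ ... }} placeholders of a By Search Query value from the data flow.

    A placeholder must resolve to a single scalar. If the Form step allowed
    more than one selection and the template still uses the single-selection
    path, the value is a list and the query would be nonsense, so fail loudly.
    """
    def substitute(match):
        path = match.group(1)
        value = resolve_jsonpath(data, path)
        if isinstance(value, (dict, list)):
            raise TypeError(
                f"{path} resolves to a {type(value).__name__}, not a single ID; "
                "for Maximum Selection > 1 use the [0].id form"
            )
        return str(value)
    return TEMPLATE_RE.sub(substitute, template)


def selected_ids(data, list_path):
    """Return every selected ID of a Maximum Selection > 1 form field."""
    items = resolve_jsonpath(data, list_path)
    if not isinstance(items, list):
        raise TypeError(f"{list_path} is not a list of selections")
    return [item["id"] for item in items]


if __name__ == "__main__":
    print(render_query("id: {{$.form.formData.accessProfile}}", FORM_DATA_SINGLE))
    print(render_query("id: {{$.form.formData.accessProfile[0].id}}", FORM_DATA_MULTI))
    print(selected_ids(FORM_DATA_MULTI, "$.form.formData.accessProfile"))
```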
Get Accounts
Gets one or more source accounts. This step returns a maximum of 250 accounts and is often used in conjunction with Manage Accounts.
Field | Description |
---|---|
Account Selection Method | Select By Identity to choose an identity and return its accounts. Select By Account Data to filter the accounts returned by details about the accounts. |
If you selected By Identity: | |
Accounts By Identity | Select an identity using the dropdown list or use Choose Variable to select the technical ID of an identity from the input. All accounts of the selected identity will be returned. |
If you selected By Account Data: | |
Account Details | Select the account detail to match on. Options include the Technical ID of the account, the technical Identity ID, the Account Name, the native Account ID, the Source ID, and the Uncorrelated status. |
Operator | How to compare the value of the selected account detail with the Value field below. At this time, the valid option is Equals. |
Value | Enter the value to compare with the selected account detail. Accounts whose detail matches this value are returned. |
This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully.
HTTP Request
Makes an HTTP request to an external system. If the external system provides a response, it must be in JSON format.
This step will time out if it takes longer than 90 seconds to complete.
Field | Description |
---|---|
Authentication Type | The type of authentication to use. The options for this field are Basic Authentication, Custom Authorization, and OAuth 2.0 - Client Credentials Grant. |
If you selected Basic Authentication: | |
User Name | The user name authorized to access the HTTP service. |
Password | The password corresponding to the user name. |
Method | The HTTP method to use. The options are POST, GET, PUT, PATCH, and DELETE. |
Request URL | The URL of the service endpoint. |
Query Parameters | The parameters appended to the URL. |
Request Headers | The headers required by the service endpoint. |
If you selected Custom Authorization: | |
Header Name | The name or key required by the HTTP service. |
Header Value | The value required by the HTTP service. |
Request URL | The URL of the service endpoint. |
Query Parameters | The parameters appended to the URL. |
Method | The HTTP method to use. The options are POST, GET, PUT, PATCH, and DELETE. |
If you selected OAuth 2.0 - Client Credentials Grant: | |
Token URL | The URL to retrieve the token. |
Client ID | The client ID, similar to a user name. |
Client Secret | The client secret, similar to a password. |
Credential Location | Whether to include the credentials in the header or the body of the request. This is determined by the requirements of the external system being called. If the credentials are in the incorrect part of the request, the workflow might return a 401 error. |
Scope | The scope parameters required by some third-party systems. To include multiple scope values in a single parameter, separate values with spaces. To include multiple scope values in multiple parameters, separate values with new lines. |
Request URL | The URL of the service endpoint. |
Query Parameters | The parameters appended to the URL. |
Request Headers | The headers required by the service endpoint. |
If you selected POST, PUT, or PATCH in the Method field of any of the above options: | |
Request Content Type | The type of content to include in the request body. The options are CSV, Form, JSON, and plain text. |
Request Body | The body of your request in the format you specified. |
Note
The HTTP Request action does not support endpoints requiring the QUIC protocol.
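For the OAuth 2.0 - Client Credentials Grant option, the Credential Location and Scope fields decide what the token request looks like on the wire, and the wrong location is the usual cause of the 401 mentioned above. The following added example (not the workflow builder's own code) assembles that request for both locations, splits the Scope text by the page's space/newline rule, and interprets the reply; the function names, the "header"/"body" labels, the `example.test` URL and the client values are assumptions.

```python
import base64
import json
from urllib.parse import quote, urlencode


def parse_scope(scope_text):
    """Split the Scope field the way the text above describes.

    Each line becomes its own scope parameter; values on one line stay
    together, space-separated, inside that single parameter.
    """
    return [" ".join(line.split()) for line in scope_text.splitlines() if line.strip()]


def build_token_request(token_url, client_id, client_secret, credential_location, scope_text=""):
    """Assemble the client-credentials token request (RFC 6749 section 4.4).

    credential_location is "header" (HTTP Basic, RFC 6749 section 2.3.1) or
    "body" (client_id/client_secret form fields). Nothing is sent; the
    returned dict shows exactly what would go on the wire.
    """
    if credential_location not in ("header", "body"):
        raise ValueError("credential_location must be 'header' or 'body'")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    fields = [("grant_type", "client_credentials")]
    fields += [("scope", value) for value in parse_scope(scope_text)]
    if credential_location == "header":
        # RFC 6749 2.3.1: form-urlencode each part before Basic-encoding the pair.
        pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        fields += [("client_id", client_id), ("client_secret", client_secret)]
    return {"method": "POST", "url": token_url, "headers": headers, "body": urlencode(fields)}


def parse_token_response(status, body_text):
    """Interpret the token endpoint's reply; raise with a useful hint on failure."""
    if status == 401:
        raise PermissionError(
            "401 from token endpoint: verify Client ID/Secret and whether the "
            "provider wants the credentials in the header or the body"
        )
    try:
        payload = json.loads(body_text)
    except json.JSONDecodeError as exc:
        raise ValueError("token endpoint reply is not JSON") from exc
    if status != 200 or "access_token" not in payload:
        raise ValueError(f"unexpected token response (HTTP {status}): {payload}")
    return payload["access_token"], payload.get("token_type", "Bearer")


if __name__ == "__main__":
    # Constructed placeholder values; no real endpoint is contacted.
    req = build_token_request(
        "https://idp.example.test/oauth2/token", "wf-client", "s3cret",
        "header", "read:users write:groups\naudit",
    )
    print(json.dumps(req, indent=2))
```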
Identity Actions
Actions related to identities, their activity, and their attributes.
Get Identities
Gets data about a list of one or more identities, including all their default and custom attributes. This step returns a maximum of 250 identities.
In the Find Identities By field, choose how to find the identities you want to manage. Additional fields appear based on the option you select.
Field | Description |
---|---|
Search Query | Enter a search query to return one or more identities. |
Saved Search | Choose a saved search from the dropdown list. |
Tag | Find identities that have a specific tag. |
Managers | Select one or more managers. All of the identities that report to one of those managers will be returned. |
Direct Reports | Select one or more identities. All of the managers of those identities will be returned. |
This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully.
Get Identity
Gets data about a single identity, including all of their default and custom attributes.
Field | Required? | Description |
---|---|---|
Identity ID | Yes | The technical ID of the identity to get. |
This step will time out if it takes longer than 1 minute to complete.
This action returns a JSON blob when it completes successfully.
Get Identity History
Gets the audit events related to access changes for a specific identity.
Field | Description |
---|---|
Identity | Select an identity, or enter a JSONPath expression to select the technical ID of an identity. Audit events from the selected identity will be returned. |
From | Optionally choose a date to return events only on or after that date. |
Event Type | Optionally enter the type of event to return. These are: AccessItemAssociated, AccessItemRemoved, AttributesChanged, AccessRequested, IdentityCertified, and AccountStatusChanged. |
This step will time out if it takes longer than 1 minute to complete.
Interactive Process Actions
Actions related to the Interactive Process.
Add interactive forms and messages to display to a user within the Interactive Process.
Interactive Form
Adds a form for a user to fill out during the interactive process.
This action assigns the selected form to users who launch the Interactive Process, with a 30-day deadline to complete the interactive form.
Any additional fields that populate in the configuration panel come from the selected form.
Forms that are used by workflows can be configured to use data values from the workflow by defining required form inputs. Map workflow variables to these form inputs and the variables can use conditions to pre-populate fields as the default form values. When defined, those inputs become required fields in the workflow form action configuration. For more information, refer to the Form Action.
Field | Description |
---|---|
Description | Enter a description. |
Form | Search or select a form from the dropdown list. You can search by name or description. |
Title | Enter a title to display with the message during the Interactive Process. |
Message | Enter a message to display during the Interactive Process with the form. Select the ellipses icon to access the message formatting tools. |
Interactive Message
Displays a message to the user during the interactive process.
Field | Description |
---|---|
Description | Enter a description. |
Category | Select a category for the Interactive Process block that the message displays in. |
Title | Enter a title to display with the message during the Interactive Process. |
Message | Enter a message to display during the Interactive Process. Select the ellipses icon to access the message formatting tools. |
The maximum allowed size for an interactive message body is 400KB.
Privileged Task Automation Actions
Actions related to the Privileged Task Automation process.
Some of the Actions for Privileged Task Automation have commands that make the action act in a specific way. Select the required command and configure the new fields.
Active Directory
Manages Active Directory objects using the LDAPS protocol.
This action provides several command options to choose from, such as listing users and creating a group.
Select the command to run during configuration of the action.
Important
You must have a credential provider and know the secret path expressions. For more information, refer to Credential Provider Secret Path Expressions.
Field | Description |
---|---|
Description | View and manage objects in Active Directory. |
Privilege Cluster | Select a Privilege Gateway cluster. |
Command | Select a command. |
Active Directory Group Commands
Commands related to managing and creating Active Directory security groups.
Add Group Member
Adds the provided distinguished user to the provided Active Directory distinguished group.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Distinguished Name | Enter the distinguished name of the group. |
Member Distinguished Name | Enter the distinguished name of the member to add. |
Create Group
Creates a new Active Directory group.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
SAM Account Name | Enter the SAM account name of the group to create. |
Name | Enter the name of the group to create. |
Distinguished Name | Enter the distinguished name of the group to create. |
Group Type | Select the type of group to create. Defaults to Global Security. |
Get Group by Distinguished Name
Retrieves the Active Directory group with the provided Distinguished Name.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Distinguished Name | Enter the distinguished name of the group to retrieve. |
Get Group by SAM Account Name
Retrieves the Active Directory group with the provided SAM Account Name.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
SAM Account Name | Enter the SAM account name of the group to retrieve. |
List Groups
Retrieves the Active Directory groups with the provided scope.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Search Base DN | Enter the directory location to start looking for groups. If empty, this defaults to the domain root. |
Search Scope | Select the depth of the search operation. Defaults to One Level. |
Limit | The maximum number of results to return. If the limit is set greater than 500, only the first 500 results will be passed to a form. |
Remove Group Member
Removes the provided distinguished user from the provided Active Directory distinguished group.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Distinguished Name | Enter the distinguished name of the group. |
Member Distinguished Name | Enter the distinguished name of the member to remove. |
Search Groups
Retrieves the Active Directory groups with the provided LDAP attribute values within the selected scope and base.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Search Parameters | Select Add Another to add a new key-value pair entry containing LDAP attributes and values. Refer to the table below for searchable attributes. |
Search Base DN | Enter the directory location to start looking for groups. If empty, this defaults to the domain root. |
Search Scope | Select the depth of the search operation. Defaults to One Level. |
Limit | The maximum number of results to return. If the limit is set greater than 500, only the first 500 results will be passed to a form. |
Searchable key-value pair LDAP attributes:
Attribute |
---|
cn |
groupType (with the value:) |
owner |
company |
info |
sAMAccountName |
description |
location |
sAMAccountType |
displayName |
managedBy |
distinguishedName |
name |
Set Group Manager
Sets the manager for the selected Active Directory group.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Distinguished Name | Enter the distinguished name of the group. |
Manager Distinguished Name | Enter the distinguished name of the new manager. |
Active Directory Organizational Unit Commands
Commands related to retrieving Active Directory organizational units.
Get OU by Name
Retrieves the Active Directory organizational unit with the provided Name.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Name | Enter the name of the OU to retrieve. |
List OUs
Retrieves the Active Directory organizational units with the selected scope.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Search Base DN | Enter the directory location to start looking for OUs. If empty, this defaults to the domain root. |
Search Scope | Select the depth of the search operation. Defaults to One Level. |
Limit | The maximum number of results to return. If the limit is set greater than 500, only the first 500 results will be passed to a form. |
Search OUs
Retrieves the Active Directory organizational units with the provided LDAP attribute values within the selected scope and base.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Search Parameters | Select Add Another to add a new key-value pair entry containing LDAP attributes and values. Refer to the table below for searchable attributes. |
Search Base DN | Enter the directory location to start looking for OUs. If empty, this defaults to the domain root. |
Search Scope | Select the depth of the search operation. Defaults to One Level. |
Limit | The maximum number of results to return. If the limit is set greater than 500, only the first 500 results will be passed to a form. |
Searchable key-value pair LDAP attributes:
Attribute |
---|
distinguishedName |
name |
ou |
Active Directory User Commands
Commands related to retrieving Active Directory user accounts.
Get User by Distinguished Name
Retrieves the Active Directory user with the provided Distinguished Name.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Distinguished Name | Enter the distinguished name of the user to retrieve. |
Get User by SAM Account Name
Retrieves the Active Directory user account with the provided SAM Account Name.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
SAM Account Name | Enter the SAM account name of the user to retrieve. |
List Users
Retrieves the Active Directory users with the provided scope.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Search Base DN | Enter the directory location to start looking for users. If empty, this defaults to the domain root. |
Search Scope | Select the depth of the search operation. Defaults to One Level. |
Limit | The maximum number of results to return. If the limit is set greater than 500, only the first 500 results will be passed to a form. |
Search Users
Retrieves the Active Directory users with the provided LDAP attribute values within the selected scope and base.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Search Parameters | Select Add Another to add a new key-value pair entry containing LDAP attributes and values. Refer to the table below for searchable attributes. |
Search Base DN | Enter the directory location to start looking for users. If empty, this defaults to the domain root. |
Search Scope | Select the depth of the search operation. Defaults to One Level. |
Limit | The maximum number of results to return. If the limit is set greater than 500, only the first 500 results will be passed to a form. |
Searchable key-value pair LDAP attributes:
Attribute |
---|
cn |
givenName |
owner |
comment |
info |
physicalDeliveryOfficeName |
company |
l |
postalCode |
department |
location |
sAMAccountName |
description |
mail |
sAMAccountType |
displayName |
manager |
sn |
distinguishedName |
mobile |
userPrincipalName |
division |
name |
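The Search Parameters field of the Search OUs and Search Users steps takes LDAP attribute/value pairs. As an added illustration, not SailPoint's implementation, the Python below restricts the attributes to the lists on this page and escapes the values per RFC 4515 before they are composed into a filter; that the step combines several pairs with AND, and the sample values, are assumptions.

```python
# Added example (not SailPoint's implementation): validate the key-value
# Search Parameters for the Search OUs / Search Users steps against the
# attribute lists on this page and escape values per RFC 4515 before they
# reach an LDAP filter. That the step ANDs its parameters is an assumption.

SEARCHABLE_OU_ATTRIBUTES = frozenset({"distinguishedName", "name", "ou"})

SEARCHABLE_USER_ATTRIBUTES = frozenset({
    "cn", "givenName", "owner", "comment", "info", "physicalDeliveryOfficeName",
    "company", "l", "postalCode", "department", "location", "sAMAccountName",
    "description", "mail", "sAMAccountType", "displayName", "manager", "sn",
    "distinguishedName", "mobile", "userPrincipalName", "division", "name",
})

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so that input cannot alter the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value. An asterisk becomes a literal character,
    so a caller who wants wildcard matching must add it after escaping."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(params: dict, allowed=SEARCHABLE_USER_ATTRIBUTES) -> str:
    """Compose an LDAP filter from the step's key-value pairs.

    Attributes outside the allowed set are rejected instead of being passed
    to the directory, and every value is escaped. Several pairs are combined
    with AND, which is how the page's Search Parameters field is read here.
    """
    if not params:
        raise ValueError("at least one search parameter is required")
    clauses = []
    for attr, value in params.items():
        if attr not in allowed:
            raise ValueError(f"attribute {attr!r} is not searchable for this step")
        clauses.append(f"({attr}={escape_filter_value(str(value))})")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed input: a department lookup whose value contains filter
    # metacharacters, as it might arrive from a form or an earlier step.
    print(build_search_filter({"department": "R&D (EMEA)", "l": "Berlin"}))
    print(build_search_filter({"ou": "Sales*"}, allowed=SEARCHABLE_OU_ATTRIBUTES))
```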
Unlock User
Unlocks the user with the provided Distinguished Name.
Field | Description |
---|---|
Domain Controller Address | Enter the IP or DNS address of the target domain controller. |
LDAPS Port | Enter the port to use when connecting to the domain controller. |
Domain FQDN | Enter the Fully Qualified Domain Name (FQDN) of the target domain. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the domain controller. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the domain controller. |
Distinguished Name | Enter the distinguished name of the user to unlock. |
Windows Server
Manages Active Directory objects using the WinRM protocol.
This action provides several command options to choose from, such as listing services and enabling firewall rules.
Select the command to run during configuration of the action.
Important
You must have a credential provider and know the secret path expressions. For more information, refer to Credential Provider Secret Path Expressions.
Field | Description |
---|---|
Description | View and modify services and DNS records on a Windows Server. |
Privilege Cluster | Select a Privilege Gateway cluster. |
Command | Select a command. |
Windows Server Firewall Commands
Commands related to managing Windows Server Firewall rules.
Disable Firewall Rule
Disables the Windows Server Firewall rule for the provided ID.
Field | Description |
---|---|
Server Address | Enter the IP or DNS address of the target Windows server. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the Windows server. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the Windows server. |
Rule ID | Enter the ID of the rule to disable. |
Use SSL | Select whether to use SSL when connecting to the Windows server. |
Verify Server Certificate | Select whether to verify the target server’s certificate. |
Enable Firewall Rule
Enables the Windows Server Firewall rule for the provided ID.
Field | Description |
---|---|
Server Address | Enter the IP or DNS address of the target Windows server. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the Windows server. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the Windows server. |
Rule ID | Enter the ID of the rule to enable. |
Use SSL | Select whether to use SSL when connecting to the Windows server. |
Verify Server Certificate | Select whether to verify the target server’s certificate. |
Get Firewall Rule
Retrieves the Windows Server Firewall rule for the provided ID.
Field | Description |
---|---|
Server Address | Enter the IP or DNS address of the target Windows server. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the Windows server. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the Windows server. |
Rule ID | Enter the ID of the rule to retrieve. |
Use SSL | Select whether to use SSL when connecting to the Windows server. |
Verify Server Certificate | Select whether to verify the target server’s certificate. |
List Inbound Firewall Rules
Retrieves the Windows Server Firewall rules for the provided state.
Field | Description |
---|---|
Server Address | Enter the IP or DNS address of the target Windows server. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the Windows server. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the Windows server. |
Firewall Rule State | Select whether to retrieve enabled, disabled, or all rules. |
Use SSL | Select whether to use SSL when connecting to the Windows server. |
Verify Server Certificate | Select whether to verify the target server’s certificate. |
Windows Server Service Commands
Commands related to managing services on a Windows Server.
Get Service by Name
Retrieves the Windows Server service with the provided name.
Field | Description |
---|---|
Server Address | Enter the IP or DNS address of the target Windows server. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the Windows server. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the Windows server. |
Service Name | Enter the name of the service to retrieve. |
Use SSL | Select whether to use SSL when connecting to the Windows server. |
Verify Server Certificate | Select whether to verify the target server’s certificate. |
List Services
Retrieves the services for the provided Windows Server.
Field | Description |
---|---|
Server Address | Enter the IP or DNS address of the target Windows server. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the Windows server. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the Windows server. |
Use SSL | Select whether to use SSL when connecting to the Windows server. |
Verify Server Certificate | Select whether to verify the target server’s certificate. |
Update Service State
Updates the state of the named Windows Server service using the selected service state action.
Field | Description |
---|---|
Server Address | Enter the IP or DNS address of the target Windows server. |
Authentication Username | Enter the secret URL pointing to a username to use when authenticating to the Windows server. |
Authentication Password | Enter the secret URL pointing to a password to use when authenticating to the Windows server. |
Service Name | Enter the name of the service to update. |
Service State Action | Select whether to stop, start, or restart the service. |
Use SSL | Select whether to use SSL when connecting to the Windows server. |
Verify Server Certificate | Select whether to verify the target server’s certificate. |
Manage Access
Adds or removes access items on one or more identities.
Note
Revoke requests for individual entitlements are limited to one entitlement per access request.
This step's input must be a list of objects in the same format as the Get Access step provides. This includes a JSON body similar to this example:
{
  "accessItems": [
    {
      "id": "technicalID",
      "name": "accessItemName",
      "type": "accessItemType"
    }
  ]
}
When this step is used, the workflow submits a request to the external system to process the access change.
- If the access item requires an approval process before it's granted or removed, that process begins and the workflow continues as soon as the request has been submitted, without waiting for the request to be granted or denied.
- If you need to wait for the access request to be decided before the workflow continues, end this workflow and create a new one using the Access Request Decision trigger.
- If the access item doesn't require approval, the workflow does not wait for confirmation from the source that the access was updated before continuing.
- If you need to make sure the access is updated on the identity's source account before the workflow continues, add a Wait step after the Manage Access step.
Important
A successful outcome for the Manage Access action does not guarantee that access requests are granted. The Manage Access action outputs two attributes, successfulAccessRequests and failedAccessRequests. A workflow whose result contains a failedAccessRequests attribute will NOT fail the workflow execution; the workflow will still be marked successful in workflow execution log reports.
Field | Description |
---|---|
Request Type | Choose whether to add or remove access. |
Identities | Select one or more identities from the dropdown list that should receive this access or have it removed. You can also use Choose Variable to choose the technical IDs of the identities using JSONPath. |
Access to Manage | Select the access items to manage. The input to this step must be a list of access objects in the format listed above. The Get Access step provides this input in the correct format. |
Comments | Provide a comment about why this access is changing. |
If you selected Add Access under Request Type: | |
Select Duration | Optionally enter the length of time that the user should have the access and select a unit. |
This step will time out if it takes longer than 30 minutes to receive a response from the external system.
This action returns a JSON blob when it completes successfully.
Manage Accounts
Deletes, disables, enables, or unlocks a source account.
Field | Description |
---|---|
Account Action | Select an action to take on the selected accounts. Valid options are Delete, Disable, Enable, or Unlock. |
Select Accounts | Choose one or more accounts to act on. If selecting the IDs of accounts from the Get Accounts step, use the JSONPath $.getAccounts.accounts[*].id. The [*].id must be appended to the variable chosen by the Variable Selector. |
Note
The Delete option is only applicable to accounts on flat file sources.
This step will time out if it takes longer than 1 hour to complete.
This action returns a JSON blob when it completes successfully. The object in this JSON body is the ID of the account that was updated.
Manage ServiceNow Ticket
Creates a new ServiceNow ticket, or returns or updates the status of an existing ticket.
This step will time out if it takes longer than 300 seconds to complete.
Field | Description |
---|---|
Authentication Type | Select the type of authentication. |
Request URL | Enter the ServiceNow endpoint's URL. |
Action | Select the action you want to perform. The options are Create new ticket, Update ticket status, and Get ticket status. |
If you selected OAuth 2.0 - Client Credentials Grant under Authentication Type: | |
Token URL | Enter the URL of the token. |
Client ID | Enter your client ID. |
Client Secret | Enter your client secret. |
ServiceNow Username | Enter the username authorized to access ServiceNow. |
ServiceNow Password | Enter the password corresponding to the username. |
Request URL | Enter the ServiceNow endpoint's URL. |
If you selected Basic Authentication under Authentication Type: | |
ServiceNow Username | Enter the username authorized to access ServiceNow. |
ServiceNow Password | Enter the password corresponding to the username. |
Request URL | Enter the ServiceNow endpoint's URL. |
If you selected Create new ticket under Action: | |
Caller | Enter the ServiceNow username of the caller. |
Watchlist | Enter the ServiceNow usernames of users you want to receive notifications about this ticket. |
Short Description | Enter a short description about the ticket. |
Description | Add additional details about the ticket. |
Category | Enter a category for the ticket. |
Sub-Category | Enter a sub-category for the ticket. |
Urgency | Select the urgency of the ticket. |
Additional Fields | Enter any additional fields required by ServiceNow and their values in key:value pairs, separated by line breaks. |
If you selected Update ticket status under Action: | |
Ticket ID | Enter the ID of the ticket you want to update. |
Status | Select the ticket's new status. |
If you selected Get ticket status under Action: | |
Ticket ID | Enter the ID of the ticket you want to get the status of. |
This action returns a JSON blob when it completes successfully.
Send Email
Sends an email to the specified identity.
Field | Required? | Description |
---|---|---|
Recipient Email Addresses | Yes | The email address that should receive this email. Select or enter up to 10 email addresses. |
From | No | The email address to use as the sender address. This must be a verified email address. If left blank, this uses the "From" address on the Branding page. |
Reply-To Address | No | The email address to use as the reply-to address. If left blank, this uses the "From" address on the Branding page. |
Subject | No | The subject line of the email. |
Body | No | The body of the email. Select the ellipses icon to access the message formatting tools. |
Templating Context | No | The map of variables to be passed to the email template. Use the format {"variable1.$":"$.JSONPathVariableSelection1", "variable2.$":"$.JSONPathVariableSelection2"}. The variable in each map entry represents the value selected by the JSONPath in the second part of that entry, and is referenced in the email template using the format ${variable}. |
Note
Scripting tags can be edited inside the source view of the WYSIWYG editor. To edit them, select the Source Code icon on the WYSIWYG toolbar.
Templating Context Example
Workflows use namespaces to indicate where variables originate. If the origin is an action or operator, the technical name of the step is used as the first word in the JSONPath expression. If the origin is a trigger, trigger is used as the first word in the JSONPath expression.
The following example uses JSONPath to select the username of an identity in the Get Identity step and assign it the variable "name":
{"name.$":"$.getIdentity.name"}
The following example uses JSONPath to select the username of an identity in the Form Submitted trigger and assign it the variable "name":
{"name.$":"$.trigger.formData.fieldName"}
In either example, to use the username variable within the body of the email, enter the following in the Body field:
"Your username is ${name}."
In the final rendered email, the identity's username will be displayed in place of the variable.
This step will time out if it takes longer than 1 minute to complete.
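As an added illustration, not SailPoint's implementation, the Python below resolves the `$`-rooted JSONPath forms this page uses (dotted step and trigger names, plus the `[*]` wildcard from the Manage Accounts step) against a constructed data flow, evaluates a Templating Context map, and renders the `${variable}` placeholders in a Body; the sample data flow and the treatment of keys without the `.$` suffix as fixed values are assumptions.

```python
import re
from typing import Any

# Constructed sample of a workflow data flow (values are made up): a Form
# Submitted trigger payload, a Get Identity step whose technical name is
# "getIdentity", and a Get Accounts step named "getAccounts".
SAMPLE_DATA_FLOW = {
    "trigger": {"formData": {"fieldName": "jsmith"}},
    "getIdentity": {"name": "jsmith"},
    "getAccounts": {"accounts": [{"id": "acc-1"}, {"id": "acc-2"}]},
}

# One JSONPath step: a dotted key, or the [*] wildcard over a list.
_TOKEN = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|(\[\*\])")


def resolve_jsonpath(path: str, data: Any) -> Any:
    """Resolve the JSONPath subset used on this page: '$', '.key' and '[*]'.

    A path containing '[*]' yields a list (as $.getAccounts.accounts[*].id
    does); any other path yields one value. Unsupported syntax, or a path
    that selects nothing, raises instead of silently producing a blank.
    """
    if not path.startswith("$"):
        raise ValueError(f"JSONPath must start with '$': {path!r}")
    pos, current = 1, [data]
    while pos < len(path):
        m = _TOKEN.match(path, pos)
        if m is None:
            raise ValueError(f"unsupported JSONPath syntax at {path[pos:]!r}")
        key, nxt = m.group(1), []
        for node in current:
            if key is not None and isinstance(node, dict) and key in node:
                nxt.append(node[key])
            elif key is None and isinstance(node, list):
                nxt.extend(node)
        current, pos = nxt, m.end()
    if not current:
        raise KeyError(f"JSONPath {path!r} selected nothing")
    return current if "[*]" in path else current[0]


def build_context(templating_context: dict, data_flow: Any) -> dict:
    """Evaluate a Templating Context map. A key ending in '.$' (e.g. "name.$")
    is resolved through JSONPath and stored under the key without the suffix.
    Treating any other key as a fixed value is an assumption, not page text."""
    ctx = {}
    for key, value in templating_context.items():
        if key.endswith(".$"):
            ctx[key[:-2]] = resolve_jsonpath(str(value), data_flow)
        else:
            ctx[key] = value
    return ctx


_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def render_body(body: str, ctx: dict) -> str:
    """Substitute ${variable} placeholders in the Body text. A placeholder
    with no context entry raises, so a mistyped JSONPath is caught early."""
    def substitute(m):
        name = m.group(1)
        if name not in ctx:
            raise KeyError(f"template variable ${{{name}}} has no context entry")
        return str(ctx[name])
    return _PLACEHOLDER.sub(substitute, body)
```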
Send Slack Message
Sends a direct Slack message to the specified user. If the user is not found in Slack, an email will be sent instead.
Field | Required? | Description |
---|---|---|
Recipient | Yes | The Identity Security Cloud username of the user that should receive the Slack message. |
Message | Yes | The body of the Slack message. |
Note
The Slack integration with SailPoint is required. Refer to Getting Started with Slack for SailPoint for more information.
Wait
Pauses the workflow's execution for a set period of time.
Field | Required? | Description |
---|---|---|
Type | Yes | Choose Wait For to configure the step to pause for a time duration or Wait Until to wait until a specific date and time. |
If you selected Wait For: | ||
Wait Duration | Yes | The length of time to pause the workflow. Choose a number and select the time unit. Choose a time period between 60 seconds and 30 days. |
If you selected Wait Until: | ||
Future Date | Yes | The date when this workflow should resume, using the local time zone of the admin creating the workflow. This can be pulled from a variable in the workflow. Choose a date no more than 180 days in the future. |
Time | Yes | The time on the specified date when this workflow should resume. This field only appears when the Type is Wait Until. |
This step will time out if it takes longer than 182 days to complete.
To learn more about the process of building a workflow, either in the visual builder or using JSON, visit Creating and Managing Workflows.
Review our lists of triggers and operators that you can use to start and manage your workflow.