
Workflow Steps and Definitions

All workflows are made of several parts:

  • The metadata, where you can define the workflow's name and description.
  • The trigger, which determines the event that causes the workflow to run.
  • The steps, called actions and operators, which define the actions and decisions a workflow makes as it runs.

To better understand how to use these parts to create a workflow, review the following definitions, JSON samples, and, when applicable, the required configuration fields.

Metadata

A workflow's metadata defines basic information about a workflow, such as its name and description.

The metadata about a workflow can be configured either in the UI or using JSON. You can find an example JSON file below, which can be edited to meet your needs.

Open Metadata File JSON Schema

{
  "name": "WORKFLOW NAME",
  "description": "WORKFLOW DESCRIPTION",
  "version": "1.0",
  "definition": {
    "trigger": {},
    "start":"",
    "steps": {}
  }
}
    

Triggers

A trigger is the event that tells the workflow to start. The workflow uses data provided by the input to calculate the results of each action and operator.

Each workflow can have exactly one trigger. The trigger provides the initial input to the workflow.

All available triggers are listed below, each with a sample input, where applicable, that you can use to test a workflow.

You can also use the Filter field to limit when triggers fire.


Access Request Decision

An access request was approved or denied.

This trigger only fires if you have the Access Request service.

Open "Access Request Decision" JSON Sample

{
    "accessRequestId":"4b4d982dddff4267ab12f0f1e72b5a6d",
    "requestedBy":{
        "id":"2c91808b6ef1d43e016efba0ce470906",
        "name":"Adam Admin",
        "type":"IDENTITY"
    },
    "requestedFor":{
        "id":"2c91808b6ef1d43e016efba0ce470909",
        "name":"Ed Engineer",
        "type":"IDENTITY"
    },
    "requestedItemsStatus":[
        {
            "approvalInfo":[
                {
                    "approvalComment":" this is an approval comment",
                    "approvalDecision":"APPROVED",
                    "approver":{
                        "id":"2c91808b6ef1d43d016efba0cf470910",
                        "name":"Stephen Austin",
                        "type":"IDENTITY"
                    },
                    "approverName":"Stephen.Austin"
                }
            ],
            "clientMetadata":{
                "applicationName":"My application"
            },
            "comment":"requester comments",
            "description":"Engineering Access",
            "id":"2a91808b6cf1d43e016efba0cf470904",
            "name":"Engineering Access",
            "operation":"Add",
            "type":"ACCESS_PROFILE"
        }
    ]
}
    

Account Aggregation Completed

An aggregation completed.

Open "Account Aggregation Completed" JSON Sample

{
    "source":{
        "id":"4e4d982afddff4267ab12f0f1e72b5e6d",
        "name":"Corporate Active Directory",
        "type":"SOURCE"
    },
    "status":"Success",
    "started":"2020-06-29T22:01:50.474Z",
    "completed":"2020-06-29T22:02:04.090Z",
    "errors":[

    ],
    "warnings":[
        "Account skipped"
    ],
    "stats":{
        "scanned":200,
        "unchanged":190,
        "changed":6,
        "added":4,
        "removed":3
    }
}
    

Accounts Collected for Aggregation

An account aggregation completed, was terminated, or failed.

Open "Accounts Collected for Aggregation" JSON Sample

{
    "source":{
        "id":"4e4d982dbdff4267ab16f0f1e72b5c6d",
        "name":"Corporate Active Directory",
        "type":"SOURCE"
    },
    "status":"Success",
    "started":"2020-06-29T22:01:50.474Z",
    "completed":"2020-06-29T22:02:04.090Z",
    "errors":[
    ],
    "warnings":[
        "Account skipped"
    ],
    "stats":{
        "scanned":200,
        "unchanged":190,
        "changed":6,
        "added":4,
        "removed":3
    }
}
    

Campaign Activated

A certification campaign was activated.

This trigger only fires if you have the Certifications service.

Open "Campaign Activated" JSON Sample

{
    "campaign":{
        "id":"2c91848576f886190176e88cac6a0010",
        "name":"Manager Access Campaign",
        "description":"Audit access for all employees.",
        "created":"2021-02-16T03:04:45.815Z",
        "modified":null,
        "deadline":"2021-03-16T03:04:45.815Z",
        "type":"MANAGER",
        "campaignOwner":{
            "id":"37f081867702e1910177031820c40n27",
            "displayName":"John Snow",
            "email":"john.snow@example.com"
        },
        "status":"ACTIVE"
    }
}
    

Campaign Ended

A certification campaign ended.

This trigger only fires if you have the Certifications service.

Open "Campaign Ended" JSON Sample

{
    "campaign":{
        "id":"2c91808576f846190176f81cac5a0810",
        "name":"Manager Access Campaign",
        "description":"Audit access for all employees.",
        "created":"2021-02-16T03:04:45.815Z",
        "modified":null,
        "deadline":"2021-03-16T03:04:45.815Z",
        "type":"MANAGER",
        "campaignOwner":{
            "id":"37f080867705c1910177031220c40e27",
            "displayName":"John Snow",
            "email":"john.snow@example.com"
        },
        "status":"COMPLETED"
    }
}
    

Campaign Generated

A certification campaign finished generating.

This trigger only fires if you have the Certifications service.

Open "Campaign Generated" JSON Sample

{
    "campaign":{
        "id":"2c91834576f886190176f88efc5a0010",
        "name":"Manager Access Campaign",
        "description":"Audit access for all employees.",
        "created":"2021-02-16T03:04:45.815Z",
        "modified":null,
        "deadline":null,
        "type":"MANAGER",
        "campaignOwner":{
            "id":"37f082867702c1910177031320c60n27",
            "displayName":"John Snow",
            "email":"john.snow@example.com"
        },
        "status":"STAGED"
    }
}
    

Certification Signed Off

A certification reviewer signed off on their certifications.

This trigger only fires if you have the Certifications service.

Open "Certification Signed Off" JSON Sample

{
    "certification":{
        "id":"2c91208574f836190176b88caf0d0167",
        "name":"Manager Access Review for Alice Baker",
        "created":"2020-02-16T03:04:45.815Z",
        "modified":null,
        "campaignRef":{
            "campaignType":"MANAGER",
            "description":"Audit access for all employees.",
            "type":"CAMPAIGN",
            "id":"2c91808576f896190176f38cac5c0010",
            "name":"Manager Access Campaign"
        },
        "completed":true,
        "hasErrors":false,
        "errorMessage":null,
        "decisionsMade":50,
        "decisionsTotal":50,
        "due":"2020-03-16T03:04:45.815Z",
        "signed":"2020-03-04T03:04:45.815Z",
        "reviewer":{
            "name":"Reviewers group",
            "id":"6a80321c-8d11-40bc-a3c8-29e2660b85e8",
            "type":"GOVERNANCE_GROUP",
            "email":null
        },
        "campaignOwner":{
            "id":"37f081867702c1910179031320c40n27",
            "displayName":"John Snow",
            "email":"john.snow@example.com"
        },
        "reassignment":{
            "comment":"Changing reviewer.",
            "from":{
                "id":"8a89c6de77ef762f0177ef7f52f10004",
                "name":"Manager Access Review for Charlie Davis",
                "type":"CERTIFICATION",
                "reviewer":{
                    "id":"2c9180867702c1910177031320c4010c",
                    "name":"Charlie Davis",
                    "type":"IDENTITY",
                    "email":"charlie.davis@example.com"
                }
            }
        },
        "phase":"SIGNED",
        "entitiesCompleted":12,
        "entitiesTotal":12
    }
}
    

External Trigger

A third-party system triggered a workflow based on configurations made on that system and within your SaaS platform.

Because the input provided to the workflow by the external trigger varies depending on the external site and API, it's not possible to use the variable selector in future steps to choose variables from this trigger.

However, you can still select values from this trigger in later steps with JSONPath (Goessner implementation) by including the trigger field in your JSONPath expression.

For example, if your external system provides the following input to your workflow when the trigger is fired:


{
    "name":"Sherri",
    "email":"sherri@email.com"
}

You can use the following JSONPath expression to select the value of the name field in a future action:

$.trigger.name
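Added example (not from the original page): a small resolver for the dotted and bracketed subset of JSONPath, showing that the external system's input is reachable only under the trigger field and that a missing field raises an error rather than yielding an empty value. The context layout follows the `$.trigger.name` expression above; `parse_path`, `select` and `CONTEXT` are hypothetical names.

```python
import re

# One step of the supported subset: .name, [0] or ['quoted name'].
_TOKEN = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]|\['([^']*)'\]")

# Input sent by the external system (the sample from this page).
EXTERNAL_INPUT = {"name": "Sherri", "email": "sherri@email.com"}

# Assumption: the workflow exposes that input to later steps under "trigger",
# as the page's $.trigger.name expression implies.
CONTEXT = {"trigger": EXTERNAL_INPUT}


def parse_path(path):
    """Split a JSONPath such as $.trigger.items[0] into a list of steps."""
    if not path.startswith("$"):
        raise ValueError("JSONPath must start with '$'")
    steps, pos = [], 1
    while pos < len(path):
        match = _TOKEN.match(path, pos)
        if match is None:
            raise ValueError("unsupported JSONPath syntax at offset %d" % pos)
        name, index, quoted = match.groups()
        if index is not None:
            steps.append(int(index))
        else:
            steps.append(name if name is not None else quoted)
        pos = match.end()
    return steps


def select(context, path):
    """Resolve path against context; raise LookupError if any step is absent.

    Failing loudly matters here: the external system decides the shape of the
    input, so a later step must not silently continue with a missing value.
    """
    node = context
    for step in parse_path(path):
        if isinstance(step, int):
            if not isinstance(node, list) or step >= len(node):
                raise LookupError("no element %d in %s" % (step, path))
        elif not isinstance(node, dict) or step not in node:
            raise LookupError("no field %r in %s" % (step, path))
        node = node[step]
    return node


if __name__ == "__main__":
    print(select(CONTEXT, "$.trigger.name"))
    try:
        select(CONTEXT, "$.name")  # the trigger prefix is missing
    except LookupError as exc:
        print("not found:", exc)
```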

To use an external trigger, you must generate an access token using the information provided in the trigger. You can find an overview of generating an access token below.

Generating an Access Token for an External Trigger

After adding an External Trigger to your workflow:

  1. Select New Access Token.

  2. Copy the Client ID, Client URL, and the Client Secret to a secure location and save them. The Client Secret can't be retrieved once this page is closed.

  3. Use the contents of the text field under Generate OAuth Token to create an OAuth 2.0 token so that your external system can authenticate into your SaaS platform and trigger your workflow.

  4. Use the contents of the text box under Provide Workflow Input to configure your external system to correctly trigger your workflow. Replace the {"sampleJSON":"sampleJSON"} object with the input you want to use in your workflow.

Once you've completed these steps or saved this information in a secure location, you can close the overlay and continue building your workflow.

If you lose the access token for this step and need to generate a new one, you can select this step and choose New Access Token. The previous token will be overwritten.
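Added example (not from the original page or the vendor): one way an external system could carry out steps 3 and 4 with the OAuth 2.0 client-credentials grant, keeping the Client Secret out of source code and the bearer token out of logs. The environment variable names, the function names and the `{"input": ...}` body wrapper are assumptions; take the real token URL and body shape from the Generate OAuth Token and Provide Workflow Input boxes.

```python
import json
import os
import urllib.parse
import urllib.request


def _require_https(url):
    # The client secret and the bearer token must never travel over plain HTTP.
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS endpoint: " + url)
    return url


def token_request(token_url, client_id, client_secret):
    """Build the client-credentials token request (RFC 6749, section 4.4).

    Credentials go in the form body, not the query string, so they do not end
    up in proxy or web-server access logs.
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return _require_https(token_url), headers, body


def trigger_request(client_url, access_token, workflow_input):
    """Build the request that fires the workflow with the given input object."""
    if not isinstance(workflow_input, dict):
        raise TypeError("workflow input must be a JSON object")
    # Assumption: the input is wrapped as {"input": {...}}; copy the exact
    # shape shown under "Provide Workflow Input" if yours differs.
    body = json.dumps({"input": workflow_input}).encode()
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/json",
    }
    return _require_https(client_url), headers, body


def redacted(headers):
    """Return a copy of the headers that is safe to write to a log."""
    return {key: ("Bearer <redacted>" if key == "Authorization" else value)
            for key, value in headers.items()}


def send(url, headers, body, timeout=30):
    """POST the request and return the parsed JSON reply (None if empty)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def fire_workflow(workflow_input):
    # Hypothetical variable names; the values are the Client ID, Client Secret
    # and Client URL saved in step 2, plus the token URL from step 3.
    token = send(*token_request(os.environ["WF_TOKEN_URL"],
                                os.environ["WF_CLIENT_ID"],
                                os.environ["WF_CLIENT_SECRET"]))["access_token"]
    return send(*trigger_request(os.environ["WF_CLIENT_URL"], token,
                                 workflow_input))
```

Because New Access Token overwrites the previous token, update the stored credentials in the external system whenever a new one is generated.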


Identity Attributes Changed

One or more attributes were changed on an identity.

Open "Identity Attributes Changed" JSON Sample

{
    "identity":{
        "id":"ee769173319b41d19ccec6cea52f237b",
        "name":"john.doe",
        "type":"IDENTITY"
    },
    "changes":[
        {
            "attribute":"department",
            "oldValue":"sales",
            "newValue":"marketing"
        },
        {
            "attribute":"manager",
            "oldValue":{
                "id":"ee769173319b41d19ccec6c235423237b",
                "name":"nice.guy",
                "type":"IDENTITY"
            },
            "newValue":{
                "id":"ee769173319b41d19ccec6c235423236c",
                "name":"mean.guy",
                "type":"IDENTITY"
            }
        },
        {
            "attribute":"email",
            "oldValue":"john.doe@hotmail.com",
            "newValue":"john.doe@gmail.com"
        }
    ]
}
    

Identity Created

A new identity was created.

Open "Identity Created" JSON Sample

{
    "identity":{
        "id":"ee769173319b41d19ccec6cea52f237b",
        "name":"john.doe",
        "type":"IDENTITY"
    },
    "attributes":{
        "firstname":"John",
        "lastname":"Doe",
        "email":"john.doe@gmail.com",
        "department":"Sales",
        "displayName":"John Doe",
        "created":"2020-04-27T16:48:33.597Z",
        "employeeNumber":"E009",
        "uid":"E009",
        "inactive":"true",
        "phone":null,
        "identificationNumber":"E009",
        "isManager":false,
        "manager":{
            "id":"ee769173319b41d19ccec6c235423237b",
            "name":"nice.guy",
            "type":"IDENTITY"
        },
        "customAttribute1":"customValue",
        "customAttribute2":"customValue2"
    }
}
    

Identity Deleted

An identity was deleted from IdentityNow. Note that this does not mean that the user no longer has accounts on any sources, only that their accounts do not correlate to an identity.

Open "Identity Deleted" JSON Sample

{
    "identity":{
        "id":"ee769173319b41d19ccec6cea52f237b",
        "name":"john.doe",
        "type":"IDENTITY"
    },
    "attributes":{
        "firstname":"John",
        "lastname":"Doe",
        "email":"john.doe@gmail.com",
        "department":"Sales",
        "displayName":"John Doe",
        "created":"2020-04-27T16:48:33.597Z",
        "employeeNumber":"E009",
        "uid":"E009",
        "inactive":"true",
        "phone":null,
        "identificationNumber":"E009",
        "isManager":false,
        "manager":{
            "id":"ee769173319b41d19ccec6c235423237b",
            "name":"nice.guy",
            "type":"IDENTITY"
        },
        "customAttribute1":"customValue",
        "customAttribute2":"customValue2"
    }
}
    

Outlier Detected

An outlier was detected using Data Intelligence.

Open "Outlier Detected" JSON Sample

{
    "score":0.9601614,
    "_meta":{
        "triggerType":"FIRE_AND_FORGET",
        "subscriptionId":"e5fa2a32-3f33-436d-bac8-af4c53122eed",
        "invocationId":"b246f3c8-e706-4cfa-9254-360fc6de0ef1"
    },
    "outlierType":"LOW_SIMILARITY",
    "identity":{
        "id":"2c9139527c99d847017cd57f4b586e97",
        "displayName":"Haley Cline",
        "type":"IDENTITY"
    }
}
    

Provisioning Completed

A provisioning action completed on a source.

This trigger only fires if you have the Provisioning service.

Open "Provisioning Completed" JSON Sample

{
    "trackingNumber":"4b4d982dddff4267ab12f0f1e72b5a6d",
    "action":"IdentityRefresh",
    "requester":{
        "id":"2c91808b6ef1d43e016efba0ce470906",
        "name":"Adam Admin",
        "type":"IDENTITY"
    },
    "recipient":{
        "id":"2c91808b6ef1d43e016efba0ce470909",
        "name":"Ed Engineer",
        "type":"IDENTITY"
    },
    "errors":[
        "General Error",
        "Connector AD Failed"
    ],
    "warnings":[
        "Notification Skipped due to invalid email"
    ],
    "sources":"Corp AD, Corp LDAP, Corp Salesforce",
    "accountRequests":[
        {
            "source":{
                "id":"4e4d982dddff4267ab12f0f1e72b5a6d",
                "name":"Corporate Active Directory",
                "type":"SOURCE"
            },
            "accountId":"CN=example,ou=sample,ou=test,dc=ex,dc=com",
            "accountOperation":"Modify",
            "provisioningResult":"SUCCESS",
            "provisioningTarget":"Corp AD",
            "ticketId":"72619262",
            "attributeRequests":[
                {
                    "operation":"Add",
                    "attributeName":"memberOf",
                    "attributeValue":"CN=jedi,DC=starwars,DC=com"
                }
            ]
        }
    ]
}
    

Scheduled Search

A scheduled search completed and results are available.

Open "Scheduled Search" JSON Sample

{
    "fileName":"Modified.zip",
    "ownerEmail":"test@sailpoint.com",
    "ownerName":"Cloud Support",
    "query":"modified:[now-7y/d TO now]",
    "searchName":"Modified Activity",
    "searchResults":{
        "Identity":{
            "count":"2",
            "noun":"identities",
            "preview":[
                [
                    "Display Name",
                    "First Name",
                    "Last Name",
                    "Work Email",
                    "Created",
                    "Lifecycle State"
                ],
                [
                    "Carol Shelby",
                    "Carol",
                    "Shelby",
                    "carol.shelby@sailpoint.com",
                    "2019-11-14T15:56:00.862Z",
                    ""
                ],
                [
                    "Jack Roush",
                    "Jack",
                    "Roush",
                    "jack.rousha@sailpoint.com",
                    "2019-11-14T15:56:00.862Z",
                    ""
                ]
            ]
        },
        "Entitlement":{
            "count":"2",
            "noun":"entitlements",
            "preview":[
                [
                    "Display Name",
                    "Name",
                    "Description",
                    "Source ID",
                    "Source Name",
                    "Attribute",
                    "Value",
                    "Privileged",
                    "Tags"
                ],
                [
                    "Administrator",
                    "Administrator",
                    "Full administrative access to IdentityNow",
                    "2c91808a6e236e33016e6a91f61e3b32",
                    "IdentityNow",
                    "assignedGroups",
                    "ORG_ADMIN",
                    "false",
                    ""
                ],
                [
                    "Auditor",
                    "Auditor",
                    "Auditor access to IdentityNow",
                    "2c91808a6e236e33016e6a91f61e3b32",
                    "IdentityNow",
                    "assignedGroups",
                    "AUDITOR",
                    "false",
                    ""
                ]
            ]
        },
        "Account":{
            "count":"3",
            "noun":"accounts",
            "preview":[
                [
                    "Account Name",
                    "Native Account ID",
                    "Source Name",
                    "Identity Name",
                    "Extended Attributes",
                    "Tags"
                ],
                [
                    "Stacy.Warner",
                    "Stacy.Warner",
                    "House Staff",
                    "Stacy.Warner",
                    "mail=stacy@house.com,teletexTerminalIdentifier=teletexTerminalIdentifier,postalCode=78726,carLicense=[carLicense],telexNumber=telexNumber,employeeNumber=681497,postOfficeBox=postOfficeBox,registeredAddress=registeredAddress,pager=pager,msRTCSIP-UserEnabled=false,mailNickname=mailNickname,LyncPinSet=LyncPinSet,physicalDeliveryOfficeName=abc,sAMAccountName=Stacy.Warner,initials=HH,msNPAllowDialin=msNPAllowDialin,givenName=Stacy,homePhone=512-942-7578,objectClass=[objectClass],destinationIndicator=destinationIndicator,postalAddress=postalAddress,internationaliSDNNumber=internationaliSDNNumber,departmentNumber=Legal,objectSid=objectSid,LyncPinLockedOut=LyncPinLockedOut,pwdLastSet=pwdLastSet,msNPCallingStationID=[msNPCallingStationID],msRADIUSFramedIPAddress=msRADIUSFramedIPAddress,preferredLanguage=preferredLanguage,roomNumber=roomNumber,telephoneNumber=512-942-7578,displayName=Stacy Warner,distinguishedName=DN=Stacy Warner,title=title,seeAlso=seeAlso,uid=uid,secretary=secretary,street=street,objectguid=125,memberOf=[Diagnostics],msExchHideFromAddressLists=false,sn=Warner,department=department,userPrincipalName=userPrincipalName,idNowDescription=391ff9c367aa90a0e1a0c6c174aa1d3dec1d3071148e0e62827858a562397224,st=st,manager=CN=Lisa.Cuddy,ou=[ou],mobile=512-942-7578,primaryGroupDN=primaryGroupDN,cn=Stacy.Warner,facsimileTelephoneNumber=[512-942-7578],l=l,homeMDB=homeMDB,homePostalAddress=11305 Four Points Blvd,SipAddress=SipAddress,o=o,accountFlags=[accountFlags],employeeType=Full Time,preferredDeliveryMethod=preferredDeliveryMethod,primaryGroupID=primaryGroupID,businessCategory=Legal,RegistrarPool=RegistrarPool,msDS-PrincipalName=msDS-PrincipalName,msRADIUSFramedRoute=[msRADIUSFramedRoute],msRADIUSCallbackNumber=msRADIUSCallbackNumber",
                    ""
                ],
                [
                    "Lisa.Cuddy",
                    "Lisa.Cuddy",
                    "House Staff",
                    "Lisa.Cuddy",
                    "mail=james@house.com,teletexTerminalIdentifier=teletexTerminalIdentifier,postalCode=78726,carLicense=[carLicense],telexNumber=telexNumber,employeeNumber=681497,postOfficeBox=postOfficeBox,registeredAddress=registeredAddress,pager=pager,msRTCSIP-UserEnabled=false,mailNickname=mailNickname,LyncPinSet=LyncPinSet,physicalDeliveryOfficeName=abc,sAMAccountName=Lisa.Cuddy,initials=HH,msNPAllowDialin=msNPAllowDialin,givenName=Lisa,homePhone=512-942-7578,objectClass=[objectClass],destinationIndicator=destinationIndicator,postalAddress=postalAddress,internationaliSDNNumber=internationaliSDNNumber,departmentNumber=Administration,objectSid=objectSid,LyncPinLockedOut=LyncPinLockedOut,pwdLastSet=pwdLastSet,msNPCallingStationID=[msNPCallingStationID],msRADIUSFramedIPAddress=msRADIUSFramedIPAddress,preferredLanguage=preferredLanguage,roomNumber=roomNumber,telephoneNumber=512-942-7578,displayName=Lisa Cuddy,distinguishedName=DN=Lisa Cuddy,title=title,seeAlso=seeAlso,uid=uid,secretary=secretary,street=street,objectguid=125,memberOf=[Administration],msExchHideFromAddressLists=false,sn=Cuddy,department=department,userPrincipalName=userPrincipalName,idNowDescription=0fb7bb4cb6c086640ef098f5dd36c5c42500e3a60a116ea936f284a4f70cf45b,st=st,manager=CN=Lisa.Cuddy,ou=[ou],mobile=512-942-7578,primaryGroupDN=primaryGroupDN,cn=Lisa.Cuddy,facsimileTelephoneNumber=[512-942-7578],l=l,homeMDB=homeMDB,homePostalAddress=11305 Four Points Blvd,SipAddress=SipAddress,o=o,accountFlags=[accountFlags],employeeType=Full Time,preferredDeliveryMethod=preferredDeliveryMethod,primaryGroupID=primaryGroupID,businessCategory=Administration,RegistrarPool=RegistrarPool,msDS-PrincipalName=msDS-PrincipalName,msRADIUSFramedRoute=[msRADIUSFramedRoute],msRADIUSCallbackNumber=msRADIUSCallbackNumber",
                    ""
                ],
                [
                    "Robert.Chase",
                    "Robert.Chase",
                    "House Staff",
                    "Robert.Chase",
                    "mail=robert@house.com,teletexTerminalIdentifier=teletexTerminalIdentifier,postalCode=78726,carLicense=[carLicense],telexNumber=telexNumber,employeeNumber=681497,postOfficeBox=postOfficeBox,registeredAddress=registeredAddress,pager=pager,msRTCSIP-UserEnabled=false,mailNickname=mailNickname,LyncPinSet=LyncPinSet,physicalDeliveryOfficeName=abc,sAMAccountName=Robert.Chase,initials=HH,msNPAllowDialin=msNPAllowDialin,givenName=Robert,homePhone=512-942-7578,objectClass=[objectClass],destinationIndicator=destinationIndicator,postalAddress=postalAddress,internationaliSDNNumber=internationaliSDNNumber,departmentNumber=Diagnostics,objectSid=objectSid,LyncPinLockedOut=LyncPinLockedOut,pwdLastSet=pwdLastSet,msNPCallingStationID=[msNPCallingStationID],msRADIUSFramedIPAddress=msRADIUSFramedIPAddress,preferredLanguage=preferredLanguage,roomNumber=roomNumber,telephoneNumber=512-942-7578,displayName=Robert Chase,distinguishedName=DN=Robert Chase,title=title,seeAlso=seeAlso,uid=uid,secretary=secretary,street=street,objectguid=125,memberOf=[Diagnostics],msExchHideFromAddressLists=false,sn=Chase,department=department,userPrincipalName=userPrincipalName,idNowDescription=820ff29573b916d9630205e4cae9a21061284a2866981433c9ef012f644ea326,st=st,manager=CN=Greg.House,ou=[ou],mobile=512-942-7578,primaryGroupDN=primaryGroupDN,cn=Robert.Chase,facsimileTelephoneNumber=[512-942-7578],l=l,homeMDB=homeMDB,homePostalAddress=11305 Four Points Blvd,SipAddress=SipAddress,o=o,accountFlags=[accountFlags],employeeType=Full Time,preferredDeliveryMethod=preferredDeliveryMethod,primaryGroupID=primaryGroupID,businessCategory=Diagnostics,RegistrarPool=RegistrarPool,msDS-PrincipalName=msDS-PrincipalName,msRADIUSFramedRoute=[msRADIUSFramedRoute],msRADIUSCallbackNumber=msRADIUSCallbackNumber",
                    ""
                ]
            ]
        }
    },
    "signedS3Url":"https://sptcbu-org-data-useast1.s3.amazonaws.com/arsenal-john/reports/Events%20Export.2020-05-06%2018%2759%20GMT.3e580592-86e4-4953-8aea-49e6ef20a086.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20200506T185919Z&X-Amz-SignedHeaders=host&X-Amz-Expires=899&X-Amz-Credential=AKIAV5E54XOGTS4Q4L7A%2F20200506%2Fus-east-1%2Fs3%2Raws4_request&X-Amz-Signature=2e753bb97a12a1fd8a215613e3b82fcdae8ba1fb6a25916843ab5m51d2ddefbc"
}
    

Scheduled Trigger

A scheduled trigger was initiated based on the configured CRON schedule.

To use a scheduled trigger, complete the following fields:

Field | Required? | Description
CRON Interval | Yes | The CRON expression to represent the time between runs.

The input for the scheduled trigger is a CRON expression and isn't represented in JSON.


Source Account Created

A new account was detected during an account aggregation.

Open "Source Account Created" JSON Sample

{
    "uuid":"b7264868-7201-415f-9118-b581d431c688",
    "id":"ee769173319b41d19ccec35ba52f237b",
    "nativeIdentifier":"",
    "sourceId":"jlasdferquwoep452343214v",
    "sourceName":"Active Directory",
    "identityId":"132rfvwfr14353yas56213l",
    "identityName":"john.doe",
    "attributes":{
        "firstname":"John",
        "lastname":"Doe",
        "email":"john.doe@gmail.com",
        "department":"Sales",
        "displayName":"John Doe",
        "created":"2020-04-27T16:48:33.597Z",
        "employeeNumber":"E009",
        "uid":"E009",
        "inactive":"true",
        "phone":"512-555-1234",
        "manager":"jane.doe",
        "identificationNumber":"E009"
    }
}
    

Source Account Deleted

An account was removed from a source, and this deletion was detected during an account aggregation.

Open "Source Account Deleted" JSON Sample

{
    "uuid":"b7264868-7201-415f-9118-b581d431c688",
    "id":"ee769173319b41d19ccec35ba52f237b",
    "nativeIdentifier":"",
    "sourceId":"jlasdferquwoep452343214v",
    "sourceName":"Active Directory",
    "identityId":"132rfvwfr14353yas56213l",
    "identityName":"john.doe",
    "attributes":{
        "firstname":"John",
        "lastname":"Doe",
        "email":"john.doe@gmail.com",
        "department":"Sales",
        "displayName":"John Doe",
        "created":"2020-04-27T16:48:33.597Z",
        "employeeNumber":"E009",
        "uid":"E009",
        "inactive":"true",
        "phone":"512-555-1234",
        "manager":"jane.doe",
        "identificationNumber":"E009"
    }
}
    

Source Account Updated

One or more account attribute changes were detected during an account aggregation.

Open "Source Account Updated" JSON Sample

{
    "uuid":"b7264868-7201-415f-9118-b581d431c688",
    "id":"ee769173319b41d19ccec35ba52f237b",
    "nativeIdentifier":"",
    "sourceId":"jlasdferquwoep452343214v",
    "sourceName":"Active Directory",
    "identityId":"132rfvwfr14353yas56213l",
    "identityName":"john.doe",
    "attributes":{
        "firstname":"John",
        "lastname":"Doe",
        "email":"john.doe@gmail.com",
        "department":"Sales",
        "displayName":"John Doe",
        "created":"2020-04-27T16:48:33.597Z",
        "employeeNumber":"E009",
        "uid":"E009",
        "inactive":"true",
        "phone":"512-555-1234",
        "manager":"jane.doe",
        "identificationNumber":"E009"
    }
}
    

Source Created

A new source was successfully created.

Open "Source Created" JSON Sample

{
    "id":"2c9180866166b5b0016167c32ef31a66",
    "name":"Test source",
    "type":"DIRECT_CONNECT",
    "created":"2021-03-29T22:01:50.474Z",
    "connector":"active-directory",
    "actor":{
        "id":"ee769173319b41d19ccec6cea52f237b",
        "name":"john.doe",
        "type":"IDENTITY"
    }
}
    

Source Deleted

A source was successfully deleted.

Open "Source Deleted" JSON Sample

{
    "id":"2c9180866166b5b0016167c32ef31a66",
    "name":"Test source",
    "type":"DIRECT_CONNECT",
    "deleted":"2021-03-29T22:01:50.474Z",
    "connector":"active-directory",
    "actor":{
        "id":"ee769173319b41d19ccec6cea52f237b",
        "name":"john.doe",
        "type":"IDENTITY"
    }
}
    

Source Updated

Configuration changes were successfully made to a source.

Open "Source Updated" JSON Sample

{
    "id":"2c9180866166b5b0016167c32ef31a66",
    "name":"Test source",
    "type":"DIRECT_CONNECT",
    "modified":"2021-03-29T22:01:50.474Z",
    "connector":"active-directory",
    "actor":{
        "id":"ee769173319b41d19ccec6cea52f237b",
        "name":"john.doe",
        "type":"IDENTITY"
    }
}
    

VA Cluster Status Change Event

A virtual appliance cluster changed status.

Open "VA Cluster Status Change Event" JSON Sample

{
    "created":"2020-06-29T22:01:50.474Z",
    "type":"Source",
    "application":{
        "id":"2c9180866166b5b0016167c32ef31a66",
        "name":"Production VA Cluster",
        "attributes":{
            "clusterId":"2c9180866166b5b0016167c32ef31a66"
        }
    },
    "healthCheckResult":{
        "status":"Failed",
        "resultType":"SOURCE_STATE_FAILURE_SOURCE",
        "message":" Test Connection failed with exception.  Error message - java.lang.Exception"
    },
    "previousHealthCheckResult":{
        "status":"Failed",
        "resultType":"SOURCE_STATE_HEALTHY",
        "message":"Source is healthy."
    }
}
    

Actions

Each action receives input from the data flow and performs an action in IdentityNow. The values you enter in the fields for each action help determine what is done and how. The result of each action, in JSON format, is added to the workflow's data flow.

The value for each field must be either a variable from a previous step or a static, fixed value. Select which format you'll be using for each field before entering the value and saving your workflow.

There are some fields that you will see in every action:

  • Name - The name of the action. This must be unique within the workflow you create, so that it can be used in Next steps and conditional logic. With the workflow builder, this name is automatically generated based on the action type.
  • Description - This is an optional field to allow you to record details about this action and its importance or intent in this workflow.

Each action is allowed a period of time before it times out. If an action times out, the workflow fails.

Below, you can find a list of all actions currently available for workflows, as well as the unique fields and timeout period for each action. If a particular action adds any JSON to the workflow, a sample of that JSON is available.


Activate Certification Campaign

Activates the certification campaign with the selected ID.

Field | Required? | Description
Campaign ID | Yes | The ID of the campaign to activate.

If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 2 hours to complete.


Approve Access Request

Approves an access request with the selected ID and leaves a comment.

Field | Required? | Description
Access Request ID | Yes | The ID of the access request to approve.
Comment | Yes | Provide a comment to leave on the access request's approval.

If you add this action to your workflow and you don't have the Access Request service, your workflow will fail. This step will time out if it takes longer than 90 seconds to complete.


Create Certification Campaign

Creates a new certification campaign. The campaign must be activated separately.

Field Description
Campaign Name The name of the campaign.
Campaign Description A description of the campaign.
Reviewer Type The type of reviewer to use for this campaign. If you select Manager, a certification is created for all identities in your site and each identity's manager will review their access. You can also choose Source Owner to certify all access for one or more sources. If you choose Individual or Governance Group, you can select a specific identity or group to review the access of one or more identities or access items.
Campaign Duration The length of time the certification campaign should run. Choose a time period and then a unit.
AI Recommendations Choose whether or not to include recommendations from the Access Recommendations service in this campaign. If you don't have this service, this field is disabled.
Email Notifications Choose whether or not to send reminder emails associated with the campaign.
Start Campaign when Created Choose whether or not to activate the campaign once it's created. If you disable this option, you must activate the campaign separately.
Undecided Access Items Choose whether to maintain or automatically revoke undecided access items when the campaign ends.
If you selected Source Owner under Reviewer Type:
Source IDs Enter the IDs of all sources to include in the campaign. A single ID can be represented as a string. If including multiple IDs, enclose them in brackets and separate them with spaces. For example, [ID1 ID2 ID3]
If you selected Individual under Reviewer Type:
Reviewer Identity Select the identity that should be responsible for reviewing this certification.
Certification Type Choose whether to use an identity certification to certify the access of one or more identities, or to use an access certification to certify whether each identity that has specific access items should have that access.
If you selected Access Certification in Certification Type under Individual:
Access Type Choose the type of access to be included in this campaign.
Access Filter Choose whether to certify all access of the selected type or only specific access items. If you choose specific access items, use the Access Filter field to choose the IDs of access. You can also enter the ID values manually in a JSON array using this format: ["id1", "id2", "id3"]
If you selected Identity Certification in Certification Type under Individual:
Identities to Certify Select the identities to certify in the campaign.
If you selected Governance Group under Reviewer Type:
Governance Group Select a governance group to review this campaign.
Certification Type Choose whether to use an identity certification to certify the access of one or more identities, or to use an access certification to certify whether each identity that has specific access items should have that access.
If you selected Access Certification in Certification Type under Governance Group:
Access Type Choose the type of access to be included in this campaign.
Access Filter Choose whether to certify all access of the selected type or only specific access items. If you choose specific access items, use the Access Filter field to choose the IDs of access. You can also enter the ID values manually in a JSON array using this format: ["id1", "id2", "id3"]
If you selected Identity Certification in Certification Type under Governance Group:
Identities to Certify Select the identities to certify in the campaign.

If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 36 hours to complete.

This action returns a JSON blob when it completes successfully.

Open "Create Certification Campaign" JSON Sample

{
    "id":"2c918086719eec070171a7e3355a360a",
    "name":"Manager Review",
    "description":"A review of everyone's access by their manager.",
    "deadline":"2020-12-25T06:00:00.123Z",
    "type":"MANAGER",
    "status":"ACTIVE",
    "emailNotificationEnabled":false,
    "autoRevokeAllowed":false,
    "recommendationsEnabled":false,
    "filter":{
       "type":"CAMPAIGN_FILTER",
       "id":"e0adaae69852e8fe8b8a3d48e5ce757c"
    }
}
    

Create Request for Access

Submits an access request for the selected list of users.

The Create Request for Access step has been replaced by the Manage Access step. To create an access request in a workflow, use the Manage Access step and select Add Access.

This step will time out if it takes longer than 90 seconds to complete.


Deny Access Request

Denies an access request by ID and leaves a comment.

Field Required? Description
Access Request ID Yes The ID of the access request to deny.
Comment Yes Provide a comment to leave on the access request's denial.

If you add this action to your workflow and you don't have the Access Request service, your workflow will fail. This step will time out if it takes longer than 90 seconds to complete.


Disable Account

Disables an account on a source by its technical ID.

The Disable Account step has been replaced by the Manage Accounts step. To disable an account in a workflow, use the Manage Accounts step and select Disable Accounts.

This step will time out if it takes longer than 2 minutes to complete.

This action returns a JSON blob when it completes successfully.

Open "Disable Account" JSON Sample

{
    "id":"2c91803654683da6017468123c260195"
}
    

Enable Account

Enables an account on a source by its technical ID.

The Enable Account step has been replaced by the Manage Accounts step. To enable an account in a workflow, use the Manage Accounts step and select Enable Accounts.

This step will time out if it takes longer than 2 minutes to complete.

This action returns a JSON blob when it completes successfully.

Open "Enable Account" JSON Sample

{
    "id":"2c91803654683da6017468123c260195"
}
    

Get Access

Gets a set of access items held by a selected identity or found through a search query. This step returns a maximum of 250 access items and is often used in conjunction with the Manage Access step.

Field Description
Access Selection Method Select how to determine the access that will be returned. Options are By Identity and By Search Query.
If you select By Identity:
By Identity Select an identity from the dropdown list, or use Choose Variable to select an identity from the input.
If you select By Search Query:
By Search Query Enter a search query to return specific access.

Underneath these fields, you select the checkbox beside the types of access you want to return. The options are access profiles, roles, and entitlements.

This step will time out if it takes longer than 1 minute to complete.

This action returns a JSON blob when it completes successfully. The sample JSON blob below includes an entitlement, a role, and an access profile. This is the format that the Manage Access step expects.

Open "Get Access" JSON Sample

{
    "accessItems":[
        {
            "id":"2c9180847fdd00e1017ff5afb9c31f4e",
            "name":"CN=AD Access,OU=pod-name,DC=Test",
            "type":"entitlement"
        },
        {
            "id":"2c9180867ff523f4017ff5b17ff500af",
            "name":"Sales Role",
            "type":"role"
        },
        {
            "id":"2c9180887ff4d87e017ff5b1192b010e",
            "name":"Access to AD",
            "type":"accessprofile"
        }
    ]
}
    

Get Access Request Recommendations

Gets a list of the recommended access requests for the specified user.

Field Required? Description
Get Access Request Recommendations Yes The ID of the identity for whom to retrieve access request recommendations.

If you add this action to your workflow and you don't have the Access Request and Recommendations AI services, your workflow will fail.

This step will time out if it takes longer than 90 seconds to complete.

This action returns a JSON blob when it completes successfully.

Open "Get Access Request Recommendation" JSON Sample

{
    "response":[
        {
            "request":{
                "identityId":"2c91803654683da6017468123c260195",
                "item":{
                    "id":"2c938083633d259901633d2623ec0375",
                    "type":"ENTITLEMENT"
                }
            },
            "recommendation":"YES",
            "interpretations":[
                "75% of identities with the same department have this access. This information had a high impact on the overall score.",
                "67% of identities with the same peer group have this access. This information had a low impact on the overall score.",
                "42% of identities with the same location have this access. This information had a low impact on the overall score."
            ],
            "translationMessages":[
                {
                    "key":"recommender-api.V2_WEIGHT_FEATURE_PRODUCT_INTERPRETATION_HIGH",
                    "values":[
                        "75",
                        "department"
                    ]
                }
            ],
            "recommenderCalculations":{
                "identityId":"2c91808457d8f3ab0157e3e62cb4213c",
                "entitlementId":"2c91809050db617d0150e0bf3215385e",
                "recommendation":"YES",
                "overallWeightedScore":0,
                "featureWeightedScores":{
                    "property1":0,
                    "property2":0
                },
                "threshold":0,
                "identityAttributes":{
                    "property1":{
                        "value":"string"
                    },
                    "property2":{
                        "value":"string"
                    }
                },
                "featureValues":{
                    "feature":"department",
                    "numerator":0,
                    "denominator":0
                }
            }
        }
    ]
}
    

Get Accounts

Gets one or more source accounts. This step returns a maximum of 250 accounts and is often used in conjunction with Manage Accounts.

Field Description
Account Selection Method Select By Identity to choose an identity and return its accounts. Select By Account Data to filter the accounts returned by details about the accounts.
If you selected By Identity:
Accounts By Identity Select an identity using the dropdown list or use Choose Variable to select the technical ID of an identity from the input. All accounts of the selected identity will be returned.
If you selected By Account Data:
Account Details Select an option to return accounts using details related to the account. Options include the Technical ID of the account, the technical Identity ID, the Account Name, the native Account ID, the Source ID, and the Uncorrelated status.
Operator How to compare the value of the selected account detail with the Value field below. At this time, the valid option is Equals.
Value Enter a value to compare with the selected account detail. Accounts that match your requirements are returned.

This step will time out if it takes longer than 1 minute to complete.

This action returns a JSON blob when it completes successfully.

Open "Get Accounts" JSON Sample

{
    "accounts":[
        {
            "id":"id12345",
            "name":"aName",
            "created":"2019-08-24T14:15:22Z",
            "modified":"2019-08-24T14:15:22Z",
            "sourceId":"2c9180835d2e5168015d32f890ca1581",
            "identityId":"2c9180835d2e5168015d32f890ca1581",
            "attributes":{

            },
            "authoritative":true,
            "description":"string",
            "disabled":true,
            "locked":true,
            "nativeIdentity":"string",
            "systemAccount":true,
            "uncorrelated":true,
            "uuid":"string",
            "manuallyCorrelated":true,
            "hasEntitlements":true
        }
    ]
}
    

Get Certification Campaign

Gets data about the specified certification campaign.

Field Required? Description
Campaign ID Yes The ID of the campaign to get.

If you add this action to your workflow and you don't have the Certifications service, your workflow will fail. This step will time out if it takes longer than 1 minute to complete.

This action returns a JSON blob when it completes successfully.

Open "Get Certification Campaign" JSON Sample

{
    "id":"2c918086719eec070171a7e3355a360a",
    "name":"Manager Review",
    "description":"A review of everyone's access by their manager.",
    "deadline":"2020-12-25T06:00:00.123Z",
    "type":"MANAGER",
    "status":"ACTIVE",
    "emailNotificationEnabled":false,
    "autoRevokeAllowed":false,
    "recommendationsEnabled":false
}
    

Get Identities

Gets data about a list of one or more identities, including all their default and custom attributes.

You can choose how to find the identities you want to manage. Additional fields will be displayed based on your choice.

In the Find Identities By field, choose an option. Additional fields appear when you select how to return identities.

Field Description
Search Query Enter a search query to return one or more identities.
Saved Search Choose a saved search from the dropdown list.
Tag Find identities that have a specific tag.
Managers Select one or more managers. All of the identities that report to one of those managers will be returned.
Direct Reports Select one or more identities. All of the managers of those identities will be returned.

This step will time out if it takes longer than 1 minute to complete.

This action returns a JSON blob when it completes successfully.

Open "Get Identities" JSON Sample

{
    "identities":[
        {
            "id":"2c9180865c45e7e3015c46c434a80622",
            "name":"ad.admin",
            "_type":"identity",
            "firstName":"AD",
            "lastName":"Admin",
            "displayName":"AD Admin",
            "email":"SLPT.CLOUD.SAILPOINT.TEST+AD-ADMIN@GMAIL.COM",
            "created":"2018-08-22T19:54:54.302Z",
            "modified":"2018-08-22T19:54:54.302Z",
            "synced":"2018-08-22T19:54:54.302Z",
            "phone":"512-942-7578",
            "inactive":false,
            "protected":false,
            "status":"UNREGISTERED",
            "employeeNumber":"O349804",
            "manager":null,
            "isManager":false,
            "identityProfile":{
                "id":"2c918085605c8d0601606f357cb231e6",
                "name":"E2E AD"
            },
            "source":{
                "id":"2c9180855c45b230015c46c19b9c0202",
                "name":"EndToEnd-ADSource"
            },
            "attributes":{
                "uid":"ad.admin",
                "firstname":"AD",
                "cloudAuthoritativeSource":"2c9180855c45b230015c46c19b9c0202",
                "cloudStatus":"UNREGISTERED",
                "iplanet-am-user-alias-list":null,
                "displayName":"AD Admin",
                "internalCloudStatus":"UNREGISTERED",
                "workPhone":"512-942-7578",
                "email":"SLPT.CLOUD.SAILPOINT.TEST+AD-ADMIN@GMAIL.COM",
                "lastname":"Admin"
            },
            "processingState":null,
            "processingDetails":null,
            "accounts":[
                {
                    "id":"2c9180865c45e7e3015c46c434a80623",
                    "name":"ad.admin",
                    "accountId":"CN=AD Admin,OU=slpt-automation,DC=TestAutomationAD,DC=local",
                    "source":{
                        "id":"2c9180855c45b230015c46c19b9c0202",
                        "name":"EndToEnd-ADSource",
                        "type":"Active Directory - Direct"
                    },
                    "disabled":false,
                    "locked":false,
                    "privileged":false,
                    "manuallyCorrelated":false,
                    "passwordLastSet":"2018-08-22T19:54:54.302Z",
                    "entitlementAttributes":{
                        "memberOf":[
                            "CN=Group Policy Creator Owners,CN=Users,DC=TestAutomationAD,DC=local",
                            "CN=Domain Guests,CN=Users,DC=TestAutomationAD,DC=local",
                            "CN=Domain Admins,CN=Users,DC=TestAutomationAD,DC=local",
                            "CN=Enterprise Admins,CN=Users,DC=TestAutomationAD,DC=local",
                            "CN=Schema Admins,CN=Users,DC=TestAutomationAD,DC=local",
                            "CN=Guests,CN=Builtin,DC=TestAutomationAD,DC=local",
                            "CN=Administrators,CN=Builtin,DC=TestAutomationAD,DC=local"
                        ]
                    },
                    "created":"2018-08-22T19:54:54.302Z"
                },
                {
                    "id":"2c918083606d670c01606f35a30a0349",
                    "name":"ad.admin",
                    "accountId":"ad.admin",
                    "source":{
                        "id":"ff8081815c46b85b015c46b90c7c02a6",
                        "name":"IdentityNow",
                        "type":"IdentityNowConnector"
                    },
                    "disabled":false,
                    "locked":false,
                    "privileged":false,
                    "manuallyCorrelated":false,
                    "passwordLastSet":null,
                    "entitlementAttributes":null,
                    "created":"2018-08-22T19:54:54.302Z"
                }
            ],
            "accountCount":2,
            "apps":[
                {
                    "id":"22751",
                    "name":"ADP Workforce Now",
                    "source":{
                        "id":"2c9180855c45b230015c46e2f6a8026a",
                        "name":"Corporate Active Directory"
                    },
                    "account":{
                        "id":"2c9180865c45efa4015c470be0de1606",
                        "accountId":"CN=Bob Wilson,OU=Austin,OU=Americas,OU=Demo,DC=seri,DC=acme,DC=com"
                    }
                }
            ],
            "appCount":1,
            "access":[
                {
                    "id":"2c918083634bc6cb01639808d40270ba",
                    "name":"test [AccessProfile-1527264105448]",
                    "displayName":"test",
                    "type":"ACCESS_PROFILE",
                    "description":"test",
                    "source":{
                        "id":"2c9180855c45b230015c46c19b9c0202",
                        "name":"EndToEnd-ADSource"
                    },
                    "owner":{
                        "id":"2c9180865c45e7e3015c46c434a80622",
                        "name":"ad.admin",
                        "displayName":"AD Admin"
                    }
                },
                {
                    "id":"2c9180865c45e7e3015c46c457c50755",
                    "name":"Administrators",
                    "displayName":"Administrators",
                    "type":"ENTITLEMENT",
                    "description":null,
                    "source":{
                        "id":"2c9180855c45b230015c46c19b9c0202",
                        "name":"EndToEnd-ADSource"
                    },
                    "privileged":false,
                    "attribute":"memberOf",
                    "value":"CN=Administrators,CN=Builtin,DC=TestAutomationAD,DC=local",
                    "standalone":false
                },
                {
                    "id":"2c9180865decdaa5015e06598b293108",
                    "name":"test [cloudRole-1503345085223]",
                    "displayName":"test",
                    "type":"ROLE",
                    "description":"test",
                    "owner":{
                        "id":"2c9180865c45e7e3015c46c5030707a0",
                        "name":"will.albin",
                        "displayName":"Albin Will"
                    },
                    "disabled":false
                }
            ],
            "accessCount":3,
            "accessProfileCount":1,
            "entitlementCount":1,
            "roleCount":1,
            "tags":[
                "TAG_1",
                "TAG_2"
            ]
        }
    ]
}
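
An added example, not part of the product documentation: a Python check over the Get Identities output that reports accounts whose entitlementAttributes.memberOf lists a built-in Active Directory administrative group while the account's privileged flag is false, as in the sample above. The group list and the function names are assumptions, and the embedded input is a constructed excerpt of that sample.

```python
import json

# Assumption: built-in AD groups this check treats as administrative.
PRIVILEGED_GROUP_CNS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# Constructed excerpt of the "Get Identities" sample (two accounts of one identity).
SAMPLE_OUTPUT = json.loads(r"""
{"identities": [{
  "name": "ad.admin",
  "accounts": [
    {"id": "2c9180865c45e7e3015c46c434a80623",
     "source": {"name": "EndToEnd-ADSource"},
     "privileged": false,
     "entitlementAttributes": {"memberOf": [
       "CN=Domain Guests,CN=Users,DC=TestAutomationAD,DC=local",
       "CN=Domain Admins,CN=Users,DC=TestAutomationAD,DC=local",
       "CN=Enterprise Admins,CN=Users,DC=TestAutomationAD,DC=local",
       "CN=Schema Admins,CN=Users,DC=TestAutomationAD,DC=local",
       "CN=Administrators,CN=Builtin,DC=TestAutomationAD,DC=local"]}},
    {"id": "2c918083606d670c01606f35a30a0349",
     "source": {"name": "IdentityNow"},
     "privileged": false,
     "entitlementAttributes": null}
  ]}]}
""")


def first_rdn_cn(dn):
    """Return the lowercased CN value of a DN's first RDN, or None if it is not a CN.

    Handles backslash-escaped characters such as "\\,"; hex escapes are not decoded.
    """
    rdn, escaped = [], False
    for ch in dn:
        if escaped:
            rdn.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            break
        else:
            rdn.append(ch)
    key, sep, value = "".join(rdn).partition("=")
    if not sep or key.strip().lower() != "cn":
        return None
    return value.strip().lower()


def find_unflagged_privileged_accounts(payload):
    """List accounts in administrative groups whose 'privileged' flag is not true."""
    findings = []
    for identity in payload.get("identities") or []:
        for account in identity.get("accounts") or []:
            attrs = account.get("entitlementAttributes") or {}  # may be null
            member_of = attrs.get("memberOf") or []
            if isinstance(member_of, str):  # tolerate a single value
                member_of = [member_of]
            cns = {first_rdn_cn(dn) for dn in member_of if isinstance(dn, str)}
            hits = sorted(cns & PRIVILEGED_GROUP_CNS)
            if hits and account.get("privileged") is not True:
                findings.append({
                    "identity": identity.get("name"),
                    "accountId": account.get("id"),
                    "source": (account.get("source") or {}).get("name"),
                    "groups": hits,
                })
    return findings


if __name__ == "__main__":
    for finding in find_unflagged_privileged_accounts(SAMPLE_OUTPUT):
        print(finding)
```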
    

Get Identity

Gets data about a single identity, including all of their default and custom attributes.

Field Required? Description
Identity ID Yes The technical ID of the identity to get.

This step will time out if it takes longer than 1 minute to complete.

This action returns a JSON blob when it completes successfully.

Open "Get Identity" JSON Sample

{
   "alias":"Abigail.5fd9918291",
   "attributes":{
      "cloudAuthoritativeSource":"2c91808a7e78ccef017e7901d4260195",
      "cloudStatus":"ACTIVE",
      "displayName":"Abigail 5fd9918291",
      "email":"Abigail.5fd9918291@testmail.identitysoon.com",
      "firstname":"Abigail",
      "internalCloudStatus":"ACTIVE",
      "lastSyncDate":"9fc13da4c7e4b960237b21949876ea8d3f3fc19c66b5e9b62dcccaa819db050e",
      "lastname":"5fd9918291",
      "personalEmail":"mail@example.com",
      "phone":"+1 416-797-0381",
      "uid":"Abigail.5fd9918291",
      "visibleSegments":[
         "85030dab-d253-43eb-95c6-b6023e8c127a"
      ],
      "workPhone":"512-942-7578"
   },
   "created":"2022-01-20T19:42:00.982Z",
   "emailAddress":"Abigail.5fd9918291@testmail.identitysoon.com",
   "id":"2c91808a7e78aabb017e79029b160461",
   "identityStatus":"ACTIVE",
   "isManager":false,
   "lastRefresh":"2022-06-19T16:40:55.055Z",
   "managerRef":{
      "id":"2c91808c7e78aabd017e79029cb9045e",
      "name":"Herbert 2ca592eefa",
      "type":"IDENTITY"
   },
   "modified":"2022-08-09T01:06:10.872Z",
   "name":"Abigail 5fd9918291",
   "processingState":null
}
    

Get Identity Attributes

Gets a list of the custom identity attributes in your site and details about the last identity to update any of them.

This action is being deprecated.

Get Identity History

Gets the audit events related to access changes for a specific identity.

Field Description
Identity Select an identity, or enter a JSONPath expression to select the technical ID of an identity. Audit events from the selected identity will be returned.
From Optionally choose a date to return events only on or after that date.
Event Type Optionally enter the type of event to return. These are: AccessItemAssociated, AccessItemRemoved, AttributesChanged, AccessRequested, IdentityCertified, and AccountStatusChanged.

[
    {
        "accessItem":{
            "accessType":"accessProfile",
            "appRefs":[
                {
                    "cloudAppId":"4596769",
                    "cloudAppName":"Access Request App"
                }
            ],
            "description":"Access to entitlement AD Access request",
            "displayName":"Access to entitlement AD Access request",
            "entitlementCount":1,
            "id":"2c9180887ff4d87e017ff5b1192b010e",
            "sourceId":"2c9180857fef847b017ff5aefb7f1723",
            "sourceName":"ODS-AD-Source"
        },
        "accessItemType":"accessProfile",
        "dateTime":"2022-04-04T17:48:47.356Z",
        "dt":"2022-04-04T17:48:47.356Z",
        "eventType":"AccessItemAssociated",
        "governanceEvent":null,
        "identityId":"2c9180827fed4bf5017ff5afb9842b57"
    },
    {
        "accessItem":{
            "accessType":"app",
            "displayName":"Access Request App",
            "id":"4596769",
            "sourceName":null
        },
        "accessItemType":"app",
        "dateTime":"2022-04-04T17:48:47.356Z",
        "dt":"2022-04-04T17:48:47.356Z",
        "eventType":"AccessItemAssociated",
        "governanceEvent":null,
        "identityId":"2c9180827fed4bf5017ff5afb9842b57"
    }
]

This step will time out if it takes longer than 1 minute to complete.


Get Pending Access Requests

Gets up to 250 pending access requests.

Field Description
Reviewer Select a reviewer. All access requests that list that identity as one of their reviewers will be returned.
Filter Results Optionally apply additional filters using the Standard Collection Parameters.

This step will time out if it takes longer than 1 minute to complete.


[
    {
        "id":"id12345",
        "name":"aName",
        "created":"2017-07-11T18:45:37.098Z",
        "modified":"2018-07-25T20:22:28.104Z",
        "requestCreated":"2017-07-11T18:45:35.098Z",
        "requestType":"GRANT_ACCESS",
        "requester":{
            "type":"IDENTITY",
            "id":"2c91808568c529c60168cca6f90c1313",
            "name":"William Wilson"
        },
        "requestedFor":{
            "type":"IDENTITY",
            "id":"2c91808568c529c60168cca6f90c1313",
            "name":"William Wilson"
        },
        "owner":{
            "type":"IDENTITY",
            "id":"2c91808568c529c60168cca6f90c1313",
            "name":"William Wilson"
        },
        "requestedObject":{
            "id":"2c9180835d2e5168015d32f890ca1581",
            "name":"Applied Research Access",
            "description":"Access to research information, lab results, and schematics",
            "type":"ROLE"
        },
        "requesterComment":{
            "comment":"Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat",
            "author":{
                "type":"IDENTITY",
                "id":"2c91808568c529c60168cca6f90c1313",
                "name":"Adam Kennedy"
            },
            "created":"2017-07-11T18:45:37.098Z"
        },
        "previousReviewersComments":[
            {
                "comment":"Et quam massa maximus vivamus nisi ut urna tincidunt metus elementum erat",
                "author":{
                    "type":"IDENTITY",
                    "id":"2c91808568c529c60168cca6f90c1313",
                    "name":"Adam Kennedy"
                },
                "created":"2017-07-11T18:45:37.098Z"
            }
        ],
        "forwardHistory":[
            {
                "oldApproverName":"frank.mir",
                "newApproverName":"al.volta",
                "comment":"Fusce id orci vel consectetur amet ipsum quam.",
                "modified":"2019-08-23T18:52:57.398Z"
            }
        ],
        "commentRequiredWhenRejected":true,
        "actionInProcess":"APPROVED",
        "removeDate":"2020-07-11T00:00:00Z",
        "removeDateUpdateRequested":true,
        "currentRemoveDate":"2020-07-11T00:00:00Z",
        "sodViolationContext":{
            "state":"SUCCESS",
            "uuid":"f73d16e9-a038-46c5-b217-1246e15fdbdd",
            "violationCheckResult":{
                "message":{
                    "locale":"en-US",
                    "localeOrigin":"DEFAULT",
                    "text":"The request was syntactically correct but its content is semantically invalid."
                },
                "clientMetadata":{
                    "requestedAppName":"test-app",
                    "requestedAppId":"2c91808f7892918f0178b78da4a305a1"
                },
                "violationContexts":[
                    {
                        "policy":{
                            "type":"IDENTITY",
                            "id":"2c91808568c529c60168cca6f90c1313",
                            "name":"William Wilson"
                        },
                        "conflictingAccessCriteria":{
                            "leftCriteria":{
                                "criteriaList":[
                                    {

                                    }
                                ]
                            },
                            "rightCriteria":{
                                "criteriaList":[
                                    {

                                    }
                                ]
                            }
                        }
                    }
                ],
                "violatedPolicies":[
                    {
                        "type":"IDENTITY",
                        "id":"2c91808568c529c60168cca6f90c1313",
                        "name":"William Wilson"
                    }
                ]
            }
        }
    }
]


HTTP Request

Makes an HTTP request to an external system. If the external system provides a response, it must be in JSON format.

This step will time out if it takes longer than 90 seconds to complete.

Field Description
Authentication Type The type of authentication to use. The options for this field are Basic Authentication, Custom Authorization, and OAuth 2.0 - Client Credentials Grant.
If you selected Basic Authentication:
User Name The user name authorized to access the HTTP service.
Password The password corresponding to the user name.
Method The HTTP method to use. The options are POST, GET, PUT, PATCH, and DELETE.
Request URL The URL of the service endpoint.
Query Parameters The parameters appended to the URL.
Request Headers The headers required by the service endpoint.
If you selected Custom Authorization:
Header Name The name or key required by the HTTP service.
Header Value The value required by the HTTP service.
Request URL The URL of the service endpoint.
Query Parameters The parameters appended to the URL.
Method The HTTP method to use. The options are POST, GET, PUT, PATCH, and DELETE.
If you selected OAuth 2.0 - Client Credentials Grant:
Token URL The URL to retrieve the token.
Client ID The client ID, similar to a user name.
Client Secret The client secret, similar to a password.
Credential Location Whether to include the credentials in the header or the body of the request. This is determined by the requirements of the external system being called. If the credentials are in the incorrect part of the request, the workflow might return a 401 error.
Scope The scope parameters required by some third-party systems. To include multiple scope values in a single parameter, separate values with spaces. To include multiple scope values in multiple parameters, separate values with new lines.
Request URL The URL of the service endpoint.
Query Parameters The parameters appended to the URL.
Request Headers The headers required by the service endpoint.
If you selected POST, PUT, or PATCH in the Method field of any of the above options:
Request Content Type The type of content to include in the request body. The options are CSV, Form, JSON, and plain text.
Request Body The body of your request in the format you specified.
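
An added example, not the product's own code: how the two Credential Location choices change an OAuth 2.0 client credentials token request, built here as described in RFC 6749 without sending anything. The function names, the token URL, and the client values are constructed for illustration.

```python
import base64
from urllib.parse import parse_qsl, quote_plus, urlencode, urlsplit


def build_token_request(token_url, client_id, client_secret, scopes=(), location="header"):
    """Return the token request (not sent) for the client credentials grant.

    location="header": credentials go in an HTTP Basic Authorization header.
    location="body":   credentials go in the form-encoded request body.
    """
    if urlsplit(token_url).scheme != "https":
        raise ValueError("token URL must use https: the request carries the client secret")
    if location not in ("header", "body"):
        raise ValueError("location must be 'header' or 'body'")

    form = {"grant_type": "client_credentials"}
    if scopes:
        # Multiple scope values in a single parameter are separated by spaces.
        form["scope"] = " ".join(scopes)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if location == "header":
        # RFC 6749 section 2.3.1: form-encode the ID and secret before Basic encoding.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        form["client_id"] = client_id
        form["client_secret"] = client_secret

    return {"method": "POST", "url": token_url, "headers": headers, "body": urlencode(form)}


def redacted(request):
    """Return a copy of the request that is safe to write to a log."""
    headers = dict(request["headers"])
    if "Authorization" in headers:
        headers["Authorization"] = "Basic [REDACTED]"
    fields = [(k, "[REDACTED]" if k == "client_secret" else v)
              for k, v in parse_qsl(request["body"])]
    return {**request, "headers": headers, "body": urlencode(fields)}


if __name__ == "__main__":
    # Constructed values; a server that expects the other location typically answers 401.
    url = "https://auth.example.com/oauth/token"
    for where in ("header", "body"):
        print(where, redacted(build_token_request(url, "wf-client", "s3cr3t/+=", ["read", "write"], where)))
```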

Manage Access

Adds or removes access items on one or more identities.

Note

The Manage Access action cannot revoke individual entitlements from identities.

This step's input must be a list of objects in the same format as is provided by the Get Access step. This includes a JSON body similar to this example:


{
    "accessItems":[
        {
            "id":"technicalID",
            "name":"accessItemName",
            "type":"accessItemType"
        }
    ]
}

When this step is used, the workflow submits a request to the external system to process the access change.

  • If the access item requires an approval process before it's granted or removed, that process begins and the workflow continues as soon as the request has been submitted, without waiting for the request to be granted or denied.
    • If you need to wait for the access request to be decided before the workflow continues, end this workflow and create a new one using the Access Request Decision trigger.
  • If the access item doesn't require approval, the workflow does not wait for confirmation from the source that the access was updated before continuing.
    • If you need to make sure the access is updated on the identity's source account before the workflow continues, add a Wait step after the Manage Access step.

Field Description
Request Type Choose whether to add or remove access.
Identities Select one or more identities from the dropdown list that should receive this access or have it removed. You can also use Choose Variable to choose the technical IDs of the identities using JSONPath.
Access to Manage Select the access items to manage. The input to this step must be a list of access objects in the format listed above. The Get Access step provides this input in the correct format.
Comments Provide a comment about why this access is changing.
If you selected Add Access under Request Type, the Select Duration field will appear. Optionally enter the length of time that the user should have the access and select a unit.

This step will time out if it takes longer than 30 minutes total to complete.

This action returns a JSON blob when it completes successfully.

Open "Manage Access" JSON Sample

{
    "failedAccessRequests":[
        {
            "id":"2c918089759466e10175c2b5486d0b85",
            "name":"Access Profile 1",
            "type":"ACCESS_PROFILE"
        }
    ],
    "successfulAccessRequests":[
        {
            "id":"2c918089759466e10175adadf0d30567",
            "name":"Role 1",
            "type":"ROLE"
        },
        {
            "id":"2c91808c759466e80175adae75720526",
            "name":"Role 2",
            "type":"ROLE"
        },
        {
            "id":"2c918089759466e10175b9236b7b08e0",
            "name":"Access Profile 2",
            "type":"ACCESS_PROFILE"
        },
        {
            "id":"2c918089759466e10175c2b5486d0b85",
            "name":"Access Profile 3",
            "type":"ACCESS_PROFILE"
        }
    ]
}
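Because the workflow continues as soon as a request is submitted, the output above is the only record of which items were even accepted. The following added example (not part of the original page or the product's own code) reconciles the items a workflow asked to change against this output and fails closed; `REQUESTED_IDS`, `reconcile` and `needs_follow_up` are hypothetical names, and the requested list is constructed.

```python
import json

# The "Manage Access" JSON sample from this page, unchanged.
STEP_OUTPUT = json.loads("""
{"failedAccessRequests":[
   {"id":"2c918089759466e10175c2b5486d0b85","name":"Access Profile 1","type":"ACCESS_PROFILE"}],
 "successfulAccessRequests":[
   {"id":"2c918089759466e10175adadf0d30567","name":"Role 1","type":"ROLE"},
   {"id":"2c91808c759466e80175adae75720526","name":"Role 2","type":"ROLE"},
   {"id":"2c918089759466e10175b9236b7b08e0","name":"Access Profile 2","type":"ACCESS_PROFILE"},
   {"id":"2c918089759466e10175c2b5486d0b85","name":"Access Profile 3","type":"ACCESS_PROFILE"}]}
""")

# Constructed input: the access item IDs the workflow was asked to remove.
# The last ID is a made-up placeholder that the step output never mentions.
REQUESTED_IDS = [
    "2c918089759466e10175adadf0d30567",
    "2c91808c759466e80175adae75720526",
    "2c918089759466e10175b9236b7b08e0",
    "2c918089759466e10175c2b5486d0b85",
    "00000000000000000000000000000000",
]

def reconcile(requested_ids, step_output):
    """Classify every requested ID; anything not cleanly submitted needs review."""
    failed = {i["id"] for i in step_output.get("failedAccessRequests") or []}
    ok = {i["id"] for i in step_output.get("successfulAccessRequests") or []}
    report = {"submitted": [], "failed": [], "ambiguous": [], "missing": []}
    for rid in requested_ids:
        if rid in failed and rid in ok:
            report["ambiguous"].append(rid)   # listed in both arrays
        elif rid in failed:
            report["failed"].append(rid)
        elif rid in ok:
            report["submitted"].append(rid)   # submitted, not yet confirmed on the source
        else:
            report["missing"].append(rid)     # never reported at all
    return report

def needs_follow_up(report):
    """IDs that must not be assumed changed."""
    return sorted(report["failed"] + report["ambiguous"] + report["missing"])

if __name__ == "__main__":
    print(json.dumps(reconcile(REQUESTED_IDS, STEP_OUTPUT), indent=2))
```

In the page's sample, one ID appears in both arrays, so it is reported as ambiguous rather than counted as a success.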
    

Manage Accounts

Deletes, disables, enables, or unlocks a source account.

Field Description
Account Action Select an action to take on the selected accounts. Valid options are Delete, Disable, Enable, or Unlock.
Select Accounts Choose one or more accounts to act on. If selecting the IDs of accounts from the Get Accounts step, use the JSONPath $.getAccounts.accounts[*].id. The [*].id must be added to the variable chosen by the Variable Selector.

Note

The Delete option is only applicable to accounts on flat file sources.

This step will time out if it takes longer than 1 hour to complete.

This action returns a JSON blob when it completes successfully. The object in this JSON body is the ID of the account that was updated.

Open "Manage Accounts" JSON Sample

{
   "id":"2c91808474683da6017468693c260195"
}
    

Manage ServiceNow Ticket

Creates a new ServiceNow ticket, or returns or updates the status of an existing ticket.

Field Description
Authentication Type Select the type of authentication.
Request URL Enter the ServiceNow endpoint's URL.
Action Select the action you want to perform. The options are Create new ticket, Update ticket status, and Get ticket status.
If you selected OAuth 2.0 - Client Credentials Grant under Authentication Type:
Token URL Enter the URL of the token.
Client ID Enter your client ID.
Client Secret Enter your client secret.
ServiceNow Username Enter the username authorized to access ServiceNow.
ServiceNow Password Enter the password corresponding to the username.
Request URL Enter the ServiceNow endpoint's URL.
If you selected Basic Authentication under Authentication Type:
ServiceNow Username Enter the username authorized to access ServiceNow.
ServiceNow Password Enter the password corresponding to the username.
Request URL Enter the ServiceNow endpoint's URL.
If you selected Create new ticket under Action:
Caller Enter the ServiceNow username of the caller.
Watchlist Enter the ServiceNow usernames of users you want to receive notifications about this ticket.
Short Description Enter a short description about the ticket.
Description Add additional details about the ticket.
Category Enter a category for the ticket.
Sub-Category Enter a sub-category for the ticket.
Urgency Select the urgency of the ticket.
Additional Fields Enter any additional fields required by ServiceNow and their values in key:value pairs, separated by line breaks.
If you selected Update ticket status under Action:
Ticket ID Enter the ID of the ticket you want to update.
Status Select the ticket's new status.
If you selected Get ticket status under Action:
Ticket ID Enter the ID of the ticket you want to get the status of.

This action returns a JSON blob when it completes successfully.

Open "ServiceNow" JSON Sample

         "problem_id":"",
         "reassignment_count":"0",
         "reopen_count":"0",
         "reopened_by":"",
         "reopened_time":"",
         "resolved_at":"",
         "resolved_by":"",
         "rfc":"",
         "route_reason":"",
         "service_offering":"",
         "severity":"3",
         "short_description":"Ticket created from SP IDN Workflows",
         "sla_due":"",
         "state":"1",
         "subcategory":"email",
         "sys_class_name":"incident",
         "sys_created_by":"workflows",
         "sys_created_on":"2022-09-19 04:52:44",
         "sys_domain":{
            "link":"https://ven04069.service-now.com/api/now/table/sys_user_group/global",
            "value":"global"
         },
         "sys_domain_path":"/",
         "sys_id":"5cfdc551db869910349c6ce2ca96192d",
         "sys_mod_count":"0",
         "sys_tags":"",
         "sys_updated_by":"workflows",
         "sys_updated_on":"2022-09-19 04:52:44",
         "task_effective_number":"INC0010006",
         "time_worked":"",
         "universal_request":"",
         "upon_approval":"proceed",
         "upon_reject":"cancel",
         "urgency":"3",
         "user_input":"",
         "watch_list":"",
         "work_end":"",
         "work_notes":"",
         "work_notes_list":"",
         "work_start":""
      }
   },
   "headers":null,
   "responseTime":"0.476802 seconds",
   "statusCode":201
}
    

Request Access Removal

Requests the removal of one or more access items from a list of identities.

The Request Access Removal step has been replaced by the Manage Access step. To request access removal in a workflow, use the Manage Access step and select Remove Access.

This step will time out if it takes longer than 90 seconds to complete.


Send Email

Sends an email to the specified identity.

Field Required? Description
Recipient Addresses Yes The email address that should receive this email. Select or enter up to 10 email addresses.
Reply-To Address No The email address to use as the reply-to address. If left blank, this uses the "From" address on the Branding page.
From Address No The email address to use as the sender address. If left blank, this uses the "From" address on the Branding page.
Subject No The subject line of the email.
Body No The body of the email.
Templating Context No The map of variables to be passed to the email template. Use the format {"variable1.$":"$.JSONPathVariableSelection1", "variable2.$":"$.JSONPathVariableSelection2"}. Each variable in the map represents the value selected by the JSONPath expression paired with it, and can be entered in the email template using the format ${variable}.

Templating Context Example

The following example uses JSONPath to select the username of an identity in the Get Identity step and assign it to the variable "name":
{"name.$":"$.getIdentity.name"}
To use this variable within the body of the email, enter the following in the Body field:
"Your username is ${name}."
In the final rendered email, the identity's username will be displayed in place of the variable.
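A mistyped variable or a key without the ".$" suffix is easy to miss until an email goes out. The following added example (not part of the original page or the product's renderer) lints a Templating Context against a Body and previews the result locally; `lint_templating` and `render` are hypothetical names, and the example assumes variable names are plain identifiers and that paths are simple dotted JSONPath expressions.

```python
import json
import re

# Assumption: variables are referenced as ${identifier}, as in the page's example.
VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def lint_templating(context_json, body):
    """Return a list of problems found in a Templating Context / Body pair."""
    issues, defined = [], set()
    for key, value in json.loads(context_json).items():
        if not key.endswith(".$"):
            issues.append(f"key {key!r} lacks the '.$' suffix shown in the documented format")
            continue
        if not (isinstance(value, str) and value.startswith("$.")):
            issues.append(f"value for {key!r} is not a JSONPath expression starting with '$.'")
            continue
        defined.add(key[:-2])
    used = set(VAR.findall(body))
    for name in sorted(used - defined):
        issues.append(f"body uses ${{{name}}} but the context does not define it")
    for name in sorted(defined - used):
        issues.append(f"context defines {name!r} but the body never uses it")
    return issues

def render(context_json, body, step_data):
    """Local preview: resolve dotted paths in step_data and substitute them."""
    values = {}
    for key, path in json.loads(context_json).items():
        node = step_data
        for part in path[2:].split("."):
            node = node[part]            # KeyError here means the path selects nothing
        values[key[:-2]] = str(node)
    return VAR.sub(lambda m: values[m.group(1)], body)

if __name__ == "__main__":
    ctx = '{"name.$":"$.getIdentity.name"}'          # from the page
    body = "Your username is ${name}."               # from the page
    data = {"getIdentity": {"name": "ed.engineer"}}  # constructed step output
    print(lint_templating(ctx, body) or "no issues")
    print(render(ctx, body, data))
```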

This step will time out if it takes longer than 1 minute to complete.


Send Slack Message

Sends a direct Slack message to the specified user.

Field Required? Description
Recipient Yes The name of the user that should receive the Slack message.
Message Yes The body of the Slack message.

Unlock Account

Unlocks an account on a source by the specified technical ID.

The Unlock Account step has been replaced by the Manage Accounts step. To unlock an account in a workflow, use the Manage Accounts step and select Unlock Accounts.

This step will time out if it takes longer than 2 minutes to complete.

This action returns a JSON blob when it completes successfully.

Open "Unlock Account" JSON Sample

{
    "id":"2c91803654683da6017468123c260195"
}
    

Wait

Pauses the workflow's execution for a set period of time.

Field Required? Description
Type Yes Choose Wait For to configure the step to pause for a time duration or Wait Until to wait until a specific date and time.
If you selected Wait For:
Wait Duration Yes The length of time to pause the workflow. Choose a number and select the time unit. Choose a time period between 60 seconds and 30 days.
If you selected Wait Until:
Future Date Yes The date when this workflow should resume. This can be pulled from a variable in the workflow. Choose a date no more than 180 days in the future.
Time Yes The time on the specified date when this workflow should resume. This field only appears when the Type is Wait Until.

This step will time out if it takes longer than 182 days to complete.


Operators

Operators allow you to make comparisons between values and, based on the results of that comparison, choose a new path for your workflow to follow.


Boolean

A Boolean operator is a type of choice operator. It compares two boolean (true or false) values.

Field Required? Description
Value 1 No A JSONPath expression to a TRUE or FALSE value in the step's input, to be compared with Value 2.
Comparison Operator Yes The operator Equals.
Value 2 No A static value or a JSONPath expression to another value in the input, to be compared with Value 1.

Compare Numbers

A Compare Numbers operator is a type of choice operator. It compares two numerical values.

Field Required? Description
Value 1 No A JSONPath expression to an integer value in the step's input, to be compared with Value 2.
Comparison Operator Yes The operator to use to compare Value 1 to Value 2.
Value 2 No A static value or JSONPath expression to another value in the input, to be compared with Value 1.

Compare Strings

A Compare Strings operator is a type of choice operator. It compares two text, or string, values.

Field Required? Description
Value 1 No A JSONPath expression to a string value in the step's input, to be compared with Value 2.
Comparison Operator Yes The operator to use to compare Value 1 to Value 2.
Value 2 No A static value or a JSONPath expression to another value in the input, to be compared with Value 1.

Loop

The Loop operator allows you to choose a set of steps to perform on a list of items.

To use the Loop operator, drag a set of steps into the canvas inside the tile. This set of steps can include actions and operators, including choice operators. It must meet many of the same requirements as the workflow itself.

Within the Loop step:

  • All steps must be connected to at least one other step.
  • Each branch within the Loop step must have an end step, so that the loop knows when to finish with an object and restart the set of steps on a new object.
  • This end step within the loop does not replace the end step outside of the loop, which signifies the end of the entire workflow instead of the loop itself.

The steps in a loop are executed on items from the input list in parallel with each other. Items are not guaranteed to be processed in any specific order.

Later actions and operators in the workflow can begin before the loop step has finished iterating over all objects in the list. However, the workflow itself can't end until the loop has finished executing. For this reason, adding steps outside of the loop between the Loop operator and the end step is not recommended.

Field Required? Description
Loop Input Yes A JSONPath expression to an array, or list, type attribute from the output of a previous step. The Loop operator will iterate through the objects in this array and perform the steps in the loop on these objects.

Loop Input Information

The Loop operator performs a series of steps on a list of items you select using the Loop Input field. When configuring steps within a loop, you can only select data from this Loop Input or from other steps in the loop.

In the Loop Input field, be sure to select an array containing the type of input required by the first step of the loop. For example, if the first step in your loop is Manage Access, select an array of access items such as the accessItems object returned by the Get Access step. The array you select can contain no more than 50 items. If an item in this list is larger than 512KB, that item will fail when the loop is executed.

To use this data within the loop's steps, it must be referenced using a JSONPath expression beginning with $.loop.loopInput. You can append attributes to this expression to select the specific data a field needs. For example, use $.loop.loopInput.id to select an ID from the array in the Loop Input field.

This operator returns a JSON blob when it completes successfully. The results are divided into objects that successfully completed the steps in the loop and objects that failed.

Open "Loop" JSON Sample

{
    "loopOutput":{
        "failureItems":null,
        "successfulItems":[
            {
                "loopInput":"2c91503771f099950171e65c874d02cd"
            },
            {
                "loopInput":"2c91903771f099950571f65c8ac402fe"
            }
        ]
    }
}
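The 50-item and 512KB limits and the success/failure split above matter most when a loop is removing access, since an item that never ran keeps its access. The following added example (not part of the original page or the product's own code) batches a candidate Loop Input to fit those limits and lists the items a Loop output does not report as successful; `preflight` and `unprocessed` are hypothetical names, and the size check assumes 512KB means 512 * 1024 bytes of serialized JSON.

```python
import json

MAX_ITEMS = 50                # page: the array can contain no more than 50 items
MAX_ITEM_BYTES = 512 * 1024   # page: items larger than 512KB fail (byte interpretation assumed)

# The "Loop" JSON sample from this page, unchanged.
LOOP_SAMPLE = {
    "loopOutput": {
        "failureItems": None,
        "successfulItems": [
            {"loopInput": "2c91503771f099950171e65c874d02cd"},
            {"loopInput": "2c91903771f099950571f65c8ac402fe"},
        ],
    }
}

def preflight(items):
    """Return (batches, oversized_indexes) for a candidate Loop Input list."""
    usable, oversized = [], []
    for index, item in enumerate(items):
        size = len(json.dumps(item, separators=(",", ":")).encode("utf-8"))
        if size > MAX_ITEM_BYTES:
            oversized.append(index)      # would fail inside the loop
        else:
            usable.append(item)
    batches = [usable[i:i + MAX_ITEMS] for i in range(0, len(usable), MAX_ITEMS)]
    return batches, oversized

def unprocessed(batch, loop_result):
    """Items of a batch that the Loop output does not list as successful."""
    output = loop_result.get("loopOutput") or {}
    remaining = list(batch)
    for entry in output.get("successfulItems") or []:   # null is treated as empty
        value = entry.get("loopInput")
        if value in remaining:
            remaining.remove(value)      # remove one occurrence per success
    return remaining

if __name__ == "__main__":
    # Constructed input: 120 short IDs with one oversized item in the middle.
    ids = [f"id-{n:03d}" for n in range(120)]
    batches, too_big = preflight(ids[:10] + ["x" * MAX_ITEM_BYTES] + ids[10:])
    print([len(b) for b in batches], too_big)
```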
    

Verify Data Type

The Verify Data Type operator allows you to confirm that the data in a field you select is a specific type, or that it exists at all.

Field Required? Description
Value Yes A JSONPath expression to a variable in the step's input to validate against what you select in Data Type.
Data Type Yes The type of data. At runtime, the attribute in the Value field is compared to the type selected here.

This step can validate whether the value in the selected attribute:

  • Exists
  • Is a boolean
  • Is a number
  • Is a string
  • Is a timestamp
  • Is null

Comparison Operators

In each choice step, two values are compared. You'll see the following options for the Compare Strings and Compare Numbers steps:

  • Contains
  • Equals
  • Is Greater Than
  • Is Greater Than or Equal To
  • Is Less Than
  • Is Less Than or Equal To

Note that the Contains operator is only available for Compare Strings steps.

End Steps

Each workflow must have at least one end step. These steps can be added to stop your workflow and categorize its execution as a success or a failure. Each branch of your workflow must finish with an end step.

The Executions tab on a workflow's details reflects whether each execution ended in success or failure.


Success

Add this step to your workflow to stop the workflow and mark its execution as a success.

It doesn't have any unique fields.


Failure

Add this step to your workflow to stop the workflow and mark its execution as a failure. This step is used to signify that the workflow ended with an error, and workflow tests that end in this step are considered failed tests.

Field Required? Description
Failure Name Yes The name of the step, used for linking steps together.
Failure Details No Details or notes to be included in the workflow's execution results to explain its failure.

To learn more about the process of building a workflow, either in the visual builder or using JSON, visit Creating and Managing Workflows.