BETA - Workflow Steps and Definitions

Important

This document covers Workflows, which is currently in Beta. The information in this document, and the feature it describes, are subject to change without notice.

Review a summary of the terms and conditions for SailPoint's Access Programs.

All workflows are made of several parts:

  • The metadata, where you can define the workflow's name and description.
  • The trigger, which determines the event that causes the workflow to run.
  • The steps, called actions and operators, which define the actions and decisions a workflow makes as it runs.

This document describes the workflow metadata, triggers, actions, and operators available for use in workflows. When applicable, the fields required for each step are included.

Metadata

A workflow's metadata defines basic information about a workflow, such as its name and description.

The metadata about a workflow can be configured either in the UI or using JSON. You can find an example JSON file below, which can be edited to meet your needs.

Open Metadata File JSON Schema

{
  "name": "WORKFLOW NAME",
  "description": "WORKFLOW DESCRIPTION",
  "version": "1.0",
  "definition": {
    "trigger": {},
    "start":"",
    "steps": {}
  }
}
    

Triggers

A trigger is the event that tells the workflow to start. The workflow uses data provided by the input to calculate the results of each action and operator.

Each workflow can have exactly one trigger.

To build an effective workflow, you'll need to understand each trigger and the input it delivers. You can find this data below.

  • Access Request Decision

    An access request was approved or denied.

  • Access Request Dynamic Approver

    Gets a dynamic approver.

  • Access Request Submitted

    A request to add or remove access was submitted.

  • Account Aggregation Completed

    Fires every time an aggregation is completed.

  • Account Attributes Changed

    One or more attributes on an account have changed successfully.

  • Account Correlated

    A new account was correlated to an identity.

  • Account Uncorrelated

    A source account was removed from an identity's list of accounts.

  • Accounts Collected for Aggregation

    An account aggregation completed, was terminated, or failed.

  • Campaign Activated

    A certification campaign was activated.

  • Campaign Ended

    A certification campaign ended.

  • Campaign Generated

    A certification campaign finished generating.

  • Certification Signed Off

    A certification reviewer signed off on their certifications.

  • External Trigger

    An external system made a specific HTTP POST call to IdentityNow.

  • Identity Attributes Changed

    One or more attributes were changed on an identity.

  • Identity Created

    Fires each time a new identity is created.

  • Identity Deleted

    An identity was deleted from IdentityNow. Note that this does not mean that the user no longer has accounts on any sources, only that their accounts do not correlate to an identity.

  • Scheduled Search

    A scheduled search completed and the results are available. The input of this trigger is the result of that search.

  • Provisioning Completed

    A provisioning action completed on a source.

  • Scheduled Trigger

    A scheduled trigger was initiated based on the configured CRON schedule.

    To use a scheduled trigger, complete the following fields:

    | Field | Required? | Description |
    | --- | --- | --- |
    | CRON Interval | Yes | The CRON expression to represent the time between runs. |

  • Source Created

    A new source was successfully created.

  • Source Deleted

    A source was successfully deleted.

  • Source Updated

    Configuration changes were successfully made to a source.

  • VA Cluster Status Change Event

    A virtual appliance cluster changed status.

Actions

Most actions receive JSON input from the step preceding them and either change that input or take an action on it. The values you enter in the fields for each action help determine what is done and how.

The value for each field must be provided either in JSONPath format, or typed as a static, fixed value. Select which format you'll be using for each field before entering the value and saving your workflow.

There are several fields that you will see in every action:

  • Name - The name of the action. This must be unique within the workflow you create, so that it can be used in Next steps and conditional logic.
  • Description - This is an optional field to allow you to record details about this action and its importance.
  • Select Input - Use JSONPath to choose the part of the JSON input that you want to act on when this action is executed. To use the entire JSON data stream as input, enter $.
  • Select Result - Use JSONPath to choose the location in the data flow where you want to place the result of the action. To replace the entire JSON in the data flow with the results of a step, enter $ or leave this field empty.
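The following Python sketch models how Select Input and Select Result move data between steps. It is an added example, not SailPoint code: the trigger input, the `fake_get_identity` stand-in and the `$.getIdentity` location are constructed, and only `$` and dotted `$.a.b` paths are handled.

```python
import copy


def _keys(path):
    """Split '$' or '$.a.b' into keys; this sketch supports only that JSONPath subset."""
    if path in ("", "$"):
        return []
    if not path.startswith("$."):
        raise ValueError(f"unsupported path in this sketch: {path!r}")
    return path[2:].split(".")


def select_input(flow, path):
    """Select Input: the part of the data flow the action gets to act on."""
    node = flow
    for key in _keys(path):
        node = node[key]
    return node


def place_result(flow, path, result):
    """Select Result: '$' or empty replaces the whole flow, a path adds to it."""
    keys = _keys(path)
    if not keys:
        return copy.deepcopy(result)
    new_flow = copy.deepcopy(flow)
    node = new_flow
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = copy.deepcopy(result)
    return new_flow


def run_step(flow, action, select_in="$", select_out="$"):
    """Model one action: pick its input, run it, write its result into the flow."""
    return place_result(flow, select_out, action(select_input(flow, select_in)))


# Constructed trigger input and a stand-in for a "Get Identity" style action.
TRIGGER_INPUT = {"account": {"id": "acct-001"}, "identity": {"id": "ident-001"}}

def fake_get_identity(identity_ref):
    return {"id": identity_ref["id"], "name": "Example Person", "managerId": "ident-002"}

# Select Result "$": the trigger's account data is gone for every later step.
replaced = run_step(TRIGGER_INPUT, fake_get_identity, "$.identity", "$")
# Select Result "$.getIdentity": the result is added and the trigger data survives.
kept = run_step(TRIGGER_INPUT, fake_get_identity, "$.identity", "$.getIdentity")
```

With `$` as Select Result, a later step such as Disable Account can no longer read the account ID from the trigger input, so choose a result location whenever later steps still need the original data.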

Below, you can find a list of all actions currently available for workflows, as well as the unique fields for each.

  • Activate Certification Campaign

    | Field | Required? | Description |
    | --- | --- | --- |
    | Campaign ID | Yes | The ID of the campaign to activate. |

  • Approve Access Request

    | Field | Required? | Description |
    | --- | --- | --- |
    | Approval ID | Yes | The ID of the access request to approve. |
    | Comment | Yes | Provide a comment to leave on the access request's approval. |

  • Create Certification Campaign

    | Field | Required? | Description |
    | --- | --- | --- |
    | Campaign Deadline | Yes | The duration of the campaign. Use h to specify hours, m to specify minutes, and s to specify seconds. For example, entering 72h will give your campaign a deadline in 3 days. Larger units of time are not supported. |
    | Campaign Name | No | The name of the campaign. |
    | From Field | No | The email address that will be used as the sender address. |

  • Create Request for Access

    | Field | Required? | Description |
    | --- | --- | --- |
    | Identity List for Access Approval | Yes | The technical IDs of the identities to request this access for. This must be either JSONPath or a list in JSON format. |
    | Requested Items | Yes | The technical IDs of the items to be requested. This must be either JSONPath or a list in JSON format. |

  • Deny Access Request

    | Field | Required? | Description |
    | --- | --- | --- |
    | Approval ID | Yes | The ID of the access request to deny. |
    | Comment | Yes | Provide a comment to leave on the access request's denial. |

  • Disable Account

    | Field | Required? | Description |
    | --- | --- | --- |
    | Account ID | Yes | The technical ID of the account to disable. |

  • Enable Account

    | Field | Required? | Description |
    | --- | --- | --- |
    | Account ID | Yes | The technical ID of the account to enable. |

  • Get Access Request Recommendations

    | Field | Required? | Description |
    | --- | --- | --- |
    | Get Access Request Recommendations | Yes | The ID of the identity for whom to retrieve access request recommendations. |

  • Get Certification Campaign

    | Field | Required? | Description |
    | --- | --- | --- |
    | Campaign ID | Yes | The ID of the campaign to get. |

  • Get Identity

    | Field | Required? | Description |
    | --- | --- | --- |
    | Identity ID | Yes | The technical ID of the identity to get. |

  • HTTP Request

    | Field | Required? | Description |
    | --- | --- | --- |
    | Headers | No | The headers for this request. |
    | Method | Yes | The method, such as GET, POST, or PUT, for this request. |
    | Path | Yes | The HTTP URL for this request. |
    | Body | No | The body of the request. |
    | Query Parameters | No | The query parameters of the request. |

  • Request Access Removal

    | Field | Required? | Description |
    | --- | --- | --- |
    | Identity List for Access Revocation | Yes | The technical IDs of the identities to request access removal for. This must be either JSONPath or a list in JSON format. |
    | Requested Items | Yes | The technical IDs of the items to request their removal. This must be either JSONPath or a list in JSON format. |

  • Send Email

    | Field | Required? | Description |
    | --- | --- | --- |
    | Recipient ID | Yes | The technical ID of the identity that should receive this email. |
    | Reply-To Address | No | The email address to use as the reply-to address. |
    | From Address | No | The email address to use as the sender address. |
    | Subject | No | The subject line of the email. |
    | Body | No | The body of the email. |

  • Sleep

    | Field | Required? | Description |
    | --- | --- | --- |
    | Sleep Duration | Yes | The length of time to pause the workflow for. Use m to specify minutes and s to specify seconds. Choose a time of 5 minutes or shorter. For example, 5m indicates 5 minutes. |

  • Unlock Account

    | Field | Required? | Description |
    | --- | --- | --- |
    | Account ID | Yes | The technical ID of the account to unlock. |

Operators

Operators allow you to make comparisons between values and, based on the results of that comparison, choose a new path for your workflow to follow.

  • Boolean

    A boolean operator is a type of choice operator.

    | Field | Required? | Description |
    | --- | --- | --- |
    | Variable A | No | A JSONPath expression to a TRUE or FALSE value in the step's input, to be compared with Variable B. |
    | Operator | No | A valid comparison operator. The only comparison operator available for Boolean steps is BooleanEquals. |
    | Variable B | No | A static value or a JSONPath expression to another value in the input, to be compared with Variable A. |

  • Compare Numbers

    A compare numbers operator is a type of choice operator.

    | Field | Required? | Description |
    | --- | --- | --- |
    | Variable A | No | A JSONPath expression to an integer value in the step's input, to be compared with Variable B. |
    | Operator | No | The exact value of one of the comparison operators available for numbers. |
    | Variable B | No | A static value or a JSONPath expression to another value in the input, to be compared with Variable A. |

    The following comparison operators can be used with the Compare Numbers operator step:

    • NumericEquals
    • NumericLessThan
    • NumericGreaterThan
    • NumericLessThanEquals
    • NumericGreaterThanEquals
  • Compare Strings

    A Compare Strings operator is a type of choice operator.

    | Field | Required? | Description |
    | --- | --- | --- |
    | Variable A | No | A JSONPath expression to a string value in the step's input, to be compared with Variable B. |
    | Operator | No | The exact value of one of the comparison operators available for strings. |
    | Variable B | No | A static value, or a JSONPath expression to another value in the input, to be compared with Variable A. |

    The following comparison operators are available for the compare strings operator step:

    • StringEquals - Passes if the strings are exactly the same.
    • StringLessThan
    • StringGreaterThan
    • StringLessThanEquals
    • StringGreaterThanEquals
    • StringMatches - Passes if Variable B contains the value of Variable A.
  • Success

    This step is used to mark the successful end of a workflow. It doesn't have any unique fields.

  • Failure

    Add this step to your workflow to signify it failed.

    | Field | Required? | Description |
    | --- | --- | --- |
    | Failure Name | Yes | The name of the step, used for linking steps together. |
    | Failure Details | No | Details or notes about the step. |

Comparison Operators

In each choice step, two values are compared. The comparison operator in each of these steps must exactly match one of the following:

Additional comparison operators that aren't specific to any type of choice step are listed below:

- IsBoolean
- IsNull
- IsNumeric
- IsPresent
- IsString
- IsTimestamp

If you choose any of the above comparison operators, you only need to enter a value in the Value 1 field. The result of the comparison will be based on whether the data in Value 1 matches the data type described in the comparison operator.
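A pre-import check for two kinds of values this page constrains: the Campaign Deadline and Sleep Duration fields, and the comparison operator of each choice step. This is an added Python example, not part of the product; the function names are hypothetical, and it assumes a duration is a single whole number followed by one unit, as in the page's 72h and 5m.

```python
import re

# Operator names copied from this page, keyed by the choice step that accepts them.
STEP_OPERATORS = {
    "Boolean": {"BooleanEquals"},
    "Compare Numbers": {"NumericEquals", "NumericLessThan", "NumericGreaterThan",
                        "NumericLessThanEquals", "NumericGreaterThanEquals"},
    "Compare Strings": {"StringEquals", "StringLessThan", "StringGreaterThan",
                        "StringLessThanEquals", "StringGreaterThanEquals",
                        "StringMatches"},
}
# Data-type checks that are not specific to one kind of choice step.
TYPE_CHECKS = {"IsBoolean", "IsNull", "IsNumeric", "IsPresent", "IsString",
               "IsTimestamp"}
# Units each duration field accepts; Sleep Duration is also capped at 5 minutes.
DURATION_UNITS = {"Campaign Deadline": {"h", "m", "s"}, "Sleep Duration": {"m", "s"}}
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def duration_seconds(field, value):
    """Convert a duration field to seconds, or raise ValueError if it breaks a rule."""
    # Assumption: one whole number plus one unit, as in the page's 72h and 5m.
    match = re.fullmatch(r"(\d+)([A-Za-z]+)", value.strip())
    if not match or match.group(2) not in DURATION_UNITS[field]:
        raise ValueError(f"{field}: {value!r} needs a number and one of "
                         f"{sorted(DURATION_UNITS[field])}")
    seconds = int(match.group(1)) * UNIT_SECONDS[match.group(2)]
    if field == "Sleep Duration" and seconds > 5 * 60:
        raise ValueError(f"{field}: {value!r} is longer than 5 minutes")
    return seconds


def operator_problem(step_kind, operator):
    """Return None if the operator is usable in this choice step, else a message."""
    allowed = STEP_OPERATORS[step_kind] | TYPE_CHECKS
    if operator in allowed:
        return None
    # The value must match exactly, so report case-only slips separately.
    exact = {name.lower(): name for name in allowed}.get(operator.lower())
    if exact:
        return f"{operator!r} must be written exactly as {exact!r}"
    return f"{operator!r} is not available in a {step_kind} step"
```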

To learn more about the process of building a workflow, either in the visual builder or using JSON, visit Creating and Managing Workflows.