diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 048a8b0..b36e450 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -10,3 +10,4 @@ workflows/reassign-object-owners @colin-mckibben-sp
 workflows/assign-roles-using-forms @iam-sharvari
 workflows/new-hire-additional-info @iam-sharvari
 workflows/temporary-admin-access @colin-mckibben-sp
+workflows/delayed-deprovisioning-of-birthright-role-on-mover @ruben-elizondo-sp
\ No newline at end of file
diff --git a/workflows/delayed-deprovisioning-of-birthright-role-on-mover/.gitkeep b/workflows/delayed-deprovisioning-of-birthright-role-on-mover/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/workflows/delayed-deprovisioning-of-birthright-role-on-mover/Form - Delayed Birthright Role DeProvisioning.json b/workflows/delayed-deprovisioning-of-birthright-role-on-mover/Form - Delayed Birthright Role DeProvisioning.json
new file mode 100644
index 0000000..c97c1dd
--- /dev/null
+++ b/workflows/delayed-deprovisioning-of-birthright-role-on-mover/Form - Delayed Birthright Role DeProvisioning.json
@@ -0,0 +1,381 @@ +[ + { + "version": 1, + "self": { + "type": "FORM_DEFINITION", + "id": "3fcea1cb-fcfb-4e64-910f-16d365b26e84", + "name": "Delayed Birthright Role Deprovisioning" + }, + "object": { + "id": "3fcea1cb-fcfb-4e64-910f-16d365b26e84", + "name": "Delayed Birthright Role Deprovisioning", + "description": "", + "owner": { + "type": "IDENTITY", + "id": "28d0d82df7514dcf874030ce084a3668", + "name": "" + }, + "usedBy": [], + "formInput": [ + { + "id": "currentTitle", + "type": "STRING", + "label": "Current Title", + "description": "" + }, + { + "id": "idenitityname", + "type": "STRING", + "label": "IdenitityName", + "description": "" + }, + { + "id": "previousTitle", + "type": "STRING", + "label": "Previous Title", + "description": "" + }, + { + "id": "lostRoles", + "type": "ARRAY", + "label": "Lost Roles", + "description": "" + }, + { + "id": "identityId", + "type": "STRING", + "label": "IdentityID", + "description": "" + } + ], + "formElements": [ + { + "id": "1167750864903", + "elementType": "SECTION", + "config": { + "alignment": "LEFT", + "description": "", + "formElements": [ + { + "config": { + "description": "

Your direct report has changed job titles and as a result they have lost access they previously held.

\n

If they need some time to complete their tasks and projects, use this form to temporarily extend their current access. 

\n

Please fill out the fields below.  Any extended access will be automatically removed after the selected time. 

", + "label": "Description Field", + "showLabel": false + }, + "elementType": "DESCRIPTION", + "id": "1371770739071", + "key": "", + "validations": [] + }, + { + "config": { + "default": "", + "description": "", + "helpText": "", + "label": "Identity Name", + "placeholder": "", + "required": false + }, + "elementType": "TEXT", + "id": "801911992153", + "key": "identityName", + "validations": [] + }, + { + "config": { + "default": "", + "description": "", + "helpText": "", + "label": "IdentityID", + "placeholder": "", + "required": false + }, + "elementType": "TEXT", + "id": "1686878986398", + "key": "identityId", + "validations": [] + }, + { + "config": { + "columnCount": 2, + "columns": [ + [ + { + "config": { + "default": "", + "description": "", + "helpText": "", + "label": "Current Job Title", + "placeholder": "", + "required": false + }, + "elementType": "TEXT", + "id": "958707300322", + "key": "currentJobTitle", + "validations": [] + } + ], + [ + { + "config": { + "default": "", + "description": "", + "helpText": "", + "label": "Previous Job Title", + "placeholder": "", + "required": false + }, + "elementType": "TEXT", + "id": "850566345112", + "key": "previousJobTitle", + "validations": [] + } + ] + ], + "description": "", + "label": "Column Set", + "labelStyle": "h5", + "showLabel": false + }, + "elementType": "COLUMN_SET", + "id": "228451340682", + "key": "", + "validations": [] + } + ], + "label": "Staggerd De-provisioning Form", + "labelStyle": "h2", + "showLabel": true + }, + "validations": [] + }, + { + "id": "1577680332106", + "elementType": "SECTION", + "config": { + "alignment": "LEFT", + "description": "Select from this dropdown list of Roles that this user lost from their most recent identity processing (limit 30)\n\nChoose how long to extend their access for.", + "formElements": [ + { + "config": { + "columnCount": 2, + "columns": [ + [ + { + "config": { + "dataSource": { + "config": { + "formInputId": "lostRoles", + "sortBy": "ASC" + }, + 
"dataSourceType": "FORM_INPUT" + }, + "forceSelect": true, + "helpText": "", + "label": "Removed Roles List", + "maximum": 30, + "placeholder": "", + "required": false + }, + "elementType": "SELECT", + "id": "1569615994781", + "key": "extendRoles", + "validations": [ + { + "validationType": "DATA_SOURCE" + } + ] + } + ], + [ + { + "config": { + "default": "", + "description": "", + "helpText": "", + "label": "Number of Days", + "placeholder": "", + "required": true + }, + "elementType": "TEXT", + "id": "688569054245", + "key": "numberOfDays", + "validations": [ + { + "config": { + "message": "Please enter a valid number.", + "regex": "\\d+" + }, + "validationType": "REGEX" + }, + { + "validationType": "REQUIRED" + } + ] + } + ] + ], + "description": "", + "label": "heading 5", + "labelStyle": "h5", + "showLabel": false + }, + "elementType": "COLUMN_SET", + "id": "1418085224388", + "key": "", + "validations": [] + }, + { + "config": { + "description": "

To process the Identity without role extension, submit this form without any input.

", + "label": "Description Field", + "showLabel": false + }, + "elementType": "DESCRIPTION", + "id": "782695504085", + "key": "", + "validations": [] + } + ], + "label": "Role Extension Management", + "labelStyle": "h5", + "showLabel": true + }, + "validations": [] + } + ], + "formConditions": [ + { + "ruleOperator": "AND", + "rules": [ + { + "sourceType": "INPUT", + "source": "Current Title", + "operator": "NOT_EM", + "valueType": "STRING", + "value": "" + } + ], + "effects": [ + { + "effectType": "SET_DEFAULT_VALUE", + "config": { + "defaultValueLabel": "Current Title", + "element": "958707300322" + } + }, + { + "effectType": "DISABLE", + "config": { + "element": "958707300322" + } + } + ] + }, + { + "ruleOperator": "AND", + "rules": [ + { + "sourceType": "INPUT", + "source": "Previous Title", + "operator": "NOT_EM", + "valueType": "STRING", + "value": "" + } + ], + "effects": [ + { + "effectType": "SET_DEFAULT_VALUE", + "config": { + "defaultValueLabel": "Previous Title", + "element": "850566345112" + } + }, + { + "effectType": "DISABLE", + "config": { + "element": "850566345112" + } + } + ] + }, + { + "ruleOperator": "AND", + "rules": [ + { + "sourceType": "INPUT", + "source": "IdenitityName", + "operator": "NOT_EM", + "valueType": "STRING", + "value": "" + } + ], + "effects": [ + { + "effectType": "SET_DEFAULT_VALUE", + "config": { + "defaultValueLabel": "IdenitityName", + "element": "801911992153" + } + }, + { + "effectType": "DISABLE", + "config": { + "element": "801911992153" + } + } + ] + }, + { + "ruleOperator": "AND", + "rules": [ + { + "sourceType": "ELEMENT", + "source": "extendRoles", + "operator": "NOT_EM", + "valueType": "STRING_LIST", + "value": [] + } + ], + "effects": [ + { + "effectType": "SHOW", + "config": { + "element": "688569054245" + } + } + ] + }, + { + "ruleOperator": "AND", + "rules": [ + { + "sourceType": "INPUT", + "source": "identityId", + "operator": "NOT_EM", + "valueType": "STRING", + "value": "" + } + ], + "effects": [ + { + 
"effectType": "SET_DEFAULT_VALUE", + "config": { + "defaultValueLabel": "identityId", + "element": "1686878986398" + } + }, + { + "effectType": "DISABLE", + "config": { + "element": "1686878986398" + } + } + ] + } + ], + "created": "2024-01-18T21:58:02.006242119Z", + "modified": "2024-04-15T17:42:26.729650854Z" + } + } +] \ No newline at end of file diff --git a/workflows/delayed-deprovisioning-of-birthright-role-on-mover/README.md b/workflows/delayed-deprovisioning-of-birthright-role-on-mover/README.md new file mode 100644 index 0000000..83dd11d --- /dev/null +++ b/workflows/delayed-deprovisioning-of-birthright-role-on-mover/README.md 
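Review bot: The `numberOfDays` validation on element `688569054245` uses the unanchored pattern `"regex": "\\d+"`, which accepts `0`, arbitrarily large values, and (if the validator searches rather than full-matches) strings like `12abc`, and the workflow in this same change concatenates that value with `d` and passes it straight through as the removal duration of the re-granted birthright role; anchoring and bounding it, e.g. `"regex": "^[1-9][0-9]?$"` with the ceiling set per policy, is what keeps the extension genuinely temporary. The `identityId` and `identityName` elements are plain TEXT fields that are only DISABLEd by a form condition when the matching form input is non-empty, so whenever the workflow fails to prefill them they become manager-editable; since the workflow already knows the trigger identity, consider not carrying the identity through the submitted form data at all. Minor: the section label `Staggerd De-provisioning Form` has a typo, and the input id `idenitityname` (and its `IdenitityName` label and condition source) is misspelled consistently — harmless while both sides of the binding match, but worth fixing before other workflows reuse this form definition.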
@@ -0,0 +1,48 @@
+**Configuration**
+
+Form
+VS Code:
+
+1. Navigate to the project directory, right-click on the 'forms' section, and select "import".
+2. Choose the file you downloaded from this page, "Form - Delayed Birthright Role DeProvisioning.json".
+
+Log in to the Environment and Update the Owner
+
+Workflow
+1. Open the file "Workflow - Delayed Birthright Role DeProvisioining on Transfer.json" and replace the tokens in the file.
+
+URLs
+
+- %%API_URL%% (e.g. https://company1983-poc.api.identitynow-demo.com)
+
+Oauth Client Tokens
+
+- %%OAUTH_CLIENT_ID%%
+
+Admin Email (for emailing on failed provisioning events)
+
+- %%ADMIN_EMAIL%%
+
+Import
+
+UI Option: Workflows > New Workflow > Upload File
+
+VS Code option: In project directory, right click Workflows section and choose "import" and choose the file you just updated.
+
+Update Client Secret
+
+UI Option: Open Workflow > Edit in Builder > update client secret in the following steps:
+
+1. Get Identity History Snapshots
+2. Get Removed Roles
+3. Make Role Requestable
+4. Make Role Unrequestable
+
+VS Code Option
+
+Locate and replace “oAuthClientSecret” key occurrences (total of four times), inserting your client secret value accordingly. Note that this secret will not encrypt until you make modifications via UI & save.
+
+Additional Details
+
+- For more than one role, an access request would be created for each role.
+- Typically, birthright roles are configured as non-requestable. This workflow loops through each role designated for an extension and modifies the role status to requestable. This temporarily allows for role assignment with an expiration date before immediately reverting the role back to being non-requestable, therefore securing system integrity. 
diff --git a/workflows/delayed-deprovisioning-of-birthright-role-on-mover/Workflow-Delayed Birthright Role DeProvisioning on Transfer.json b/workflows/delayed-deprovisioning-of-birthright-role-on-mover/Workflow-Delayed Birthright Role DeProvisioning on Transfer.json new file mode 100644 index 0000000..7e173df --- /dev/null +++ b/workflows/delayed-deprovisioning-of-birthright-role-on-mover/Workflow-Delayed Birthright Role DeProvisioning on Transfer.json @@ -0,0 +1,289 @@ +{ + "id": "aa11bff0-a1fa-4a65-a48d-5cd061898945", + "name": "Delayed Birthright Role DeProvisioning on Transfer ", + "description": "", + "definition": { + "start": "Get Identity History Snapshots", + "steps": { + "Any Removed Roles?": { + "choiceList": [ + { + "comparator": "IsPresent", + "nextStep": "Get Identity", + "variableA.$": "$.getRemovedRoles.body[0].id" + } + ], + "defaultStep": "End Step - No Extenstions Success", + "type": "choice" + }, + "End Step - No Extenstions Success": { + "displayName": "", + "type": "success" + }, + "End Step - Success": { + "displayName": "", + "type": "success" + }, + "Extended Roles?": { + "choiceList": [ + { + "comparator": "IsPresent", + "nextStep": "Get Access", + "variableA.$": "$.form.formData.numberOfDays" + } + ], + "defaultStep": "End Step - No Extenstions Success", + "type": "choice" + }, + "Form": { + "actionId": "sp:forms", + "attributes": { + "deadline": "2d", + "formDefinitionId": "3fcea1cb-fcfb-4e64-910f-16d365b26e84", + "inputForForm_array_lostRoles.$": "$.getRemovedRoles.body", + "inputForForm_array_lostRoles_label": "$.displayName", + "inputForForm_array_lostRoles_value": "$.id", + "inputForForm_currentTitle.$": "$.trigger.changes[?(@.attribute==\"jobTitle\")].newValue", + "inputForForm_idenitityname.$": "$.trigger.identity.name", + "inputForForm_identityId.$": "$.getIdentity.id", + "inputForForm_previousTitle.$": "$.trigger.changes[?(@.attribute==\"jobTitle\")].oldValue", + "notificationBody": "

{{$.getIdentity.managerRef.name}},

\n\n

Your direct report, {{$.getIdentity.name}} has had a job title or department change.

\n\n

Old Value(s):
{{$.trigger.changes[?(@.attribute == \"jobTitle\" || @.attribute == \"department\")].oldValue}}

\n\n

New Value(s):
{{$.trigger.changes[?(@.attribute == \"jobTitle\" || @.attribute == \"department\")].newValue}}

\n\nPlease use the form linked below to optionally extend their previous role access.", + "notificationSubject": "Job Change Staggered De-provisioning Option", + "recipient.$": "$.getIdentity.managerRef.id", + "reminder": "1d" + }, + "nextStep": "Extended Roles?", + "type": "action", + "versionNumber": 1 + }, + "Get Access": { + "actionId": "sp:access:get", + "attributes": { + "accessprofiles": false, + "entitlements": false, + "getAccessBy": "searchQuery", + "query": "id: (\"{{$.form.formData.extendRoles[0]}}\", \"{{$.form.formData.extendRoles[1]}}\", \"{{$.form.formData.extendRoles[2]}}\", \"{{$.form.formData.extendRoles[3]}}\", \"{{$.form.formData.extendRoles[4]}}\", \"{{$.form.formData.extendRoles[5]}}\",\"{{$.form.formData.extendRoles[6]}}\",\"{{$.form.formData.extendRoles[7]}}\",\"{{$.form.formData.extendRoles[8]}}\",\"{{$.form.formData.extendRoles[9]}}\")", + "roles": true + }, + "displayName": "", + "nextStep": "Send Email 1", + "type": "action", + "versionNumber": 1 + }, + "Get Identity": { + "actionId": "sp:get-identity", + "attributes": { + "id.$": "$.trigger.identity.id" + }, + "nextStep": "Form", + "type": "action", + "versionNumber": 2 + }, + "Get Identity History Snapshots": { + "actionId": "sp:http", + "attributes": { + "authenticationType": "OAuth", + "method": "get", + "oAuthClientId": "%%OAUTH_CLIENT_ID%%", + "oAuthClientSecret": null, + "oAuthCredentialLocation": "oAuthInHeader", + "oAuthTokenUrl": "%%API_URL%%/oauth/token", + "url": "%%API_URL%%/beta/historical-identities/{{$.trigger.identity.id}}/snapshots", + "urlParams": { + "limit": "2" + } + }, + "nextStep": "Get Removed Roles", + "type": "action", + "versionNumber": 2 + }, + "Get Removed Roles": { + "actionId": "sp:http", + "attributes": { + "authenticationType": "OAuth", + "method": "get", + "oAuthClientId": "%%OAUTH_CLIENT_ID%%", + "oAuthClientSecret": null, + "oAuthCredentialLocation": "oAuthInHeader", + "oAuthTokenUrl": "%%API_URL%%/oauth/token", + "url": 
"%%API_URL%%/beta/historical-identities/{{$.trigger.identity.id}}/compare/role?access-associated=false&snapshot1={{$.getIdentityHistorySnapshots.body[1].snapshot}}&snapshot2={{$.getIdentityHistorySnapshots.body[0].snapshot}}", + "urlParams": null + }, + "nextStep": "Any Removed Roles?", + "type": "action", + "versionNumber": 2 + }, + "Loop": { + "actionId": "sp:loop:iterator", + "attributes": { + "context.$": "$.form.formData", + "input.$": "$.getAccess.accessItems", + "start": "Make Role Requestable", + "steps": { + "Define Days Variable": { + "attributes": { + "id": "sp:define-variable", + "variables": [ + { + "description": "", + "name": "Number of Days", + "transforms": [ + { + "id": "sp:transform:concatenate:string", + "input": { + "variableB": "d" + } + } + ], + "variableA.$": "$.loop.context.numberOfDays" + } + ] + }, + "nextStep": "Get Access to Extend", + "type": "Mutation" + }, + "End Step — Loop Success": { + "description": "No Failed Access Requests Present in the response.", + "type": "success" + }, + "Extend Access": { + "actionId": "sp:access:manage", + "attributes": { + "addIdentities.$": "$.loop.context.identityId", + "comments": "Access To Old Role Is being Extended for {{$.loop.context.numberOfDays}} Days", + "removeDuration.$": "$.defineDaysVariable.numberOfDays", + "removeIdentity.$": "$.trigger.identity.id", + "requestType": "GRANT_ACCESS", + "requestedItems.$": "$.getAccessToExtend.accessItems[*]" + }, + "displayName": "", + "nextStep": "Make Role Unrequestable", + "type": "action", + "versionNumber": 1 + }, + "Get Access to Extend": { + "actionId": "sp:access:get", + "attributes": { + "accessprofiles": false, + "entitlements": false, + "getAccessBy": "searchQuery", + "query": "id: {{$.loop.loopInput.id}}", + "roles": true + }, + "nextStep": "Extend Access", + "type": "action", + "versionNumber": 1 + }, + "Make Role Requestable": { + "actionId": "sp:http", + "attributes": { + "authenticationType": "OAuth", + "jsonPatchRequestBody": [ + { + 
"op": "replace", + "path": "/requestable", + "value": true + } + ], + "method": "patch", + "oAuthClientId": "%%OAUTH_CLIENT_ID%%", + "oAuthClientSecret": null, + "oAuthCredentialLocation": "oAuthInHeader", + "oAuthTokenUrl": "%%API_URL%%/oauth/token", + "requestContentType": "json-patch+json", + "url": "%%API_URL%%/beta/roles/{{$.loop.loopInput.id}}", + "urlParams": null + }, + "displayName": "", + "nextStep": "Define Days Variable", + "type": "action", + "versionNumber": 2 + }, + "Make Role Unrequestable": { + "actionId": "sp:http", + "attributes": { + "authenticationType": "OAuth", + "jsonPatchRequestBody": [ + { + "op": "replace", + "path": "/requestable", + "value": false + } + ], + "method": "patch", + "oAuthClientId": "%%OAUTH_CLIENT_ID%%", + "oAuthClientSecret": null, + "oAuthCredentialLocation": "oAuthInHeader", + "oAuthTokenUrl": "%%API_URL%%/oauth/token", + "requestContentType": "json-patch+json", + "url": "%%API_URL%%/beta/roles/{{$.loop.loopInput.id}}", + "urlParams": null + }, + "displayName": "", + "nextStep": "Verify Data Type", + "type": "action", + "versionNumber": 2 + }, + "Send Email": { + "actionId": "sp:send-email", + "attributes": { + "body": "$.extendAccess.failedAccessRequests", + "context": {}, + "recipientEmailList": [ + "%%ADMIN_EMAIL%%" + ], + "subject": "Failed Role Extension" + }, + "displayName": "", + "nextStep": "End Step — Loop Success", + "type": "action", + "versionNumber": 2 + }, + "Verify Data Type": { + "choiceList": [ + { + "comparator": "IsPresent", + "nextStep": "Send Email", + "variableA.$": "$.extendAccess.failedAccessRequests" + } + ], + "defaultStep": "End Step — Loop Success", + "description": null, + "type": "choice" + } + } + }, + "description": null, + "displayName": "", + "nextStep": "End Step - Success", + "type": "action", + "versionNumber": 1 + }, + "Send Email 1": { + "actionId": "sp:send-email", + "attributes": { + "body": "

Hello {{$.getIdentity.attributes.firstname}},

\n\n

Your manager, {{$.getIdentity.managerRef.name}}, has approved an extension of the access roles listed below for a period of {{$.form.formData.numberOfDays}} days, to allow you to complete any lingering deliverables.

The following roles have been extended:

{{$.getAccess.accessItems[*].name}}.

", + "context": {}, + "from": "IdentitySecurityCloudAdministration@sailpoint.com", + "recipientEmailList.$": "$.getIdentity.emailAddress", + "replyTo.$": "", + "subject": "Extended Role(s) have been approved." + }, + "displayName": "", + "nextStep": "Loop", + "type": "action", + "versionNumber": 2 + } + } + }, + "enabled": true, + "executionCount": 6, + "failureCount": 1, + "trigger": { + "type": "EVENT", + "attributes": { + "filter.$": "$.changes[?(@.attribute == \"jobTitle\" || @.attribute == \"department\")]", + "id": "idn:identity-attributes-changed" + } + } +} \ No newline at end of file
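Review bot: In the Loop's `Extend Access` step the identity that receives the re-granted role comes from manager-submitted form data (`"addIdentities.$": "$.loop.context.identityId"`, i.e. the `identityId` TEXT field), while the identity whose attributes actually changed is already in scope as `$.trigger.identity.id` (the same step uses it for `removeIdentity.$`); the field is prefilled and DISABLEd by a form condition, but that is a UI effect and whether the submitted value is enforced server-side is not visible here, so bind the grant to the trigger instead: `"addIdentities.$": "$.trigger.identity.id"`. Two related gaps in the same loop: `Make Role Requestable` is only reverted by `Make Role Unrequestable` on the straight-line path, and no error branch is visible in the loop's step definitions, so a failure in `Get Access to Extend` or `Extend Access` leaves the birthright role requestable with no compensating step. `Get Access` hardcodes `extendRoles[0]` through `extendRoles[9]` in its search query while the form's `extendRoles` select allows `"maximum": 30`, and the Loop iterates `$.getAccess.accessItems`, so any selections past the tenth are silently never extended. The four `oAuthClientSecret` values are `null` placeholders here, but the README has the operator paste the secret into this file in plaintext before import — keep the filled copy out of version control and scope that OAuth client to only the role-patch and historical-identity read calls these steps make. Separately, `Send Email 1` sets `from` to an `@sailpoint.com` address for a tenant-authored notification; use a sender the tenant controls so the mail is not rejected or treated as spoofed.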