---
title: Role remove workflow example
description: Example workflow for role removal including context checks and auto-deprovisioning capabilities
component: pingoneaic
page_id: pingoneaic:identity-governance:administration/example-role-remove-workflow
canonical_url: https://docs.pingidentity.com/pingoneaic/identity-governance/administration/example-role-remove-workflow.html
keywords: ["workflows", "use cases", "examples", "role remove"]
section_ids:
  assumptions: Assumptions
  example: Example
---

# Role remove workflow example

In this example, an administrator wants to create a workflow that:

* Handles a normal role removal access request.

* Includes a context check for administrator-submitted requests.

* Skips the approval task process and runs auto-approval and auto-deprovisioning scripts if the context check passes.

## Assumptions

* Each role has a role owner.

* Notification settings and email templates exist.

* Make sure to catch any error/failure conditions.

## Example

![An example of a role removal workflow.](../_images/governance-workflow-example-role-removal.png)

* 1 The Script node invokes the APIs and checks the context. If the context is `admin` or `certification`, it skips the manual approval process.

  > **Collapse: Click to display request context check script**
  >
  > ```js
  > var content = execution.getVariables();
  > var requestId = content.get('id');
  > var context = null;
  > var skipApproval = false;
  >
  > try {
  >   var requestObj = openidm.action('iga/governance/requests/' + requestId, 'GET', {}, {});
  >   if (requestObj.request.common.context) {
  >     context = requestObj.request.common.context.type;
  >     if (context === 'admin' || context === 'certification') {
  >       skipApproval = true;
  >     }
  >   }
  > }
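  > catch (e) {
  >   // On any read or parse error, skipApproval stays false, so the request goes through manual approval.
  >   logger.info("Context check failed for request " + requestId + ": " + e.message);
  > }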
  >
  > logger.info("Context: " + context);
  > execution.setVariable("context", context);
  > execution.setVariable("skipApproval", skipApproval);
  > ```

* 2 The Approval node assigns an approval task to users and roles. The node chains tasks in conjunction with a Switch node to implement serial or parallel flows.

  > **Collapse: Click to display the approval task properties**
  >
  > | Item | Description |
  > | --- | --- |
  > | Name | `Approval Task` |
  > | Approvers | Two options are available:<br>- Add users and roles manually, such as `Role Owner`, and define the `Approver` type: Approve, Reject, Forward, Modify, Comment.<br>- Define users using a script: |
  > | Form | Select a form to present to the reviewer:<br>- Dynamic form selection. This selection is typically used for basic out-of-the-box workflows, like `BasicApplicationGrant` and others.<br>- Choose a form. This selection is typically used for custom request type forms. |
  > | Expiration Settings | Options are:<br>- Reject request<br>- Reassign request<br>- Do nothing |
  > | Notification Settings | Options are:<br>- Assignment notification and email templates, such as `requestAssigned`.<br>- Reassignment notification and email templates, such as `requestReassigned`.<br>- Assignee reminders and email templates, such as `requestReminder`. Sends every number of time periods, such as `3 day(s)`.<br>- Escalation notifications and email templates, such as `requestEscalated`. Send every number of day(s), such as `5 day(s)`. Send to `Send escalation to` to `User`, and select `User`.<br>- Expiration notification and email templates, such as `requestExpired`. Send the notification on the configured number of days before expiration. |

* 3 Invokes the auto-approval script if `skipApproval` is true.

  > **Collapse: Click to display auto-approval script**
  >
  > ```js
  > var content = execution.getVariables();
  > var requestId = content.get('id');
  > var context = content.get('context');
  > var queryParams = {
  >   "_action": "update"
  > }
  >
  > try {
  >   var decision = {
  >       "decision": "approved",
  >       "comment": "Request auto-approved due to request context: " + context
  >   }
  >   openidm.action('iga/governance/requests/' + requestId, 'POST', decision, queryParams);
  > }
  > catch (e) {
  >   var failureReason = "Failure updating decision on request. Error message: " + e.message;
  >   var update = {'comment': failureReason, 'failure': true};
  >   openidm.action('iga/governance/requests/' + requestId, 'POST', update, queryParams);
  > }
  > ```

* 4 Runs a `RejectRequest` script when the `Approval Task` node returns `reject`.

  > **Collapse: Click to display the `RejectRequest` script**
  >
  > ```js
  > logger.info("Rejecting request");
  >
  > var content = execution.getVariables();
  > var requestId = content.get('id');
  >
  > logger.info("Execution Content: " + content);
  > var requestIndex = openidm.action('iga/governance/requests/' + requestId, 'GET', {}, {});
  > var decision = {'outcome': 'denied', 'status': 'complete', 'decision': 'rejected'};
  > var queryParams = { '_action': 'update'};
  > openidm.action('iga/governance/requests/' + requestId, 'POST', decision, queryParams);
  > ```

* 5 Runs the auto-deprovisioning script.

  > **Collapse: Click to display the auto deprovisioning script**
  >
  > ```js
  > logger.info("Auto-Deprovisioning");
  >
  > var content = execution.getVariables();
  > var requestId = content.get('id');
  > var failureReason = null;
  >
  > try {
  >   var requestObj = openidm.action('iga/governance/requests/' + requestId, 'GET', {}, {});
  >   logger.info("requestObj: " + requestObj);
  > }
  > catch (e) {
  >   failureReason = "Deprovisioning failed: Error reading request with id " + requestId;
  > }
  >
  > if(!failureReason) {
  >   try {
  >     var request = requestObj.request;
  >     var payload = {
  >       "roleId": request.common.roleId,
  >       "startDate": request.common.startDate,
  >       "endDate": request.common.endDate,
  >       "auditContext": {},
  >       "grantType": "request"
  >     };
  >     var queryParams = {
  >       "_action": "remove"
  >     }
  >
  >     var result = openidm.action('iga/governance/user/' + request.common.userId + '/roles' , 'POST', payload,queryParams);
  >   }
  >   catch (e) {
  >     failureReason = "Deprovisioning failed: Error deprovisioning role to user " + request.common.userId + " for role " + request.common.roleId + ". Error message: " + e.message;
  >   }
  >
  >   var decision = {'status': 'complete', 'decision': 'approved'};
  >   if (failureReason) {
  >     decision.outcome = 'not provisioned';
  >     decision.comment = failureReason;
  >     decision.failure = true;
  >   }
  >   else {
  >     decision.outcome = 'provisioned';
  >   }
  >
  >   var queryParams = { '_action': 'update'};
  >   openidm.action('iga/governance/requests/' + requestId, 'POST', decision, queryParams);
  >   logger.info("Request " + requestId + " completed.");
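  > }
  > else {
  >   // The request could not be read; record the reason in the log so the failure is not silent.
  >   logger.info(failureReason);
  > }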
  > ```
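
The context check in step 1 decides whether a request bypasses manual approval, so it is worth confirming how it behaves on unexpected input. The following added example (not part of the original page and not Ping Identity's code) runs the same logic against local stubs for `execution`, `openidm` and `logger`; the request ID and the response bodies are constructed.

```javascript
// Added example, not Ping Identity code. `openidm`, `execution` and `logger`
// are local stubs; the request ID and response bodies are constructed.
function makeStubs(response) {
  const vars = new Map([['id', 'req-1']]);
  return {
    execution: {
      getVariables: () => ({ get: (k) => vars.get(k) }),
      setVariable: (k, v) => vars.set(k, v),
    },
    // Same call shape as on the page: action(resource, method, body, params).
    openidm: { action: () => { if (response instanceof Error) throw response; return response; } },
    logger: { info: () => {} },
  };
}

// Step 1 logic wrapped in a function so each case can be run in isolation.
function runContextCheck({ execution, openidm, logger }) {
  const requestId = execution.getVariables().get('id');
  let context = null;
  let skipApproval = false; // default keeps manual approval in the path
  try {
    const requestObj = openidm.action('iga/governance/requests/' + requestId, 'GET', {}, {});
    if (requestObj.request.common.context) {
      context = requestObj.request.common.context.type;
      skipApproval = context === 'admin' || context === 'certification';
    }
  } catch (e) {
    logger.info('Context check failed; manual approval required: ' + e.message);
  }
  execution.setVariable('context', context);
  execution.setVariable('skipApproval', skipApproval);
  return { context, skipApproval };
}

const withContext = (type) => ({ request: { common: { context: { type } } } });
// Returns the skipApproval decision for each constructed case.
function decisionTable() {
  const cases = {
    admin: withContext('admin'),
    certification: withContext('certification'),
    wrongCase: withContext('Admin'),        // comparison is exact-match
    noContext: { request: { common: {} } }, // context field absent
    malformed: {},                          // response without `request`
    apiError: new Error('404 Not Found'),   // read failure
  };
  const run = ([name, resp]) => [name, runContextCheck(makeStubs(resp)).skipApproval];
  return Object.fromEntries(Object.entries(cases).map(run));
}
console.log(decisionTable());
```

Only the two exact context values skip approval; a missing context, a malformed response, or a failed read all leave `skipApproval` false, so the request takes the manual approval path.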

Download the JSON file for this workflow [here](../_attachments/workflows/workflowUIRoleRemoveWorkflowExample.json). Learn more about how to import or export workflows in [workflow editor canvas](workflow-configure.html#orch-ui-canvas).
