mgrant
(Marvin Grant)
March 6, 2025, 1:32am
1
Hi Team,
I hope this message finds you well. I need assistance with updating a few cloud rules, and I'm unsure where to start.
Requirements:
- LCS Rule: I need to add an AC_NewParent for when an identity is manually moved to the emailHoldLCS.
- Admin Accounts: For admin accounts that begin with admin+samaccountname, I would like them to move to the respective OU when a user with an admin account transitions into the LOA LCS or terminated LCS.
- Termination Date: When a user moves to the terminated LCS, I need the termination date added to the accountexpires attribute in Active Directory for the regular account and the admin account if they have one.
I understand that both rules need to reflect these changes, but I’m a bit stuck on where to begin.
Any help is greatly appreciated.
Here’s what I have so far:
BP RUle logic snippets.txt (2.5 KB)
DRAFT updated LCS.txt (3.7 KB)
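A worked example added here for the Termination Date requirement (this is not code from the original post, from the attached drafts, or from SailPoint): whatever writes the date, whether a rule or an update provisioning policy, has to produce the value AD actually stores in accountExpires, which is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) rather than a date string, and 0 or 2^63-1 means "never expires". The helpers below encode a termination date the way AD Users and Computers does for "End of: <date>" (local midnight at the start of the following day), decode a value read back from AD for verification, and tell you whether AD would already treat the account as expired. The ISO date strings, the "YYYY-MM-DD" input format and the UTC default are assumptions for the example.

```python
# Added example: AD accountExpires encoding/decoding for a termination date.
# Not from the thread or from SailPoint; date formats below are assumptions.
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

# AD stores accountExpires as a Windows FILETIME: a 64-bit count of
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Either of these values means "account never expires".
NEVER_EXPIRES = (0, 0x7FFF_FFFF_FFFF_FFFF)


def _as_datetime(when: Union[datetime, str]) -> datetime:
    """Accept a timezone-aware datetime or an ISO-8601 string with offset."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return when.astimezone(timezone.utc)


def to_account_expires(when: Union[datetime, str]) -> int:
    """Encode a point in time as an accountExpires integer."""
    delta = _as_datetime(when) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_account_expires(value: Union[int, str]) -> Optional[datetime]:
    """Decode accountExpires (int, or the decimal string LDAP returns) to UTC.

    Returns None for the two "never expires" sentinels.
    """
    value = int(value)
    if value in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def termination_to_account_expires(termination_date: str, tz=timezone.utc) -> int:
    """accountExpires for a 'YYYY-MM-DD' termination date (assumed input format).

    Mirrors what AD Users and Computers does for "End of: <date>": the account
    expires at local midnight at the start of the following day, so the user
    keeps access for the whole of their last day.
    """
    last_day = datetime.strptime(termination_date, "%Y-%m-%d").replace(tzinfo=tz)
    return to_account_expires(last_day + timedelta(days=1))


def is_expired(account_expires: Union[int, str], now: Union[datetime, str]) -> bool:
    """True if AD would treat the account as expired at 'now'."""
    value = int(account_expires)
    if value in NEVER_EXPIRES:
        return False
    return to_account_expires(now) >= value


if __name__ == "__main__":
    # Constructed sample: user terminated on 2025-03-06.
    value = termination_to_account_expires("2025-03-06")
    print("accountExpires to write:", value)
    print("reads back as:", from_account_expires(value).isoformat())
    print("expired on last day?", is_expired(value, "2025-03-06T17:00:00+00:00"))
    print("expired next morning?", is_expired(value, "2025-03-07T08:00:00+00:00"))
```

After the policy or rule has run, compare `from_account_expires(<value read from AD>)` against the identity's termination date for both the regular account and the admin account; a value that decodes to 1601-01-01 or to None means the attribute was never written or was cleared.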
KRM7
(Krishna Mummadi)
March 6, 2025, 8:54am
2
Hi Marvin,
You don’t need Rules for this, you can make use of Update Provisioning Policy.
Check below posts for more information.
Transform in AD Update Provisioning Policy - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
Hi Experts,
We have a BeforeProvisioning rule where we are setting the AC_NewParent AttributeRequest for the disabled user. This works perfectly fine when the LCS of the user is updated, and the user is moved to the disabled OU as expected. However, the account is not disabled, although we have the following configuration set on the Identity Profile:
Any ideas why this is so?
Looking forward to your inputs!
Thanks,
Tamalika
– Krish
1 Like
mgrant
(Marvin Grant)
March 10, 2025, 4:14pm
3
Hi Krishna,
Thanks for chiming in - so this update provisioning policy would not affect the current rule - no need to add this to the rule?
KRM7
(Krishna Mummadi)
March 10, 2025, 4:25pm
4
There won't be any impact on the Before Provisioning Rule if you already have one, but you need to check what it currently has. If there is nothing about AC_NewParent in the Before Provisioning Rule, you have nothing to worry about.
mgrant
(Marvin Grant)
March 10, 2025, 5:59pm
5
Looks like I am referencing it in my BP Rule:

```java
// Imports this snippet relies on (the posted snippet omitted them).
import java.util.Date;
import java.util.List;
import java.text.SimpleDateFormat;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Helpers called below (addAttributeToAccountRequestArguments, getAttributeRequest,
// newAttributeRequest, calculateActiveOU, getInitialPassword, getRandomGeneratedString)
// are defined elsewhere in the rule and were not included in the post.

String nonEmployeeLast4SSN = "";
String employeeId = "";
String adMailNickName = "";

// Target OUs (DNs masked as in the original post).
String terminatedOu = null;
String employeeOu = null;
String Ou = null;
String consultantOu = null;
String agencyWorkerOu = null;

String currentLcs = null;
Object lastFourDigit = null;
Object employeeType = null;
String firstname = null;
String lastname = null;
Object calculatedOu = null;
String nativeIdentity = null;

if (plan != null) {
    if (identity != null) {
        terminatedOu = "OU=Deprovisioned,OU=Users,OU=Managed Objects,OU=SandBox,DC=,DC=";
        employeeOu = "OU=,OU=Users,OU=Managed Objects,OU=SandBox,DC=,DC=";
        Ou = "OU=,OU=,OU=Users,OU=Managed Objects,OU=Sandbox,DC=,DC=";
        consultantOu = "OU=NonEmployees,OU=,OU=Users,OU=Managed Objects,OU=SandBox,DC=,DC=";
        agencyWorkerOu = "OU=NonEmployees,OU=,OU=Users,OU=Managed Objects,OU=SandBox,DC=,DC=";

        currentLcs = (String) identity.getAttribute("cloudLifecycleState");
        lastFourDigit = identity.getAttribute("lastFourDigit");
        employeeType = identity.getAttribute("employeeType");
        firstname = identity.getStringAttribute("firstname");
        lastname = identity.getStringAttribute("lastname");
        // OU computed by the transform behind the "adoulocation" identity attribute.
        calculatedOu = identity.getAttribute("adoulocation");
    }

    // If the plan is not null, walk its account requests.
    List accountRequests = plan.getAccountRequests();

    if (accountRequests != null) {
        for (AccountRequest accountRequest : accountRequests) {
            AccountRequest.Operation op = accountRequest.getOperation();
            log.debug("Nchs AD Provisioning Rule: currentLcs state: " + currentLcs);
            nativeIdentity = accountRequest.getNativeIdentity();

            // Guarded: identity can be null here, which the original code did not handle.
            String samaccountname = (identity != null) ? identity.getStringAttribute("adloginid") : null;
            if (samaccountname == null && accountRequest.getAttributeRequest("sAMAccountName") != null) {
                samaccountname = (String) accountRequest.getAttributeRequest("sAMAccountName").getValue();
            }

            // Store it on the arguments of the account request for connector after rules.
            if (samaccountname != null && !samaccountname.isEmpty()) {
                addAttributeToAccountRequestArguments(accountRequest, "samaccountname", samaccountname);
            }

            // Request Email (memberOf handling was left empty in the posted snippet).
            if ((AccountRequest.Operation.Create == op || AccountRequest.Operation.Modify == op)
                    && ("".equalsIgnoreCase(currentLcs) || "active".equalsIgnoreCase(currentLcs) || "prehire".equalsIgnoreCase(currentLcs))) {
                AttributeRequest memberOfReq = accountRequest.getAttributeRequest("memberOf");
            }

            // CREATE: place the new account in the OU for its employee type.
            if ((AccountRequest.Operation.Create == op)
                    && ("".equalsIgnoreCase(currentLcs) || "active".equalsIgnoreCase(currentLcs) || "prehire".equalsIgnoreCase(currentLcs))) {
                accountRequest.add(getAttributeRequest("AC_NewParent", calculateActiveOU(accountRequest, employeeType)));
                // Computed but not applied to the request in the posted snippet.
                String password = getInitialPassword(firstname, lastname, lastFourDigit);
            }

            // MODIFY (memberOf handling was left empty in the posted snippet).
            if (op != null && AccountRequest.Operation.Modify.equals(op)) {
                AttributeRequest memberOfReq = accountRequest.getAttributeRequest("memberOf");
            }

            // Move OU when employeeType changes to Employee.
            if ("active".equalsIgnoreCase(currentLcs) && AccountRequest.Operation.Modify.equals(op)) {
                AttributeRequest employeeTypeReq = accountRequest.getAttributeRequest("employeeType");
                if (employeeTypeReq != null && employeeTypeReq.getValue() != null
                        && employeeTypeReq.getValue().toString().equalsIgnoreCase("Employee")) {
                    log.info(" AD Before Provisioning change OU");
                    accountRequest.add(newAttributeRequest("AC_NewParent", calculatedOu));
                }
            }

            // ENABLE: rehire, move back to the calculated OU.
            if (op != null && AccountRequest.Operation.Enable.equals(op)) {
                log.info(" AD Before Provisioning change OU Rehire");
                accountRequest.add(newAttributeRequest("AC_NewParent", calculatedOu));
            }

            // DISABLE: move to the deprovisioned OU, stamp the description, scramble the password.
            if (op != null && AccountRequest.Operation.Disable.equals(op)) {
                // Read but unused in the posted snippet.
                Object currentGroups = idn.getRawAccountAttribute(accountRequest.getApplicationName(), accountRequest.getNativeIdentity(), "memberOf");

                accountRequest.add(newAttributeRequest("AC_NewParent", terminatedOu));

                // Set termination date in the description.
                Date date = new Date();
                SimpleDateFormat descriptionDateFormatter = new SimpleDateFormat("MM/dd/yyyy HH:mm:ss");
                String descriptionDate = descriptionDateFormatter.format(date);
                accountRequest.add(newAttributeRequest("description", "Deprovisioned on " + descriptionDate + " by \\svc_IQService"));

                // Scramble the password.
                String scrambledPassword = getRandomGeneratedString();
                accountRequest.add(newAttributeRequest("password", scrambledPassword));
            }
        }
    }
    log.info(" AD Provisioning Rule is complete");
}
```
KRM7
(Krishna Mummadi)
March 10, 2025, 9:24pm
6
Please mask the sensitive data when you post in the forum.
I see that there is an identity attribute, adoulocation, which holds the OU calculation; you need to check the transform used there.
system
(system)
Closed
May 9, 2025, 9:25pm
7
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.