Background:
Access requests to AD groups are currently enabled and working.
I have been advised new AD groups have been created and should be requestable through IIQ but these AD groups cannot allow any more than 100 users in them.
Currently the groups are checked in AD manually:
if they have <100 users, the user is added manually;
if they have =100 users, the user is added to another AD group with the 100-user limit;
this continues.
My Question:
Is it possible through a rule or provisioning policy or workflow condition, to set a capacity limit to an AD group and fail or reject the request if the limit is reached?
Workflow Thoughts:
user requests group access
request is approved or rejected by manager
*provisioning policy/ workflow step/ custom rule checks AD group
if <100 members = continue to provisioning step, if >99 members = reject/fail the request and notify user
It would be great to make an entitlement automatically unrequestable once the AD group gets to the member limit, but I can’t picture how that could be done.
Looking for preventative over reactive solutions please.
You can schedule a task to run periodically (e.g., every two hours) to retrieve the member count for each group in the Active Directory application. This data will be based on the data stored in IIQ, not in AD. Use a database query to locate each group and then store that count as an extended attribute on the entitlement. Within the same rule, if any group reaches 99 members, mark it as non-requestable.
Note: In some cases, the actual member count in Active Directory could exceed 99, but due to the aggregation schedule not yet updating SailPoint IIQ, the member count in IIQ may be out of date and lead to an inaccurate match.
Consequently, on the request side, any group with 99 members will automatically be unrequestable, effectively resolving your issue.
From a user experience perspective, it’s more proactive to mark these groups as non-requestable rather than terminating the request after submission, especially if your goal is a preventative measure. This approach also helps reduce the number of terminated requests. However, it can be frustrating for end users who might not understand why they can’t find or request certain groups, as they won’t be aware of the membership limit.
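A worked version of the scheduled-task approach described in this answer, added here as an example; it is not code from the post or from SailPoint. It is written as the body of an IIQ Run Rule task in Beanshell and assumes (none of these come from the thread) an application named "Active Directory", group membership held in the "memberOf" attribute, an extended attribute "memberCount" defined on ManagedAttribute in the ObjectConfig, and a cap of 99 members:

```java
// Added example: body of a scheduled IIQ "Run Rule" task that refreshes a
// member count on each AD group entitlement and flips requestability at the cap.
// Assumptions (not from the thread): application "Active Directory", membership
// attribute "memberOf", extended attribute "memberCount" defined on
// ManagedAttribute in the ObjectConfig, cap of 99 members.
import sailpoint.object.Application;
import sailpoint.object.Filter;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;
import java.util.Iterator;

String appName   = "Active Directory";  // assumption
String groupAttr = "memberOf";          // assumption
String countAttr = "memberCount";       // assumption: extended attribute on ManagedAttribute
int memberCap    = 99;                  // stop new requests once IIQ records this many members

Application app = context.getObjectByName(Application.class, appName);
if (app == null) {
    throw new IllegalStateException("Application not found: " + appName);
}

// Count the IdentityEntitlement rows IIQ holds for one group value. This is the
// aggregated view, so it lags AD by up to one aggregation cycle.
int countMembers(Application app, String attr, String value) {
    QueryOptions qo = new QueryOptions();
    qo.add(Filter.eq("application", app));
    qo.add(Filter.eq("name", attr));
    qo.add(Filter.eq("value", value));
    return context.countObjects(IdentityEntitlement.class, qo);
}

// Fetch only the ids first so that committing inside the loop does not disturb
// an open result cursor.
QueryOptions groupQuery = new QueryOptions();
groupQuery.add(Filter.eq("application", app));
groupQuery.add(Filter.eq("attribute", groupAttr));
Iterator rows = context.search(ManagedAttribute.class, groupQuery, "id");

int disabled = 0;
int reenabled = 0;
while (rows.hasNext()) {
    Object[] row = (Object[]) rows.next();
    ManagedAttribute group = context.getObjectById(ManagedAttribute.class, (String) row[0]);
    if (group == null) {
        continue;
    }

    int members = countMembers(app, groupAttr, group.getValue());
    Object prev = group.getAttribute(countAttr);
    int prevMembers = (prev == null) ? 0 : Util.otoi(prev);

    group.setAttribute(countAttr, Integer.valueOf(members));

    if (members >= memberCap && group.isRequestable()) {
        // At the cap: hide the group from the request UI.
        group.setRequestable(false);
        disabled++;
    } else if (members < memberCap && !group.isRequestable() && prevMembers >= memberCap) {
        // Below the cap again, and it was this task that disabled it (the stored
        // count was at the cap), so re-enable. Groups made unrequestable for
        // other reasons are left alone.
        group.setRequestable(true);
        reenabled++;
    }

    context.saveObject(group);
    context.commitTransaction();
    context.decache(group);
}
Util.flushIterator(rows);

log.info("Member count refresh: " + disabled + " groups made unrequestable, "
         + reenabled + " re-enabled");
return "disabled=" + disabled + ", reenabled=" + reenabled;
```

Because the count comes from IdentityEntitlement rows rather than from AD, schedule this task to run after the AD account aggregation; the stored memberCount is what lets the task tell its own cap-driven changes apart from groups an administrator deliberately made unrequestable.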
If you want to make an entitlement unrequestable, you can implement the logic within the Group Aggregation Refresh Rule. By running the AD group aggregation task daily, the entitlement will automatically become unrequestable once the member count reaches a certain limit. Please refer to the Group Refresh Rule for reference.
import sailpoint.object.Filter;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.QueryOptions;

// Group Refresh Rule: count the IdentityEntitlement rows IIQ holds for this group
// (the aggregated view, which can lag behind AD) and stop new requests at the cap.
int maxMembers = 100;

// Filter properties are relative to the class being searched, so they are
// "application" and "value", not "IdentityEntitlement.application".
QueryOptions options = new QueryOptions();
options.add(Filter.and(
    Filter.eq("application", groupApplication),
    Filter.eq("value", accountGroup.getValue())));

int count = context.countObjects(IdentityEntitlement.class, options);

if (count >= maxMembers) {
    accountGroup.setRequestable(false);
}
return accountGroup;