Hi,
I have a requirement that whenever any user raise an access request for any access profile coming from a webservice source, an AD group / access profile should be assigned to the user first and then the webservice access profile should be assigned once provisioning is successfully completed for AD group.
Is it a standard case and what are common ways to achieve it in sailpoint ISC/IdentityNow?
That would be difficult to achieve with the way SailPoint tends to execute provisioning activities in parallel.
If order didn’t matter, you could create a role that assigns the AD group based on the identity having an account with a specific attribute value in any of those sources.
With this, the AD group might be provisioned prior to the account creation in the web services source, but it might not.
Does the AD group just need to be provisioned before the user can log in? Order of operations may matter less in that circumstance
Not sure these are the best, but here is what I can think of:
First option:
Second:
Inside BeforeOperations rule, create a while loop inside which
Check if user has required AD groups
If yes, exit the while loop
If not,
Submit an Access Request for the AD Group
Approve if required
Sleep for some time
Can you explain the business need , why AD group is required 1st before creation of account? Are these SSO group?
@iamnithesh : your second approach is interesting. can you please point towards any doc’ on how to create access request from beforeOp.
if few seconds does not matter and avoid any custom code or workflow. I would go with @mcheek’s suggestion or expand on it by having something like a birthright role to provision AD ent’ based on webservice account/entitlement assigned to user.
If you want to explore workflow and avoid a new role, have a workflow with trigger Access req Decision and based on the decision, raise a request for AD Group. This almost close to @iamnithesh first option.
Unless there is a mechanism within the target system which would reject or fails the account creation or add ent’ based on users AD group assignment, the above should work. So if you think AD group should absolutely be assigned before WebService source assignment, then pick either of the approaches above and just add wait time before appropriate operation on the webservices beforeOp rule.
As BeforeOperation is a connector rule, you can send an API request from within the rule
Hey,
Thanks all for your inputs, I will check them.
The ask is AD group to be assigned first which is SSO. once this is assigned and provisioned then only access request should start executing for the webservice profiles which are part of an application Sailpoint ISC.
Kind regards,
Aayush
Hi @AsGoyal,
If I were you, I would try @iamnithesh’s first approach using Access Request trigger and submit an access request for the AD group / access item if not assigned to the requestee. This approach gives you the most control.
If you are requesting the SSO AD group earlier, you might want to think about what should happen if the request for the Web Services access item was rejected.
Thanks,
Amar