Active Directory OU Change AC_NewParent Business and IT Roles Issues

I am having a strange issue with IdentityIQ and deprovisioning.

I am using an API call to launch a workflow where I am running a series of steps. In those steps, I have a plan based on information received from the API call to disable the Active Directory account and move it to a disabled OU. When this happens, I set the Inactive attribute to true. The Active Directory account moves as expected and is also disabled. The problem, though, is that my business roles get unassigned (even though the provisioning target says to retain them). That leaves the identity with the IT roles still on the entitlements tab and the corresponding direct entitlements (AD security groups) still on the account and identity. The business roles have the IT roles as required, so I would expect that if the identity loses the business roles, the IT roles would be deprovisioned.

I ran another test where I use the same workflow to disable the user, but this time I don't move the user and just ensure the Inactive attribute is true. Again the workflow disables the AD account, but this time the business roles STAY. I was originally thinking that there was a process running during the workflow that reevaluates the assignment rule (inside of it, it returns false if the identity is inactive). That isn't the case, though, because the business roles get dropped when the user moves, but stay when the user just gets disabled and not moved.

I have even tried running the Refresh Identity step in my workflow BEFORE the provisioning to Active Directory, but it doesn't seem to be triggered (maybe another problem).

Has anyone seen this before? It is very confusing.

Hi @barnyak10

In your workflow, are you first removing roles before moving accounts to the disabled OU? If not, try to remove the roles first and then move the accounts to the disabled OU.

When moving a user to a different OU the DN of the user object will change. I would dare to guess that what you are seeing has something to do with that.

Looking at one of my environments I see the DN being used in the roleAssignments in the Identity object for roles with AD entitlements.

Not enough information to get much deeper into it, but just an idea that hopefully can point in the right direction

Hi @robbe_deneef

Can you provide more details about how the business roles are assigned to the identity? Is it a birthright role assigned through match criteria, or was it assigned manually via an access request?

In the first case, if the business roles were assigned via match criteria, you will need to launch a refresh task with the options "Refresh assigned, detected roles and promote additional entitlements" and "Provision assignments" to reevaluate the roles on the identity.

In the second case, if the business role was assigned manually, you will need to remove it manually. In this case, if you are using a workflow, you can include the following code to remove these roles via a rule:

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.api.Provisioner;

// brName: name of the business role to remove; identityName: name of the identity.
// Both are expected to be passed into the rule as arguments.
if (brName != null && !brName.equals("")) {
	Bundle bundle = context.getObjectByName(Bundle.class, brName);
	Identity identity = context.getObjectByName(Identity.class, identityName);

	if (bundle != null && identity != null) {
		// The plan must carry the identity; the Provisioner resolves the
		// assignment against it.
		ProvisioningPlan plan = new ProvisioningPlan();
		plan.setIdentity(identity);

		// Modify the identity's IIQ "account" and remove the role from assignedRoles
		AccountRequest acctReq = new AccountRequest();
		acctReq.setApplication(ProvisioningPlan.APP_IIQ);
		acctReq.setNativeIdentity(identityName);
		acctReq.setOperation(AccountRequest.Operation.Modify);

		AttributeRequest attrReq = new AttributeRequest();
		attrReq.setName(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES);
		attrReq.setOperation(ProvisioningPlan.Operation.Remove);
		attrReq.setValue(brName);
		acctReq.add(attrReq);
		plan.add(acctReq);

		// The Bundle was only needed to validate the name; release it from the cache
		context.decache(bundle);

		Provisioner provisioner = new Provisioner(context);
		provisioner.execute(plan);
	}
}
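To make the ordering suggested earlier in the thread concrete, here is an added example (not code posted by anyone in this thread) of a workflow step rule that first removes the business role through an IIQ plan and only afterwards disables the AD account and moves it with AC_NewParent in a second plan. The workflow variable names (identityName, brName), the application name "Active Directory" and the disabled OU DN are placeholders you would replace with your own values.

```java
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.api.Provisioner;

// Assumed workflow variables: identityName (Identity name) and brName (business role name).
String adAppName  = "Active Directory";                       // assumed application name
String disabledOu = "OU=Disabled Users,DC=example,DC=com";    // assumed target OU (placeholder)

Identity identity = context.getObjectByName(Identity.class, identityName);
if (identity == null) {
    throw new IllegalStateException("No identity named " + identityName);
}

Provisioner provisioner = new Provisioner(context);

// Step 1: remove the business role assignment in IIQ before touching AD.
// The required IT role and its AD group memberships are deprovisioned
// as part of compiling this plan.
ProvisioningPlan rolePlan = new ProvisioningPlan();
rolePlan.setIdentity(identity);

AccountRequest iiqReq = new AccountRequest();
iiqReq.setApplication(ProvisioningPlan.APP_IIQ);
iiqReq.setNativeIdentity(identity.getName());
iiqReq.setOperation(AccountRequest.Operation.Modify);
iiqReq.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
                                ProvisioningPlan.Operation.Remove, brName));
rolePlan.add(iiqReq);

provisioner.execute(rolePlan);

// Step 2: disable the AD account and move it. The DN is read from the Link
// before the move so the requests target the object at its current location.
Application adApp = context.getObjectByName(Application.class, adAppName);
List adLinks = identity.getLinks(adApp);
if (adLinks == null || adLinks.isEmpty()) {
    throw new IllegalStateException(identityName + " has no " + adAppName + " account");
}
Link adLink = (Link) adLinks.get(0);
String currentDn = adLink.getNativeIdentity();

ProvisioningPlan adPlan = new ProvisioningPlan();
adPlan.setIdentity(identity);

// Disable the account
AccountRequest disableReq = new AccountRequest();
disableReq.setApplication(adAppName);
disableReq.setNativeIdentity(currentDn);
disableReq.setOperation(AccountRequest.Operation.Disable);
adPlan.add(disableReq);

// Move the account: AC_NewParent is the AD connector's attribute for the target OU
AccountRequest moveReq = new AccountRequest();
moveReq.setApplication(adAppName);
moveReq.setNativeIdentity(currentDn);
moveReq.setOperation(AccountRequest.Operation.Modify);
moveReq.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, disabledOu));
adPlan.add(moveReq);

provisioner.execute(adPlan);
```

After the step runs, a quick way to confirm the order had the intended effect is to open the Identity object's XML and compare the roleAssignments and the AD Link's nativeIdentity before and after: the role assignment should be gone and the Link should show the new DN under the disabled OU.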

@barnyak10,
I am also curious what the assignment rule is.
