I’m working on an Identity Security Cloud (ISC) implementation and need help creating a solution for the following requirement:
I need to prevent users from having more than one Active Directory group whose name contains the word “Google”.
If a user requests more than one group with “Google” in the name, only one should be assigned, and the others should be ignored.
In addition, if the user already has a “Google” group assigned, it should be removed, keeping only the latest one requested.
This logic needs to work for both Access Profile and Role requests.
What I’ve tried so far:
I attempted to implement this logic using a Before Provisioning Rule.
However, when the user requests multiple “Google” accesses that belong to different Access Profiles, ISC generates a separate Provisioning Plan for each request.
Because of this, within the Before Provisioning Rule I cannot see all the “Google” groups in a consolidated way within the same plan, making it difficult to enforce the rule of keeping only one group.
Thanks in advance for any insights or examples that could help!
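To make the per-plan part of the requirement concrete, here is an added example (not code from this post or from SailPoint) that models, in plain Python, what a Before Provisioning Rule would do with one plan: keep only the last requested "Google" group, drop the other requested ones, and queue removals for "Google" groups the account already holds. The `memberOf` attribute name, the `AttributeRequest` class and the group DNs are assumptions for the model.

```python
from dataclasses import dataclass

MEMBER_OF = "memberOf"   # assumption: the AD group attribute targeted by the plan
MARKER = "google"        # substring that identifies an exclusive group (case-insensitive)

@dataclass
class AttributeRequest:
    """Minimal stand-in for a plan attribute request: attribute name, operation, value."""
    name: str
    op: str      # "Add" or "Remove"
    value: str

def is_google_group(group_dn: str) -> bool:
    """True when 'Google' appears anywhere in the group name/DN."""
    return MARKER in group_dn.lower()

def enforce_single_google_group(current_groups, requests):
    """Rewrite one plan's attribute requests so at most one Google group survives.

    current_groups: group DNs the AD account already holds (from the account link).
    requests: the plan's attribute requests, in request order.
    The last requested Google group wins; other requested Google groups are ignored,
    and Google groups already held by the account get a Remove request.
    """
    google_adds = [r.value for r in requests
                   if r.name == MEMBER_OF and r.op == "Add" and is_google_group(r.value)]
    if not google_adds:
        return list(requests)          # nothing to enforce in this plan
    keep = google_adds[-1]
    rewritten = []
    for r in requests:
        if r.name == MEMBER_OF and r.op == "Add" and is_google_group(r.value) and r.value != keep:
            continue                   # extra Google group requested: ignore it
        rewritten.append(r)
    already_removed = {r.value for r in rewritten if r.name == MEMBER_OF and r.op == "Remove"}
    for g in current_groups:
        if is_google_group(g) and g != keep and g not in already_removed:
            rewritten.append(AttributeRequest(MEMBER_OF, "Remove", g))
    return rewritten

# Constructed sample: account already in Google-Drive; one plan asks for two Google groups and one other.
CURRENT = ["CN=Google-Drive,OU=Groups,DC=example,DC=com", "CN=Finance,OU=Groups,DC=example,DC=com"]
PLAN = [
    AttributeRequest(MEMBER_OF, "Add", "CN=Google-Mail,OU=Groups,DC=example,DC=com"),
    AttributeRequest(MEMBER_OF, "Add", "CN=Google-Calendar,OU=Groups,DC=example,DC=com"),
    AttributeRequest(MEMBER_OF, "Add", "CN=Developers,OU=Groups,DC=example,DC=com"),
]

if __name__ == "__main__":
    for r in enforce_single_google_group(CURRENT, PLAN):
        print(r.op, r.value)
```

This only consolidates within a single plan; when ISC splits the request into one plan per Access Profile, each plan sees only its own Google group, which is exactly the gap described above.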
You could potentially handle this by introducing a delimited file source that tracks whether a user already has a “Google” AD group. For example, the source could contain fields like userID and a hasGoogleGroup flag.
Here’s how this might work in practice:
If a user is assigned a single “Google” AD group, a workflow could update the account attribute, which in turn updates an identity attribute in ISC.
That identity attribute can then be leveraged in segmentation policies to prevent “Google” groups from being available for further requests.
I’d also look into adding metadata attributes on the Roles and Access Profiles to indicate exclusivity. That way the same workflow logic could scale to other scenarios where you only want one access type at a time.
On top of that, I’d consider whether you can enforce some kind of preventative measure on the Active Directory side, just in case something slips through.
This is just a rough idea, but it could give you a framework for enforcing the “only one Google group” rule while also leaving room for broader exclusivity use cases.