AD Account Create

Hi all,

Really simple question that I can’t find a definitive answer for:
During the AD account create process, can you add entitlements?

I’m currently using an afterCreate connector rule, but the IQ service is struggling with the number of PS instances that get spun up.
Thanks

Hi @phil_awlings,

ISC's default behavior is to create an account only via access assignment, i.e. your account is created only if your access is being provisioned.

Let me know if there is something specific you are looking for that I am missing.

Thanks

2 Likes

Hi @phil_awlings ,
ISC will create an account whenever there is an access request or automatic role assignment. You can use:

  1. Access request for Access profiles/Roles (with multiple entitlements).
  2. Based on LCS, you can also add access profiles in the identity profile config section to add entitlements on AD.

Hi,
The question is whether ISC can add entitlements during the create process.
I need to add entitlements to an account based upon variables which are identity attributes.
I can’t use Roles/profiles as there are over 12,000 different variations and you can’t use variables in Roles.
I am using the afterCreate rule to spin up a PS script to assign the groups based upon extension attributes.
This works fine for low volumes, but fails when the number hits 20+ instances of PowerShell. I’m expecting 150+ account creates to be happening at any one moment.
The issue is with the scaling. I can increase the specs of the computer (but there is an ongoing cost to that).
If I can use the account Create process to add entitlements at the same time, I bypass the problem.

Is that any clearer? I want to add entitlements to a user, whose naming convention is based upon identity attributes, during the CREATE account process.

NB. I’m still going to have a problem with afterModify spinning up too many instances of PowerShell, but that is a different problem.

Many thanks to @gourab for pointing me in the correct direction:
For future people, you can add entitlements during the create process using identity attributes and transforms as variables:

        {
            "name": "memberOf",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "CN=$value1 $name,OU=Groups,OU=$value1,OU=$type,OU=abc,DC=def,DC=com",
                    "value1": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "name"
                        }
                    },
                    "name": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "name1"
                        }
                    },
                    "type": {
                        "type": "reference",
                        "attributes": {
                            "id": "type"
                        }
                    }
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        }

Just add the above to the CREATE file.

2 Likes
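An offline pre-check for a static transform like the one above, added here as an example and not code from the thread or from SailPoint. It rejects duplicate JSON keys (a variable named `value` would collide with the template key), confirms every `$name` in the template is defined, and previews the resulting group DN with RFC 4514 escaping so a comma in an identity attribute cannot change the DN's structure. The plain `$name` substitution only approximates template rendering, and the variable names `site`, `team`, `kind` and all values are constructed.

```python
import json
import re

# Constructed sample shaped like the posted static transform. The variable names
# (site, team, kind) and every value are hypothetical, not taken from the thread.
SAMPLE = '''{"type": "static", "attributes": {
  "value": "CN=$site $team,OU=Groups,OU=$site,OU=$kind,OU=abc,DC=def,DC=com",
  "site": {"type": "identityAttribute", "attributes": {"name": "site"}},
  "team": {"type": "identityAttribute", "attributes": {"name": "team"}},
  "kind": {"type": "reference", "attributes": {"id": "kind"}}}}'''

def load_strict(text):
    """Parse JSON, rejecting duplicate keys that json.loads would silently overwrite."""
    def hook(pairs):
        keys = [k for k, _ in pairs]
        dupes = sorted({k for k in keys if keys.count(k) > 1})
        if dupes:
            raise ValueError("duplicate keys: " + ", ".join(dupes))
        return dict(pairs)
    return json.loads(text, object_pairs_hook=hook)

def escape_rdn_value(value):
    """Escape a string for use as a DN attribute value (RFC 4514 required set)."""
    out = re.sub(r'([\\,+"<>;])', r'\\\1', value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if len(value) > 1 and out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def render_dn(template, values):
    """Fill $name placeholders with escaped values; KeyError on an undefined name."""
    return re.sub(r"\$([A-Za-z_]\w*)",
                  lambda m: escape_rdn_value(values[m.group(1)]), template)

def rdn_count(dn):
    """Count RDNs, treating backslash-escaped characters as part of a value."""
    return len(re.findall(r"(?:[^\\,]|\\.)+", dn))

def check(transform_json, values):
    """Return the previewed DN, or raise if the transform or the result is malformed."""
    attrs = load_strict(transform_json)["attributes"]
    missing = set(re.findall(r"\$([A-Za-z_]\w*)", attrs["value"])) - set(attrs)
    if missing:
        raise ValueError("template uses undefined variables: " + ", ".join(sorted(missing)))
    dn = render_dn(attrs["value"], values)
    if rdn_count(dn) != rdn_count(attrs["value"]):
        raise ValueError("rendered DN has a different number of RDNs: " + dn)
    return dn
```

Calling `check(SAMPLE, {"site": "London", "team": "Finance, EMEA", "kind": "Staff"})` returns a seven-RDN DN in which the comma inside the team name is escaped.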
