AD account delete after 90 days of termination

I have a use case to delete an AD account 90 days after termination. I have explored the developer community and discussion forum and found that this could be achieved only by

  1. running a script in IQService
  2. using a Before Provisioning rule

but I have not found the exact way / process that could help with this. Can anyone share any resource or link for it?

Thank you

Hi @amulpuru,

There are a few ways you can achieve this - 1 way is to use a Transform to calculate all your LifecycleStates and include a new one called ‘Delete’. Here is an example of the flow:

  1. Identity is terminated. LifecycleState changes to ‘inactive’ = AD Account is disabled accordingly.
  2. 90 days have passed and the Identity is still inactive. LifecycleState changes to ‘delete’ (Using the Transform) = You then configure the LifecycleState to Enable the AD Account, but within a BeforeProvisioningRule, you change the operation from ‘Enable’ to ‘Delete’ and the connector will handle this out of the box.

Hope this helps.

5 Likes

Hi @kyle1 ,

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Turn every Enable request in the plan into a Delete request
for ( AccountRequest accountRequest : plan.getAccountRequests() ) {
  if ( accountRequest.getOp().equals( ProvisioningPlan.ObjectOperation.Enable ) ) {
    accountRequest.setOp( ProvisioningPlan.ObjectOperation.Delete );
  }
}

Does this BeforeProvisioning rule solve my issue?

1 Like

As Kyle mentioned, you will need to make a lifecycle state for deleted. While you can write your own Before Provisioning Rule, you can use the Services Standard Before Provisioning Rule. Once you install the rule into the tenant, you can add to your AD configuration to change the enable operation from the lifecycle state into a delete. In addition, there are a lot of other things that you can do with the Services Standard rule such as scrambling passwords and removing entitlements.

You can find the readme and the rule in the supporting documents section of the Mock Project.

https://community.sailpoint.com/t5/Working-With-Services-Knowledge/IdentityNow-Mock-Project/ta-p/208216

Alicia

2 Likes

Avinash,

While your rule will change the operation from Enable to Delete, it will change the operation for all “Enable” operations. For example, if you have a re-joiner who comes back in 30 days, the account would be deleted. You will need another component in your if statement.

Alicia

3 Likes

Got it, thank you @agutschow

1 Like

Hi @agutschow @kyle1

I have updated the if component and I have a doubt regarding this:

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

for ( AccountRequest accountRequest : plan.getAccountRequests() ) {
  // Only convert an Enable when the identity is in the 'Delete' lifecycle state
  if ( accountRequest.getOp().equals( ProvisioningPlan.ObjectOperation.Enable )
       && "Delete".equals( plan.getIdentity().getAttribute( "cloudLifecycleState" ) ) ) {
    accountRequest.setOp( ProvisioningPlan.ObjectOperation.Delete );
  }
}

I'm only able to get the identity attribute of the Identity using the plan. What if the plan consists of multiple identities, will it work?
I have tested in IIQ and it is getting only the last identity's lifecycleState if the plan has multiple identities,
and I have also tried AccountRequest.getArguments(), but I'm getting a null value; that's why I chose the plan.getIdentity().getAttribute() method.

Thanks in Advance

avi

One plan refers to only one identity.

1 Like
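Putting the two corrections from this thread together (convert an Enable only for an identity sitting in the delete lifecycle state, scope it to the AD source so a re-joiner or another source's Enable is left alone, and treat the plan as belonging to a single identity), here is an added BeforeProvisioning rule body written for this thread; it is not code from any post nor from the Services Standard rule. It assumes the AD source is named "Active Directory", the Transform writes the state as "delete", and plan.getIdentity() is populated in your rule context; adjust the two values to match your tenant.

```java
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;

// Assumed values for this example; change both to match your tenant.
String AD_SOURCE_NAME = "Active Directory";   // placeholder AD source name
String DELETE_STATE   = "delete";             // lifecycle state produced by the Transform

// A plan carries the account requests of exactly one identity.
Identity identity = plan.getIdentity();
String lcs = (identity == null) ? null : (String) identity.getAttribute("cloudLifecycleState");

// Only an identity in the delete state qualifies. A re-joiner has already moved
// back to 'active', so their Enable request passes through unchanged.
boolean shouldDelete = (lcs != null) && lcs.equalsIgnoreCase(DELETE_STATE);

if (shouldDelete && plan.getAccountRequests() != null) {
  for (AccountRequest accountRequest : plan.getAccountRequests()) {
    // Scope to the AD source so Enable operations on other sources are untouched.
    if (!AD_SOURCE_NAME.equals(accountRequest.getApplication())) {
      continue;
    }
    if (ObjectOperation.Enable.equals(accountRequest.getOp())) {
      // The 'delete' lifecycle state is configured to Enable the AD account;
      // swapping the operation here lets the AD connector perform the deletion.
      accountRequest.setOp(ObjectOperation.Delete);
    }
  }
}
```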

Thanks, you have clarified my doubt.
