AD Account disable issue using ISC Sample Provisioning Rule

Hi,

Using the “ISC Sample BeforeProvisioning Rule”, I am trying to configure the disable OU when the AD account operation is disable. When I give a hard-coded value the provisioning action works, but when I try giving the identity attribute reference it's not working.

{
    "eventActions": [
        {
            "Action": "UpdateAttribute",
            "Attribute": "description",
            "Value": "Disabled by SailPoint on #{now.MM/dd/yyyy}"
        },
        {
            "Action": "ADMoveAccount",
            "Attribute": "AC_NewParent",
            "Value": "#{identity.disabledou}"
        },
        {
            "Action": "ScramblePassword",
            "Attribute": "password",
            "Value": null
        }
    ],
    "Operation": "Disable"
}

I have also made the identity attribute searchable. Am I missing any step?

Thank you!

Sailaja

Hi Sailaja,

A likely reason is that the identity attribute is not updated at the time the disable request comes through, that is, before the identity attribute has finished updating.

Can you pull the logs out of IQService to validate if the move request is properly being sent from ISC to IQService?

Hi @prathisailaja

The logic looks correct. The only thing that could be off is the identity attribute reference. That reference field is case-sensitive so be sure it matches the technical id in the identity profile.

My only other guess would be, like @margocbain already mentioned, that the field is not calculated yet. In the accountRequests for the disable operation, you should see the value it passed. If nothing is showing, then it’s likely null and not being picked up.

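The two checks suggested in the replies (an exact, case-sensitive match between the `#{identity.…}` reference and the attribute's technical name, and an attribute that is still empty), written as an added example that is not part of the original thread and is not SailPoint code. The function name, the attribute snapshot and the sample values are assumptions constructed for illustration; only the `#{identity.disabledou}` token and the action block come from the question.

```python
import json
import re

# Matches #{identity.<name>} tokens as they appear in the thread's config.
IDENTITY_REF = re.compile(r"#\{identity\.([^}]+)\}")


def check_identity_refs(rule_config, identity_attrs):
    """Return (action, reference, problem) tuples for suspicious references.

    rule_config: one operation block holding an "eventActions" list.
    identity_attrs: technical attribute name -> current value. This is a
    hypothetical snapshot; how it is exported is outside this example.
    """
    findings = []
    lower_index = {name.lower(): name for name in identity_attrs}
    for action in rule_config.get("eventActions", []):
        value = action.get("Value")
        if not isinstance(value, str):
            continue  # e.g. ScramblePassword carries null
        for ref in IDENTITY_REF.findall(value):
            if ref not in identity_attrs:
                near = lower_index.get(ref.lower())
                problem = (f"case mismatch, profile has '{near}'" if near
                           else "no such identity attribute")
            elif identity_attrs[ref] in (None, ""):
                problem = "attribute exists but is empty (not calculated yet?)"
            else:
                continue  # reference resolves to a usable value
            findings.append((action.get("Action"), ref, problem))
    return findings


# Constructed sample: the disable block from the question.
SAMPLE_RULE = json.loads("""
{"eventActions": [
   {"Action": "UpdateAttribute", "Attribute": "description",
    "Value": "Disabled by SailPoint on #{now.MM/dd/yyyy}"},
   {"Action": "ADMoveAccount", "Attribute": "AC_NewParent",
    "Value": "#{identity.disabledou}"},
   {"Action": "ScramblePassword", "Attribute": "password", "Value": null}],
 "Operation": "Disable"}
""")

# Constructed identity snapshot whose technical name differs only in case.
SAMPLE_IDENTITY = {"disabledOU": "OU=Disabled,DC=example,DC=com"}

if __name__ == "__main__":
    for finding in check_identity_refs(SAMPLE_RULE, SAMPLE_IDENTITY):
        print(finding)
```

An empty result means every identity reference in the block resolves to a non-empty value in the snapshot; it says nothing about timing, so the accountRequests and IQService logs mentioned above remain the place to confirm what was actually sent.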