AD Birthright group

Hello everyone. Can someone please assist?

We are creating the AD account before the user's start date, and on the start date we want to assign several birthright AD groups to the user. What should I use in my assignment criteria?

Start date equals current date?

Also, I need to add something like: start date is less than or equal to the current date.

Hi @TJ1331, are you not setting any lifecycle state for the created identity?

We can assign birthright access based on the lifecycle state of the user (pre-hire, in your case).

You can create a lifecycleState transform to set the status for the user. Below is a sample that compares the current date with the hire date:

    "pastHireDate": {
        "type": "dateCompare",
        "attributes": {
            "negativeCondition": "false",
            "positiveCondition": "true",
            "operator": "GTE",
            "firstDate": "now",
            "secondDate": {
                "attributes": {
                    "input": {
                        "attributes": {
                            "values": [
                                {
                                    "attributes": {
                                        "attributeName": "HIREDATE",
                                        "sourceName": "Workday"
                                    },
                                    "type": "accountAttribute"
                                },
                                {
                                    "attributes": {
                                        "value": "01/01/2099"
                                    },
                                    "type": "static"
                                }
                            ]
                        },
                        "type": "firstValid"
                    },
                    "inputFormat": "MM/dd/yyyy",
                    "outputFormat": "ISO8601"
                },
                "type": "dateFormat"
            }
        }
    }
2 Likes
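The `pastHireDate` fragment above is one sibling attribute of a larger `static` transform whose Velocity template turns the comparison results into a lifecycle state name. The following is a complete transform of that shape, added here as an example; it is not code from the post above or from SailPoint. It assumes a Workday source exposing `HIREDATE` and `TERMINATIONDATE` in `MM/dd/yyyy` format (the termination attribute name is an assumption), the sentinel date `01/01/2099` from the post for a missing value, and lifecycle states with the technical names `prehire`, `active` and `inactive`.

```json
{
    "name": "Calculate Lifecycle State",
    "type": "static",
    "attributes": {
        "pastHireDate": {
            "type": "dateCompare",
            "attributes": {
                "firstDate": "now",
                "secondDate": {
                    "type": "dateFormat",
                    "attributes": {
                        "input": {
                            "type": "firstValid",
                            "attributes": {
                                "values": [
                                    { "type": "accountAttribute", "attributes": { "sourceName": "Workday", "attributeName": "HIREDATE" } },
                                    { "type": "static", "attributes": { "value": "01/01/2099" } }
                                ]
                            }
                        },
                        "inputFormat": "MM/dd/yyyy",
                        "outputFormat": "ISO8601"
                    }
                },
                "operator": "GTE",
                "positiveCondition": "true",
                "negativeCondition": "false"
            }
        },
        "pastTermDate": {
            "type": "dateCompare",
            "attributes": {
                "firstDate": "now",
                "secondDate": {
                    "type": "dateFormat",
                    "attributes": {
                        "input": {
                            "type": "firstValid",
                            "attributes": {
                                "values": [
                                    { "type": "accountAttribute", "attributes": { "sourceName": "Workday", "attributeName": "TERMINATIONDATE" } },
                                    { "type": "static", "attributes": { "value": "01/01/2099" } }
                                ]
                            }
                        },
                        "inputFormat": "MM/dd/yyyy",
                        "outputFormat": "ISO8601"
                    }
                },
                "operator": "GTE",
                "positiveCondition": "true",
                "negativeCondition": "false"
            }
        },
        "value": "#if($pastTermDate == 'true')inactive#elseif($pastHireDate == 'true')active#{else}prehire#end"
    }
}
```

The `static` transform evaluates its other attributes first and exposes them to the template as `$pastHireDate` and `$pastTermDate`, so the order of the checks in `value` is what decides precedence: a past termination date wins over a past hire date, and an identity with neither stays `prehire`. The `01/01/2099` fallback keeps `dateCompare` from failing on an empty date and evaluates to "not yet". Because `firstDate` is `now`, the result changes with the calendar rather than with source data, so the state only moves from `prehire` to `active` when identity processing runs on or after the hire date; if the start date must take effect that morning, make sure a refresh or aggregation is scheduled for it.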

Yes, we will be setting the lifecycle state. But I want to create the AD account before the start date as well, so how should that be executed?

I was thinking of using “Enable account” in Identity Profiles. Is it for enabling existing accounts, or for new-hire creation too?

@TJ1331 “Enable account” in the identity profile is normally used to enable an account that was already provisioned.

For your use case:

  1. Create an LCS called prehire based on your condition, using a transform.
  2. Configure the CREATE provisioning policy in AD.
  3. Onboard the user in the HR system.
  4. Based on the create profile configuration in AD, the account gets created, and you can use userAccountControl to set the account as disabled (514). Later, when the user joins, you can set the LCS to active and enable the account.
1 Like

@TJ1331 This is a common use case; you can follow the steps below.

  1. Build the lifecycle state: calculate the lifecycle state as “prehire” to provision your account before the actual start date and “active” to assign the other AD groups on the actual start date. You can refer to the base transform in this post, Building Life Cycle States using Transforms - Identity Security Cloud (ISC) / ISC Community Knowledge Base - SailPoint Developer Community, and build on top of it.
  2. Configure the LCS in the Identity Profile; refer to Setting Up Lifecycle States - SailPoint Identity Services.
  3. Provisioning policy: build a CREATE provisioning policy in your AD source with the minimal required attributes by following Provisioning Policy.
  4. Role definition for prehire: create a role to initiate AD account provisioning when the LCS is prehire. This role can be either requestable or birthright, depending on your requirement, with LCS = prehire as one of the role criteria, and a dummy AD group can be attached to the role.
  5. Role definition for active: create another role, add the LCS as part of the role criteria along with the other criteria to make it a birthright role, and attach all the required access (AD groups) to the role for provisioning.

Hope this helps.

2 Likes
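Both of the procedures above hinge on step 2/3, the AD CREATE provisioning policy that builds the pre-hire account in a disabled state. The following policy is an added example of that piece, not the policy from either reply or SailPoint's default template. It assumes the standard ISC identity attributes `uid`, `firstname`, `lastname` and `displayName`, a dedicated pre-hire OU `OU=Pre-Hires,DC=corp,DC=example,DC=com` and the UPN suffix `corp.example.com` (all assumed names), and that a random initial password is acceptable because the user will go through a password reset at onboarding.

```json
{
    "name": "Account",
    "description": "Added example: pre-hire CREATE policy; OU, domain and UPN suffix are assumed values. Account is created disabled (userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE).",
    "usageType": "CREATE",
    "fields": [
        {
            "name": "sAMAccountName",
            "transform": { "type": "identityAttribute", "attributes": { "name": "uid" } },
            "attributes": {},
            "isRequired": true,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "distinguishedName",
            "transform": {
                "type": "concat",
                "attributes": {
                    "values": [
                        "CN=",
                        { "type": "identityAttribute", "attributes": { "name": "uid" } },
                        ",OU=Pre-Hires,DC=corp,DC=example,DC=com"
                    ]
                }
            },
            "attributes": {},
            "isRequired": true,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "userPrincipalName",
            "transform": {
                "type": "concat",
                "attributes": {
                    "values": [
                        { "type": "identityAttribute", "attributes": { "name": "uid" } },
                        "@corp.example.com"
                    ]
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "givenName",
            "transform": { "type": "identityAttribute", "attributes": { "name": "firstname" } },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "sn",
            "transform": { "type": "identityAttribute", "attributes": { "name": "lastname" } },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "displayName",
            "transform": { "type": "identityAttribute", "attributes": { "name": "displayName" } },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "password",
            "transform": { "type": "generateRandomString", "attributes": { "includeNumbers": "true", "includeSpecialChars": "true", "length": "20" } },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "userAccountControl",
            "transform": { "type": "static", "attributes": { "value": "514" } },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}
```

The policy only runs when something first provisions an AD account, which in the procedure above is the prehire role's dummy group: assigning that group to an identity with no AD account makes ISC create one using these fields, and the `514` value means the object exists for pre-staging (mailbox, group memberships, home directory) but cannot log on. The value is only written at creation; when the LCS later becomes `active`, the “Enable accounts” option on that state issues the enable operation, and the birthright role for `active` adds the real groups. Keeping pre-hire objects in their own OU, as assumed here, makes them easy to audit and to scope group policy on, and a sAMAccountName or DN collision on create surfaces as a failed provisioning event rather than a silently merged account, so watch the event log for the first few hires.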