AD move OU in workflow

We have a requirement for a workflow that will be activated when HR reports an identity has left the organization.

This triggers the disable cloud life cycle state. The workflow has a form action for the manager to approve the disabling of the account on AD.

Should the manager approve, 2 things should happen:

  1. AD account should be moved to the DisabledUsers OU

  2. 7 days after the trigger, all entitlements of the account should be removed.

I think point no. 2 can be handled by the workflow action of ‘Wait’ and ‘Manage Access’ (although I am not sure Manage Access accepts wildcards).

The issue we are facing is with point no. 1. The documentation (Actions - SailPoint Identity Services) lists an action called ‘move user’. Such an action does not exist, or the API is not open.

Can anyone please explain how we can utilize the workflow engine to perform the customer request?
I find it hard to believe we are the first to ask such a thing.

Hi @ninou,

You cannot do AD OU moves directly through ISC workflows.

One option you can consider is to make use of the Manage Accounts action and perform an enable/disable or an unlock. Then make use of a before provisioning rule to update the plan to the required AD OU move.

Use AC_NewParent and AD_UPDATE to move the user to the disableUsers OU.
There are many threads on here (mine included) that detail how to do this.

Move Users is part of Privileged Task Automation.

You can trigger moving users to a disabled OU by setting the AC_NewParent attribute in the provisioning plan. You can trigger this through creating a Disable Provisioning policy as Phil does in the following:

or by using a before provisioning rule as described:

There is a Service Standard Before Provisioning Rule that you can request in your tenant that you only need to configure. You will just need to ask for it to be deployed in your tenant.
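The two replies above both point at the same mechanism: let the workflow's Manage Accounts action raise a Disable on the AD source, and let a before provisioning rule attached to that source add the `AC_NewParent` attribute request that moves the object. Below is an added BeanShell sketch of such a rule, written for this thread rather than taken from it, from SailPoint's Service Standard rule, or from any posted thread. It assumes the standard rule inputs `plan` (a `sailpoint.object.ProvisioningPlan`) and `log`, and the OU distinguished name is a placeholder to be replaced with the tenant's real disabled-users OU. Because the rule is attached to the AD source configuration, it only sees plans for that source and needs no application-name check.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumed placeholder: the DN of the OU that holds disabled leaver accounts.
String DISABLED_OU_DN = "OU=DisabledUsers,DC=example,DC=com";

// The rule receives the plan the workflow's Manage Accounts action produced.
List accountRequests = plan.getAccountRequests();

if (accountRequests != null) {
    for (Object o : accountRequests) {
        AccountRequest accountRequest = (AccountRequest) o;

        // Only react to a Disable; enable/unlock/modify plans pass through untouched,
        // so a manager approving the disable is what triggers the move.
        if (!AccountRequest.Operation.Disable.equals(accountRequest.getOperation())) {
            continue;
        }

        // Do not stack a second move request if something upstream already set one.
        if (accountRequest.getAttributeRequest("AC_NewParent") != null) {
            log.debug("AC_NewParent already present for " + accountRequest.getNativeIdentity());
            continue;
        }

        // Setting AC_NewParent tells the AD connector to move the object to the new parent OU
        // as part of the same provisioning operation that disables it.
        AttributeRequest moveRequest =
            new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, DISABLED_OU_DN);
        accountRequest.add(moveRequest);

        log.info("Disable requested; moving " + accountRequest.getNativeIdentity()
                 + " to " + DISABLED_OU_DN);
    }
}
```

Two practical checks before relying on this in production: confirm in the provisioning log that the Disable plan actually reaches the AD source with the `AC_NewParent` attribute attached, and make sure the OU DN is an exact match for the target container, since a typo in the DN fails the whole account request rather than just the move. Keeping the rule scoped to Disable also means a later re-enable for a returning user does not silently move the object anywhere.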

