AfterModify based on entitlement change?

Hello all -

I’m looking for information on how to use a PS AfterModify rule for an AD connector based on an entitlement addition. I’ve found how to pull an attribute change from a request within the rule, but I haven’t seen a way to see entitlement changes.

My use case is I need to call a PowerShell script on our IQService server when a user is added to a specific AD group. How can I accomplish this?

1 Like

Hi Bob,

You can use the Get-AttributeValueFromAccountRequest function in the after script template, which will help you get the attribute value from the account request.

Regards,
Arun

2 Likes

So in this case, do I have to rely on memberof and search if it changed? Or can I just use the entitlement id/name as the value of the “attribute”?

1 Like

You can rely on the value of the attribute. Please refer to the function below.

# Returns the value of the first attribute request whose name matches $targetAttribute
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
    $value = $null;

    if ($request) {
        foreach ($attrib in $request.AttributeRequests) {
            if ($attrib.Name -eq $targetAttribute) {
                $value = $attrib.Value;
                break;
            }
        }
    }
    else {
        # LogToFile is expected to be defined elsewhere in the script
        LogToFile("Account request object was null");
    }
    return $value;
}

2 Likes

Hi @HeyItsBob20

Welcome to SailPoint Developer Community.

You need to create a Connector After Modify rule and attach it to the AD source; check this doc for more info.

This rule will invoke a PowerShell script in your IQService. Basically, this rule gets executed whenever an AD account gets modified, whether it is an entitlement or any attribute. You can check the account request to extract all the attributes, including entitlements, that were part of provisioning.

Thanks
Krish

1 Like

Hi @HeyItsBob20,

You can add the code below to the AfterModify rule to run the PowerShell script only for a specific entitlement.

if ($requestAsString.contains('value="<Entitlement_Name>"') -and $requestAsString.contains('op="Add"') -and $requestObject.IsModify()) {

    #Call the client script
    $command = -join ($command, " -requestString '$requestAsString'")
    Invoke-Expression $command
}

Thanks.

1 Like
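The replies above, combined into one check, as an added example that is not part of any post in this thread: it walks the attribute requests and matches the attribute name, the operation and the group DN together, and it hands the result to the script as a named argument instead of rebuilding a command string. The `.Operation` and `.NativeIdentity` properties, the function names, the handler path, its `-AccountDn` parameter and the sample DNs are assumptions or constructed values; in a real rule the request would be the object the rule template builds.

```powershell
# Added example. Property names beyond Name/Value/AttributeRequests are assumptions.
function Test-EntitlementAdded {
    param(
        [Parameter(Mandatory)] $Request,            # AccountRequest (or look-alike)
        [Parameter(Mandatory)] [string] $GroupDn,   # DN of the group to watch
        [string] $Attribute = 'memberOf'
    )
    foreach ($attrib in @($Request.AttributeRequests)) {
        if ($attrib.Name -ne $Attribute) { continue }
        # Assumption: op="Add" in the request XML is exposed as .Operation
        if ("$($attrib.Operation)" -ne 'Add') { continue }
        # Value may be one DN or a list of DNs; -eq on strings ignores case
        foreach ($dn in @($attrib.Value)) {
            if ("$dn" -eq $GroupDn) { return $true }
        }
    }
    return $false
}

# Constructed sample data (not real directory objects)
$watched = 'CN=Finance-Admins,OU=Groups,DC=example,DC=com'
$other   = 'CN=VPN-Users,OU=Groups,DC=example,DC=com'
function New-SampleRequest($id, $attribs) {
    [pscustomobject]@{ NativeIdentity = $id; AttributeRequests = $attribs }
}
function New-SampleAttrib($op, $value) {
    [pscustomobject]@{ Name = 'memberOf'; Operation = $op; Value = $value }
}
$requests = @(
    # Removed from the watched group and added to another one: a substring
    # test over the whole request for the group name and op="Add" matches this.
    (New-SampleRequest 'CN=alice,OU=Users,DC=example,DC=com' @(
        (New-SampleAttrib 'Remove' $watched), (New-SampleAttrib 'Add' $other))),
    # Added to two groups in one attribute request, one of them watched
    (New-SampleRequest 'CN=bob,OU=Users,DC=example,DC=com' @(
        (New-SampleAttrib 'Add' @($other, $watched))))
)

$handler = 'C:\Scripts\OnGroupAdd.ps1'   # hypothetical script on the IQService host
foreach ($r in $requests) {
    if (-not (Test-EntitlementAdded -Request $r -GroupDn $watched)) {
        Write-Output "skip  $($r.NativeIdentity)"
    } elseif (Test-Path $handler) {
        # Call operator with a named argument: no command string is rebuilt
        & $handler -AccountDn $r.NativeIdentity
    } else {
        Write-Output "match $($r.NativeIdentity) (handler not present)"
    }
}
```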
