Assigning roles based on a complex query


I need to assign a role to the manager identities that satisfy the query below:

attributes.managerEmployeeNumber: AND !attributes.identificationNumber:NELM* AND attributes.cloudLifecycleState:Active

I am struggling to find the correct approach to implement this. The following are the options I explored:

  1. Creating an identity attribute and a cloud rule that performs a search using idn.findIdentitiesBySearchableIdentityAttribute. There is a note that this will return only 50 results. I have managers managing more than 150 people.
  2. I couldn’t think of any solution using transforms, since it searches the account attributes rather than identity attribute values.
  3. I thought of doing it through workflows, but I see a loop limitation of 250 items as an input array.
  4. My last option is to create a PowerShell script with the logic and submit an access request.

I would appreciate any suggestions for achieving this using SailPoint’s built-in features.

The requirement is: I need to assign a role to the manager identities, and I need to exclude the managers who are managing Contractors only. The only way to identify whether a manager is managing Contractors only is to get the list of all reportees and then check whether each of their employee numbers has the word ‘NERM’ in it.

Hello @vidya_kompala_au ,

If I understood the requirement correctly, you need to assign a role to identities who have managerEmployeeNumber “1234“, with “active“ LCS, and are not NELM users.

Can’t this be achieved using assignment criteria in roles, like below?
*replace highlighted attributes with correct ones

Thanks for the response @ThejaC
If I am doing this through role assignment criteria, I need to check the employee numbers of the reportees, which I can’t do in ISC.

Hello @Vimal_Kumar, apologies, I may not have understood the requirement correctly. Can you explain it in words?

Hello,

I would handle that through an Identity Attribute!
If I got it right, you need to assign it to all managers that were not created via NERM!

{
    "type": "static",
    "attributes": {
        "isManager": {
            "type": "static",
            "attributes": {
                "value": "$identity.getManagerStatus()"
            }
        },
        "NermEmployeeId": {
            "type": "identityAttribute",
            "attributes": {
                "name": "identificationNumber"
            }
        },
        "cloudLifeCycleState": {
            "type": "identityAttribute",
            "attributes": {
                "name": "cloudLifecycleState"
            }
        },
        "value": "#if($isManager=='true' && !$NermEmployeeId.contains('NERM') && $cloudLifeCycleState == 'active')true#end"
    },
    "name": "Test-Check-Manager"
}

This transform checks whether the identity is a manager, checks their employeeNumber and LCS, and will return true! In your role criteria you just check this attribute!!

Hope this helps!


@ThejaC @YanCoelho I have added the requirement also in the description now. Thanks for your responses.
The requirement is: I need to assign a role to the manager identities, and I need to exclude the managers who are managing Contractors only.

@kompala Do you know how many managers there are who are managing contractors? If the number is not that big, you can search for them manually, add another criterion in the same group criteria, then “hardcode“ those managers using the “Does Not Equal“ operation on their employee numbers, as @ThejaC provided above. This will create a problem if a single manager manages both regulars and contractors. (I cannot come up with any more convenient method than this; happy to hear if there’s any other.)

@markomanium Thanks for the response. The manual approach will require me to maintain that role manually as well.
I am working on a PowerShell script approach to manage the members of the role.

I don’t see any better approach than scripting for my requirement.
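The membership logic the thread ends up scripting, as an added example that is not code from the thread or from SailPoint: given identity records with the attributes named above, it keeps only active, non-contractor managers who have at least one regular (non-NERM) direct report, so contractor-only teams are excluded while mixed teams (the case @markomanium flagged) still qualify. It assumes contractor identificationNumbers start with NERM (the prose uses NERM, the query NELM) and uses constructed sample records; fetching real records from ISC search is out of scope.

```python
"""Added example (not from the thread): decide which managers should hold
the role, from identity records shaped like the thread's attributes."""

CONTRACTOR_PREFIX = "NERM"  # assumption: contractor identificationNumbers start with NERM


def is_contractor(identity):
    # A missing identificationNumber counts as "not a contractor" so a
    # manager is not silently dropped because of incomplete data.
    ident = identity.get("identificationNumber") or ""
    return ident.upper().startswith(CONTRACTOR_PREFIX)


def eligible_managers(identities):
    """Sorted employeeNumbers of managers who should be members of the role."""
    by_number = {i["employeeNumber"]: i for i in identities}
    reports = {}  # managerEmployeeNumber -> list of direct reports
    for identity in identities:
        mgr = identity.get("managerEmployeeNumber")
        if mgr:
            reports.setdefault(mgr, []).append(identity)
    result = []
    for mgr_number, team in reports.items():
        manager = by_number.get(mgr_number)
        if manager is None:
            continue  # dangling manager reference: nothing to assign to
        if (manager.get("cloudLifecycleState") or "").lower() != "active":
            continue  # only active managers get the role
        if is_contractor(manager):
            continue  # the manager is a NERM identity
        if all(is_contractor(r) for r in team):
            continue  # the thread's key case: manages contractors only
        result.append(mgr_number)
    return sorted(result)


def rec(number, idn, manager=None, lcs="active"):
    """Build one constructed identity record (sample data, not real)."""
    return {"employeeNumber": number, "identificationNumber": idn,
            "cloudLifecycleState": lcs, "managerEmployeeNumber": manager}


SAMPLE_IDENTITIES = [  # constructed data
    rec("1001", "E1001"), rec("2001", "E2001", "1001"),        # mixed team
    rec("2002", "NERM2002", "1001"),
    rec("1002", "E1002"), rec("2003", "NERM2003", "1002"),     # contractors only
    rec("1003", "E1003", lcs="inactive"), rec("2004", "E2004", "1003"),
    rec("1004", "NERM1004"), rec("2005", "E2005", "1004"),     # manager is NERM
    rec("1005", "E1005"), rec("2006", None, "1005"),           # report lacks idn
    rec("2007", "E2007", "9999"),                              # dangling manager
]
# eligible_managers(SAMPLE_IDENTITIES) -> ['1001', '1005']
```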