I have a slightly unusual requirement and would appreciate some guidance.
We use Workday as the authoritative source for employees and Active Directory for contractors. I’m working with our compliance team, and they require a daily report of identities, which I’m currently generating using Search.
Additionally, for terminated users, they want to include the last login date. I’m pulling the lastLogon information from AD and manually adding it to my reporting table. This is needed to perform revoke-look back analysis faster.
The requirement now is to automate this entire process — generating the daily identity report and enriching it with last login data for terminated accounts.
Has anyone implemented something similar? What would be the recommended approach in ISC — API automation, scheduled export, workflow, or another pattern?
@utkirjonkamiljanov Caution on using the last login date from Active Directory if it is configured to one DC, because it takes 14 days for this attribute to be updated across the various DCs.
If you are already retrieving the value from the account to identity, then you can just get all the details from the identity attributes themselves. If not, create an identity attribute and map it to the AD account attribute.
Since this is just a report, you can schedule a report, but I don’t think the scheduled report will include the attributes that you want in the report.
API automation would be the best and easiest approach to create the reports that you want.
Further to what @kompala has mentioned, you can create a Saved Search and then set up a subscription with intended recipients. Recipients will have to have the Search Admin role, though.
I’m going to be a pain in the butt and say that’s only a third of the requirements.
There’s the report delivery mechanism to consider, report recipient management, report storage / repo, repo access / security, report info processing / validation… i.e. “I have a report, now what” kind of process.
Or is compliance only asking for a send-and-forget checkbox exercise?
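An added sketch of the enrichment step discussed in this thread (not code from any poster or from SailPoint): it keeps the most recent lastLogon per account across per-DC values and attaches it only to terminated identities. The column names, the "terminated" lifecycle state value, the DC names and all sample rows are constructed assumptions; fetching the rows from ISC and AD is left out.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: (sAMAccountName, DC queried, raw lastLogon value).
DC_ROWS = [
    ("jdoe", "DC01", "133485408000000000"),
    ("JDoe", "DC02", "133486272000000000"),
    ("asmith", "DC01", "133485408000000000"),
    ("bnew", "DC01", "0"),
]
# Constructed sample: rows of the daily identity report (assumed columns).
IDENTITIES = [
    {"accountName": "jdoe", "source": "Workday", "lifecycleState": "terminated"},
    {"accountName": "asmith", "source": "Workday", "lifecycleState": "active"},
    {"accountName": "bnew", "source": "Active Directory", "lifecycleState": "terminated"},
]

def filetime_to_utc(value):
    """Return a UTC datetime, or None when the value is 0/empty (never logged on)."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def latest_logon(per_dc_rows):
    """Map lower-cased account name to (most recent logon, DC that reported it)."""
    latest = {}
    for account, dc, raw in per_dc_rows:
        when = filetime_to_utc(raw)
        key = account.lower()
        if when and (key not in latest or when > latest[key][0]):
            latest[key] = (when, dc)
    return latest

def enrich(identities, latest):
    """Copy each report row, filling lastLogin only for terminated identities."""
    report = []
    for ident in identities:
        row = dict(ident, lastLogin="", lastLoginSource="")
        hit = latest.get(ident["accountName"].lower())
        if ident["lifecycleState"] == "terminated" and hit:
            row["lastLogin"] = hit[0].strftime("%Y-%m-%dT%H:%M:%SZ")
            row["lastLoginSource"] = hit[1]
        report.append(row)
    return report

if __name__ == "__main__":
    for line in enrich(IDENTITIES, latest_logon(DC_ROWS)):
        print(line)
```

An empty lastLogin on a terminated row means no DC in the input reported a logon, which is worth flagging separately from a missing AD account during review.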