Azure PIM Provisioning Policy

Specifies the duration for which the role needs to be assigned to the user, counted from the current time.


This is the companion discussion topic for the documentation at https://documentation.sailpoint.com/connectors/microsoft/entra_id/help/integrating_entra_id/azure_pim_provisioning_policy.html

Dear Developers,

From this documentation I do not understand where to set attributes like the duration, for example, and where to pass them.

Please could you review the documentation and be more descriptive about which policy to use and what an example of the policy could look like, rather than the output?

Thank you !


Hi Adam! Thank you for your input. We’ve created a Jira issue to track the effort, and we’ll update the comment thread when it’s been addressed: CONDOCS-5827

Thanks.

I’m in the same boat here. It is not clear where I need to update the source to enable adding these helpful values to Entra PIM assignments.

It is a BeforeProvisioning rule to be attached to the source.
Below you can find a code snippet, just make sure to include all your other rules you might have for different attributes or account creation, disabling etc. So don’t take this as gospel :smiley: :

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Attributes;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Log rule execution
log.info("Executing Before Provisioning Rule for all applications");

// Iterate over all account requests in the provisioning plan
// (guard against a plan with no account requests)
if (plan != null && plan.getAccountRequests() != null) {
  for (AccountRequest accountRequest : plan.getAccountRequests()) {

    // An account request may carry no attribute requests at all; skip it
    // rather than dereferencing null
    List<AttributeRequest> attributeRequests = accountRequest.getAttributeRequests();
    if (attributeRequests == null) {
      continue;
    }

    // Iterate over all AttributeRequests
    for (AttributeRequest attributeRequest : attributeRequests) {

      // Target azureADActiveRoles and azureADEligibleRoles AttributeRequests
      if ("azureADActiveRoles".equals(attributeRequest.getName()) ||
          "azureADEligibleRoles".equals(attributeRequest.getName())) {

        // Build the argument map the connector reads the PIM duration from
        Map argsMap = new HashMap();
        argsMap.put("duration", "permanent");

        // Wrap the map inside an Attributes object
        Attributes attributes = new Attributes();
        attributes.putAll(argsMap);

        // Set arguments in the attribute request
        attributeRequest.setArguments(attributes);

        // Log for testing
        log.info("Successfully set duration to: permanent");
      }
    }
  }
}

Hello Adam, what type of BeforeProvisioning rule are you referring to?
From your snippet it looks more like a Web Services rule rather than an Azure/Entra ID rule with PowerShell scripting. Where exactly are you attaching this?
I’m currently working on something similar but in a Before Modify Azure/AD rule. Am I missing something here?

Adam, I just realized this is a Cloud BeforeProvisioning Rule. Sorry for the confusion :sweat_smile:


haha no worries. We had some issues with a null pointer (when the request was for anything other than azureADActiveRoles or azureADEligibleRoles), so we added this line to the cloud rule - just FYI so you don’t run into the same :smiley:

  import java.util.List;

  // Safely grab the list of AttributeRequests (skip this account request if null)
  List<AttributeRequest> attributeRequests = accountRequest.getAttributeRequests();
  if (attributeRequests == null) {
    continue;
  }

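A fuller version of the cloud BeforeProvisioning rule discussed in this thread, added here as an example and not code from the thread or from SailPoint: it is null-safe on the plan, the account requests and the attribute requests, touches only Add/Set operations on the two PIM attributes, and merges the duration into any arguments already on the request instead of replacing them. `Operation`, `getArguments()` and `getNativeIdentity()` are assumed from the standard sailpoint.object plan model; the per-attribute duration values are placeholders (only "permanent" appears on the page), and `plan` and `log` are the rule's own inputs.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;

// PIM attribute names from the thread; the duration values are placeholders
// (assumption), since the page only shows "permanent".
Map<String, String> durationByAttribute = new HashMap<String, String>();
durationByAttribute.put("azureADActiveRoles", "permanent");
durationByAttribute.put("azureADEligibleRoles", "permanent");

// Null-safe traversal: a plan may have no account requests and an account
// request may have no attribute requests (the NullPointerException above).
if (plan != null && plan.getAccountRequests() != null) {
  for (AccountRequest accountRequest : plan.getAccountRequests()) {
    List<AttributeRequest> attributeRequests = accountRequest.getAttributeRequests();
    if (attributeRequests == null) {
      continue;
    }
    for (AttributeRequest attributeRequest : attributeRequests) {
      String duration = durationByAttribute.get(attributeRequest.getName());
      if (duration == null) {
        continue; // not a PIM role attribute, leave it alone
      }
      // Only assignments carry a duration; removals stay untouched.
      Operation op = attributeRequest.getOperation();
      if (op != Operation.Add && op != Operation.Set) {
        continue;
      }
      // Merge into existing arguments so options set by another rule or by
      // the connector itself are not clobbered by a fresh Attributes object.
      Attributes args = attributeRequest.getArguments();
      if (args == null) {
        args = new Attributes();
      }
      args.put("duration", duration);
      attributeRequest.setArguments(args);
      log.info("Set PIM duration '" + duration + "' on " + attributeRequest.getName()
          + " for account " + accountRequest.getNativeIdentity());
    }
  }
}
```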