BeforeProvisioing Rule (cloud), and afterModify (Connector

phil_awlings · September 2, 2024, 3:51pm

Scenario:
User changes OU and PS scripts add and remove entitlements based upon OU settings.

When I was using the UPDATE function and AC_NewParent to move OUs, the afterModify script would fail because the nativeIdentity was grabbing the value of before the move, and trying to update that after the user had moved DN’s.
So, I wrote a beforeProvisioning cloud rule to move the OU, which works fine, but doesn’t update the cube that quickly. However, the afterModify rule is still picking up the original DN rather than the new one.

Has anyone else come across this problem?

This snippet of code solves the issue, but I would have rather that it isn’t needed:

 $CN = $nativeIdentity.Substring(0, $nativeIdentity.IndexOf(","))
  $nativeParentOU = $nativeIdentity.Substring($nativeIdentity.IndexOf(",") + 1)

  if ($nativeParentOU -ne $AC_NewParent) {
    $nativeIdentity = "$CN,$AC_NewParent"
  }

nikhleshsdg · September 3, 2024, 5:55am

HI @phil_awlings,

You can get account details directly from AD in PS script which will have the correct OU and add/remove entitlements, or you can add wait time in PS script.

Thanks.

phil_awlings · September 3, 2024, 8:11am

Hi @nikhleshsdg

Thanks, but as I said, I’ve fixed the problem by updating the native identity.
I was frustrated that the beforeProvisioning rule hasn’t done what Sailpoint Expert Services said that it would do.

I was wondering if anyone else had come across this situation

Phil

shekhardas1825 · September 3, 2024, 9:09am

@phil_awlings This is how it will work as even if you set the AC_NewParent in the BeforeProvisioning rule the requestObject will still have the same nativeIdentity (with old OU).

So in afterModify script you wont be able to find the user with nativeIdentity as the OU is already changed and nativeIdentity is not exist.

So we definitely need to prepare the new nativeIdentity (using CN and new OU) to get or provision the access to the account after OU is changed.

phil_awlings · September 3, 2024, 9:15am

Hi,

I think that this is the prime example of why the native identity needs to be changed to the GUID.

Thanks
Phil

phil_awlings · September 3, 2024, 3:30pm

I think that I might have resolved my issue with the following fudge:
Much more testing to do, but currently seems stable

  function Get-ProcessedUser($nativeIdentity, $logFile) {
    try {
      # Retrieve the user initially to get the objectGuid
      $initialUser = Get-ADUser -Identity $nativeIdentity -Properties objectGuid
      if ($initialUser) {
        $objectGuid = [System.Guid]::Parse($initialUser.objectGuid).ToString()
            
        # Retrieve the user again using the objectGuid
        $user = Get-ADUser -Identity $objectGuid -Properties sAMAccountName, employeeType, extensionAttribute15, MemberOf, objectGuid
        return $user
      }
    }
    catch {
      Add-Content $logFile "`n Error processing user $($nativeIdentity): $($_.Exception.Message)"
    }
    return $null
  }

dopstrick · September 3, 2024, 7:51pm

You can get the new distinguished name in the After Modify script by pulling it from the resultObject.

Code is below. It pulls the DN from the request first, then checks the result to see if dn was one of the modified attributes

$sReader = New-Object System.IO.StringReader([System.String]$env:Request);
$sResult = New-Object System.IO.StringReader([System.String]$env:Result);
	
# Form the xml reader objects
$xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
$xmlReader_Result = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sResult));

# Create SailPoint objects          
$requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader); 
$resultObject = New-Object Sailpoint.Utils.objects.ServiceResult($xmlReader_Result);

#get the NativeIdentity
$dn = $requestObject.nativeIdentity
	
#check result for change in DN
$dist = $resultObject.Attributes.distinguishedName
if ($dist -ne $null){
	$dn = $dist
}

phil_awlings · September 4, 2024, 10:49am

Thank you,
That is a much more efficient way of doing it

dopstrick · September 4, 2024, 12:35pm

You can also get the specific domain controller that was used (in case your worried about replication issues):

$dc = $resultObject.Attributes.createdOnServer

system · November 3, 2024, 12:36pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AfterModifyRule + AD OU moves ISC Discussion and Questions rules , identity-security-cloud , connectors	7	99	October 1, 2024
AD before provisioning rule to move OU on disable ISC Discussion and Questions identity-security-cloud	1	1277	July 19, 2023
ConnectorAfterModify - cloudPreviousValues ISC Discussion and Questions rules , identity-security-cloud	4	84	August 23, 2024
AC_NewParent: Account Profile or Rule ISC Discussion and Questions identity-security-cloud , provisioning	5	997	January 20, 2024
Ensuring DN Uniqueness moving AD Accounts using AC_NewParent ISC Discussion and Questions rules , identity-security-cloud	6	609	April 1, 2024

BeforeProvisioing Rule (cloud), and afterModify (Connector

Related topics