Birthright Roles only for New Users

Hi

We have requirements like the below.

  1. We have a birthright AD role, with assignment criteria based on job code and cost center. When enabled in production, it will be assigned to 5,000 identities. However, the existing 1,450 identities do not have the birthright AD role groups. Our client requires that the birthright AD roles be assigned only to new users.

Is there a way to do that?

Hi @pkumar22 ,

Criteria-based assignment assigns the access to all users, whether new or existing. It just checks the criteria; if they match, it assigns the access. SailPoint will not know if it's a new or existing user.

I can think of workflows here: you can go for a scheduled trigger (you can run it twice a day, or as per the client's preference), then get the list of identities that were created in the last 12 hrs (considering the workflow runs twice a day) and have the "ABC" job code and cost center, using a query. Then call the API to submit a role/access request.

Hi @pkumar22,

Have you considered creating a transform that would flag these existing 1500 users? Maybe based on their start date or some other criteria that is already available.

You can then use this identity attribute in the role membership criteria so that it can filter out the existing users.

2 Likes

You'd need some identity attribute which distinguishes new users from "non-new" users. For example, using transforms, you can calculate a value based on date and add a value to that identity attribute:

If new users are considered new for the first 30 days after hiring:

Something with dateCompare,

date1 = hiredate + 30 days

date2 = current_date

If date1 < date2, assign "new_user",

else assign "old_user"

In the birthright role, add that new attribute as a criterion with the value "new_user".

In our case we created an isJoiner identity attribute to validate a new user based on the start date, which comes from the authoritative source.

You can assign the below transform to the isJoiner attribute; it will give Yes if the user is new, else No.

{
    "name": "Joiner Tranform",
    "type": "dateCompare",
    "attributes": {
        "firstDate": "now",
        "positiveCondition": "Yes",
        "operator": "lte",
        "negativeCondition": "No",
        "secondDate": {
            "attributes": {
                "input": {
                    "attributes": {
                        "values": [
                            {
                                "attributes": {
                                    "name": "startDate"
                                },
                                "type": "identityAttribute"
                            },
                            {
                                "attributes": {
                                    "value": "12/31/2999"
                                },
                                "type": "static"
                            }
                        ]
                    },
                    "type": "firstValid"
                },
                "inputFormat": "MM/dd/yyyy",
                "outputFormat": "ISO8601"
            },
            "type": "dateFormat"
        }
    }
}

Then you can add this attribute to the role membership criteria and set it Equal to "Yes".

This will resolve your problem.

1 Like
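The "hire date + 30 days" variant described two replies up, written out as a full transform in the same shape as the isJoiner transform above. This is an added example, not a transform from any of the posters: it assumes the identity attribute is named startDate in MM/dd/yyyy format, that dateMath accepts a relative expression such as "+30d" on an ISO8601 input and returns ISO8601 that dateCompare can consume directly, and it deliberately falls back to a far-past date (01/01/1900) when startDate is missing, so an identity with no hire date evaluates to old_user and does not pick up the birthright role by accident.

```json
{
  "name": "Is New Joiner (hire date + 30 days)",
  "type": "dateCompare",
  "attributes": {
    "firstDate": "now",
    "operator": "lte",
    "positiveCondition": "new_user",
    "negativeCondition": "old_user",
    "secondDate": {
      "type": "dateMath",
      "attributes": {
        "expression": "+30d",
        "roundUp": false,
        "input": {
          "type": "dateFormat",
          "attributes": {
            "inputFormat": "MM/dd/yyyy",
            "outputFormat": "ISO8601",
            "input": {
              "type": "firstValid",
              "attributes": {
                "values": [
                  {
                    "type": "identityAttribute",
                    "attributes": { "name": "startDate" }
                  },
                  {
                    "type": "static",
                    "attributes": { "value": "01/01/1900" }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
```

The comparison reads "now <= startDate + 30 days", so an identity is new_user for the first 30 days after its start date and old_user afterwards; map the transform to an identity attribute and use Equal to "new_user" as an additional criterion on the birthright role.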
