Change Identity Profile of the Identity when the user account is present in two Authoritative Sources

Greetings, I have a requirement to change the Identity Profile of the Identity based on their current persona.
We have two authoritative sources (Source type JDBC) and two identity profiles for Staff and Faculty. The Staff Identity Profile has greater priority over the Faculty Identity Profile. We are disabling the Account deletion on both Authoritative Sources, so the accounts will not get deleted even after the user records are dropped from the feed.
When there is a conversion where the Faculty User becomes Staff, because of the Staff Identity Profile priority the Identity Profile is rightly changing to Staff Identity Profile from Faculty Identity Profile. But when the conversion happens from Staff to Faculty persona, the Identity Profile will not get changed.
Is there any way I can update the Identity Profile value automatically based on the Persona and End Date of the User?
Appreciate your help.
Thank you.

Unfortunately there is no API to update the identity object. We had a similar requirement, and had to take an alternative approach:

  1. Set up a transform to calculate the user’s authoritative source (assuming there’s a start date for conversion or an attribute that determines a user is converting from Staff to Faculty or vice-versa).
  2. On all the attributes, call (reference) the above transform and, based on its output (Staff or Faculty), populate the relevant value accordingly on the identity.

Although the identity profile remains Staff, the attributes are populated for Faculty.

Thank you for your response @sameer_raghuraj. I will try this method.
I missed mentioning one more detail in the post: once the user End Date is reached, the user record will be dropped from the Authoritative Source Feed. I am also trying another approach here:

  1. In the event where the Staff user is converting to a Faculty user, after the user reaches the End Date as staff persona the record will be dropped from the Feed.
  2. Once the record is dropped from the Staff Feed and the user record is added to the Faculty feed, I will Delete / Remove the account from the Staff JDBC Auth Source using a workflow.
  3. Now the user will have the account only in one Auth Source, Faculty JDBC, and the identity will follow the Faculty Identity profile.

I am yet to test this approach on the JDBC source. When I tried it on the CSV Test sources it worked and gave expected results.

Please feel free to share your thoughts on this approach.
Again, thank you for providing your views.

Hi @Keethanmadalab, as JDBC is the Auth source, will SailPoint be able to delete the records via workflows or any other approach, as the auth feed is managed by HR?

The workflow should be set up with a source account deleted trigger on the HR feed source, perform a Get Accounts action on the identity (input from trigger), and configure a Manage Accounts action to Delete the JDBC account (appropriate JSON path required). On the JDBC provisioning rule, implement Delete account functionality to remove the entry from the db.

Hi,
On the staff source, filter on current users only. That way, once they have been disabled they will drop from the source, and the faculty profile will take precedence. You will have to re-enable the delete function though.

Hi Phil, I am using JDBC Build Map Rule on the Auth Source for a different requirement and also added a small code block to update the Last Aggregation Time Stamp. Based on this I am determining whether the account is present in the Feed or not. Client wants to disable the Deletion on Auth Source.

Thanks for your idea Sameer. I have checked with client, they do not want to delete the account in the Database.

Thank you all for your replies.
To solve this issue, I am using an Identity Attribute to trigger the Workflow and remove the JDBC Account.
The Identity Attribute will be calculated through a transform based on a few conditions like:

(Persona = Staff && Present in Staff Feed == No && Present in Faculty Feed == Yes)

I have an account attribute which tells me the last time the user account was present in the Feed (using a JDBC BuildMap Rule). Based on that I am determining whether the account is present in the Auth Source Feeds.

Using this Identity Attribute I will trigger the Workflow. In the Workflow I am using the “Remove Account” API call (delete-account-async, SailPoint Developer Community) and removing the account.
This will happen only if the user account is added to the Faculty Source and already dropped from the Staff Source. Once the Staff account is removed, Identity will change to Faculty Identity Profile as the Faculty account is already correlated.

A bit of a lengthy process, but I am using this approach to preserve the Identity even after the user account is dropped from the Auth feed (I do not want to enable Account Deletion on the Auth Source).

Please feel free to share your thoughts.
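
The trigger condition from the post above, modeled as an added example (not code from the thread, and not a SailPoint transform or rule). It derives feed presence from the last-aggregation timestamp and keeps the staff account whenever a timestamp is missing or invalid; the names `STALE_AFTER`, `in_feed` and `staff_removal_decision` and the two-day window are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumption: both feeds aggregate daily, so a stamp older than two days
# means the record was dropped from the feed. Tune to the real schedule.
STALE_AFTER = timedelta(days=2)


def in_feed(last_seen: Optional[datetime], now: datetime) -> Optional[bool]:
    """Feed presence from the BuildMap-written timestamp; None = unknown."""
    if last_seen is None or last_seen > now:
        return None  # never stamped, or a future stamp (clock/data error)
    return now - last_seen <= STALE_AFTER


def staff_removal_decision(persona: str,
                           staff_seen: Optional[datetime],
                           faculty_seen: Optional[datetime],
                           now: datetime) -> Tuple[bool, str]:
    """Return (remove_staff_account, reason). Anything unknown means keep."""
    if persona != "Staff":
        return False, "persona is not Staff"
    staff, faculty = in_feed(staff_seen, now), in_feed(faculty_seen, now)
    if staff is None:
        return False, "staff timestamp missing or invalid"
    if staff:
        return False, "still present in staff feed"
    if not faculty:  # unknown or stale: removal would leave no current record
        return False, "not confirmed in faculty feed"
    return True, "dropped from staff feed, present in faculty feed"


if __name__ == "__main__":
    # Constructed sample data: (label, persona, staff stamp, faculty stamp)
    now = datetime(2024, 9, 10, 6, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    samples = [
        ("converted", "Staff", now - 5 * day, now - timedelta(hours=1)),
        ("active staff", "Staff", now - timedelta(hours=1), None),
        ("left entirely", "Staff", now - 5 * day, now - 5 * day),
        ("bad clock", "Staff", now + day, now - timedelta(hours=1)),
    ]
    for label, persona, staff_seen, faculty_seen in samples:
        print(label, staff_removal_decision(persona, staff_seen, faculty_seen, now))
```
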
