Check account creation exist in every 15 minute by workflow

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

We have to send an email if lifecycle prehire and AD account created. We have to wait email until account is not created. In case account is not creating in 15 minute workflow should validate again after 15 minute

2

Hi @aashish_singhal1 ,

Below is the high-level workflow and steps I can think of

  1. Use “Identity Created” trigger and filter out for prehires.
  2. Add “Wait” step for 15 mins(there is ensure if user has AD account created within 15 mins)
  3. Get the account for the identity using “Get Accounts”

image
image358×517 7.45 KB

4. Use “loop” operator to loop each of the source accounts
5. Use compare operator to check if AD source ID exists
6. If true, send email with AD accounts details
7. If false, send email for no AD account

image
image949×628 29 KB

3

Why not use “Source Account Created” trigger?

Once account is created in Active Directory, trigger the workflow with "Source Account Created" trigger. If account is created in AD after 15 minutes, I suggest you to use "Source Account Created" trigger and pull the identity in workflow and check your lifecycle state. Then send email accordingly. That would be your optimal option.

Thanks.

1 Like
4

Hi Teaja, Thanks for reply. I can we define this loop will be execute 3 time if account does not exist? I am just testing email in loop but not working

Screenshot 2025-04-02 193159
Screenshot 2025-04-02 1931591096×408 26.2 KB

LoopSize
LoopSize1068×586 22.4 KB

5

Depends on whether there’s any other additional consideration(s), here’s a potential alternative:

  1. Map the AD source’s distinguishedName attribute to an identity attribute.
  2. Configure AD delta aggregation every 5 / 10 / 15 minutes…take a pick.
  3. Have a workflow trigger on identity attribute change.
  4. In workflow, filter on old attribute value is empty, and new attribute value is not empty (i.e. now has an account), and also read in the identity state to determine if you need to send an email or not.

This approach covers the happy path of IDN-created AD account, as well as the less happy path where manual / out-of-band account creation was needed (for whatever reason). In both cases, the email will be sent once ISC sees the account. Takes the workflow wait loop out of the equation.

#Plan for one degree of failure

6

Hi @aashish_singhal1,
The best way to achieve this is using Provisioning Completed Trigger

and have the following filter added
$.accountRequests[?(@.provisioningResult == ‘committed’ && @.provisioningTarget == ‘Your Source Name’ && @.accountOperation==‘Create’)

This way your requirement will be achieved. You dont need to worry to wait for 15 minutes and send the email after that.

Let me know if you face any issue while implementing the same.

Thanks
Rakesh Bhati

7

I agreed this is solution. My question more about loop, in any case we have to iterate any loop by given number of time then how can we do ?