I have a system administrator that manually runs a PowerShell script every few days which is meant to tell the user if users have been placed in two or more of the OUs selected in the script. I would like SailPoint to automatically run this script, but I can’t tell which type of rule is necessary. Seeing as the source is Active Directory, can anybody confirm if an “AfterModify” rule on the source connector is necessary?
Hi @davidballew, just to understand your requirement, does this PS script expect anything (like events - create/modify) from SailPoint as input, or does it just need to be scheduled to run on a periodic interval?
Hi Guarav,
The script checks that users are not in more than one group. It has historically been run manually by the admin, but we would like it run on a weekly interval if possible.
# Location groups to check; a user should appear in at most one of them.
$g = @("groupA", "groupB", "groupC")
$g | ForEach-Object {
    # Capture the group name so it survives into the inner pipeline.
    $b = $_; Get-ADGroupMember -Identity $_ | Select-Object SamAccountName, @{n = "ADGroup"; e = { $b }}
} | Group-Object -Property SamAccountName |
    # Keep only accounts that showed up under more than one group.
    Where-Object { $_.Count -gt 1 }
Hi David,
I am not sure what exactly you are doing after getting this report.
If your use case is that a user should not be in more than one of the three mentioned groups, then you can make use of SoD Policy Violations.
You can use Native Rules to automate this process as well, but this will notify for each and every individual user.
- Get groups (memberOf) from the account request
- If the groups contain any of these (groupA, groupB, groupC), then check the user's groups in AD
- If the user is in any of the other two groups, then send an email or take some other action
You can use this PowerShell script in both an After Create (in case a user is created with more than one group) and an After Modify native rule.
Thanks
Krish
If the script is intended to run periodically against everybody, then I wouldn’t tie it to IdentityNow. I generally recommend using Windows Task Scheduler or some other tool your organization uses to schedule this on a periodic basis.
Krishna,
There are actually 300 groups that get checked in the PowerShell script, and each user can only be in one group as it relates to their geographic location in the organization. Our administrator wants it run on a schedule and to notify him with a list of any users that have made their way into two groups.
It sounds like I have three different options to accomplish this task. Unfortunately, I’m unsure if I have licensing for SoD Policy Violations.
I don’t think you need a separate license for SoD policy violations. Just go to the search page; you will find it on the left side.
You would need to create 299 combinations, and it is going to be a huge task. If you get one more group, you need to add the group to all combinations.
I feel it is better to schedule the PowerShell script on the IQService server and let it run daily.
If the script is intended to run periodically (e.g. at a weekly interval), then as @KevinHarrington suggested, the best way would be to schedule the PS script using Windows Task Scheduler on the same server.
You don’t need IdentityNow to drive the PS script. Moreover, if the PS script needs any data from IdentityNow, you can modify the PS script to make API calls to IdentityNow to get the required data, if this is something you are looking for from IdentityNow.
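The stand-alone, scheduled version that Kevin and Gaurav are pointing at, written here as an added example rather than code from the thread or from SailPoint. It generalises the three-group script at the top of the thread to any list of groups read from a file, drops non-user members so only real accounts are counted, and only sends mail when something is found; with no file and no SMTP server given it runs against constructed sample data so the logic can be checked without a domain. The group names, file paths, service account, SMTP host and mailbox addresses are all assumptions.

```powershell
<#
Check-LocationGroups.ps1 (added example, not from the original thread)

Reports users that are members of more than one "location" group.
Register once, elevated, to run weekly under a read-only service account
(account name, paths and addresses below are assumptions):

  $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-LocationGroups.ps1 -GroupFile C:\Scripts\location-groups.txt -SmtpServer smtp.example.com -To ad-admin@example.com'
  $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 07:00
  Register-ScheduledTask -TaskName 'Check-LocationGroups' -Action $action -Trigger $trigger -User 'DOMAIN\svc-adreport' -Password '<password>'

Reading group membership needs no special rights in a default domain, so the
task account does not need to be an admin.
#>
param(
    [string] $GroupFile  = '',                      # one group name per line
    [string] $SmtpServer = '',                      # leave empty to print instead of mail
    [string] $To         = 'ad-admin@example.com',  # assumption
    [string] $From       = 'ad-reports@example.com' # assumption
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Pure function: takes (SamAccountName, ADGroup) pairs and returns the accounts
# that appear under more than one group. Kept separate from the AD query so it
# can be exercised with constructed data.
function Find-MultiGroupUsers {
    param([Parameter(Mandatory)] [object[]] $Membership)
    $Membership |
        Group-Object -Property SamAccountName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.Name
                GroupCount     = $_.Count
                Groups         = ($_.Group.ADGroup | Sort-Object -Unique) -join '; '
            }
        }
}

# AD query: one Get-ADGroupMember call per group. -Recursive flattens nested
# groups; the objectClass filter drops computers, nested group objects and
# foreign security principals so Group-Object only counts user accounts.
# Caveat: Get-ADGroupMember fails on groups larger than the server's
# MaxGroupOrQueryMemberSize (5000 by default); for such groups query users
# with Get-ADUser -LDAPFilter "(memberOf=<group DN>)" instead.
function Get-LocationGroupMembership {
    param([Parameter(Mandatory)] [string[]] $GroupName)
    Import-Module ActiveDirectory
    foreach ($g in $GroupName) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object SamAccountName, @{ n = 'ADGroup'; e = { $g } }
    }
}

if ($GroupFile -and (Test-Path $GroupFile)) {
    $groups     = Get-Content $GroupFile | Where-Object { $_.Trim() }
    $membership = Get-LocationGroupMembership -GroupName $groups
} else {
    # Constructed sample data so the check can be run without a domain.
    $membership = @(
        [pscustomobject]@{ SamAccountName = 'alice'; ADGroup = 'Loc-London' },
        [pscustomobject]@{ SamAccountName = 'bob';   ADGroup = 'Loc-London' },
        [pscustomobject]@{ SamAccountName = 'bob';   ADGroup = 'Loc-Paris'  },
        [pscustomobject]@{ SamAccountName = 'carol'; ADGroup = 'Loc-Paris'  }
    )
}

$violations = @(Find-MultiGroupUsers -Membership $membership)

if ($violations.Count -eq 0) {
    Write-Output 'No users found in more than one location group.'
    return
}

$report = $violations | Sort-Object SamAccountName | Format-Table -AutoSize | Out-String

if ($SmtpServer) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "$($violations.Count) user(s) in more than one location group" `
        -Body $report
} else {
    Write-Output $report
}
```

Run without arguments to see the sample output (only bob is reported, with GroupCount 2 and Groups "Loc-London; Loc-Paris"); point -GroupFile at the list of 300 group names and add -SmtpServer to get the weekly mail the administrator asked for. Because the group list lives in a file, adding a 301st location group is a one-line edit rather than a change to the script or to a set of SoD policies.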