We would like to create the AD account in disabled status during the pre-hire lifecycle state. We can use the IIQDisabled attribute and a before-provisioning rule to set it, but is there any other way we can achieve this?
You should have the Life Cycle States (LCS) below:
- Pre-Hire
- Active or Joiner
- Inactive or Leaver
- Deleted (After 30 days of last date)
Implementation
- Set LCS as Pre-Hire, create the AD account in disabled state
- Move the user to Active once the start date arrives
- In the Active LCS, enable the AD account with the config below
The user gets enabled automatically.
Thanks
Krish
@MVKR7T
The first use case itself is not working: in the pre-hire state, the AD account is getting created in enabled status instead of disabled status. We've all LCS in place already, but we're not sure if it is the product behavior that the account is created in enabled status, even though we checked the 'Disable accounts' checkbox.
Use User Account Control (UAC) to create the account in disabled status, which is 514; for enabled status it is 512.
It may be because there are two different plans generated: one for creating the account in AD and the other for disabling it. Plans can be generated in any order, so the account got created in an enabled state, and the disable operation may not get triggered by itself, as there is no identity.
Use the 'IIQDisabled' attribute in the AD create account section and send a false value to create the account in disabled state.
What is the purpose of the IIQDisabled attribute?
Every source has a different attribute that defines its status; some of them are
- Status
- Employee Status
- Active
- Inactive
- ...etc.
How do you know if an account is enabled or disabled? Do you search for an attribute inside the account data? But you might not know the attribute name.
That is where we use IIQDisabled. You set IIQDisabled to true if the account is disabled/inactive during aggregation.
IIQDisabled is only for SailPoint, not for target sources.
Can you use an attribute in the Provisioning Policy form which doesn't exist in the source?
For AD, we use User Account Control (UAC) to control the account status.
Thanks
Krish
Yeah, as @MVKR7T said, we would use UAC (User Account Control) to control the account status.
When the account gets created in AD, initially it contains a UAC value of 512 (0x200 in hexadecimal). When the account is disabled the value changes to 514 (0x202 in hexadecimal).
So, in your case, first, during the creation of a new user account, set the UAC value to 514. When the user becomes 'Active' (for example, when they are ready to start using the account), update the UAC value to 512.
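The 512/514 values above are only the two most common cases: userAccountControl is a bitmask, and an account is disabled whenever the ACCOUNTDISABLE bit (0x2) is set, whatever other bits are present (a normal account with "password never expires" is 66048 enabled and 66050 disabled, and a literal comparison against 514 would miss it). The following is an added example, not code from the thread or from SailPoint: it decodes the documented userAccountControl flag bits, toggles only the disable bit, maps a lifecycle state to the expected UAC using the prehire-disabled / otherwise-enabled rule the thread describes, and reports drift over a small constructed set of aggregated accounts. The lifecycle state names and the sample accounts are assumptions for illustration.

```python
"""Decode and manipulate the AD userAccountControl (UAC) bitmask.

Added example for this thread; not code from SailPoint or any poster.
Flag values are the documented userAccountControl constants from Microsoft's
AD documentation; the sample accounts below are constructed for illustration.
"""

UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}

ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]


def decode_uac(value: int) -> list:
    """Return the names of every flag set in a UAC value, lowest bit first."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def is_disabled(value: int) -> bool:
    """True if the ACCOUNTDISABLE bit (0x2) is set, whatever else is set.

    Comparing against the literal 514 misses accounts that also carry other
    flags such as DONT_EXPIRE_PASSWORD (66050 is disabled too).
    """
    return bool(value & ACCOUNTDISABLE)


def set_disabled(value: int, disabled: bool) -> int:
    """Return the UAC value with only the ACCOUNTDISABLE bit changed."""
    return value | ACCOUNTDISABLE if disabled else value & ~ACCOUNTDISABLE


def expected_uac(lcs: str, current_uac: int) -> int:
    """Map a lifecycle state to the UAC an AD account should carry.

    Mirrors the IIQDisabled rule from the thread: prehire -> disabled,
    every other state -> enabled. The state name "prehire" is an assumed
    technical name; match it to your identity profile.
    """
    return set_disabled(current_uac, lcs.lower() == "prehire")


# Constructed sample: what an aggregation might return for four accounts.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe",   "cloudLifecycleState": "prehire", "userAccountControl": 512},
    {"sAMAccountName": "asmith", "cloudLifecycleState": "active",  "userAccountControl": 514},
    {"sAMAccountName": "svc-bk", "cloudLifecycleState": "active",  "userAccountControl": 66048},
    {"sAMAccountName": "rlee",   "cloudLifecycleState": "prehire", "userAccountControl": 66050},
]


def find_drift(accounts):
    """Return (sAMAccountName, current, expected) for each account whose
    disabled bit does not match its lifecycle state."""
    drift = []
    for acct in accounts:
        current = acct["userAccountControl"]
        want = expected_uac(acct["cloudLifecycleState"], current)
        if want != current:
            drift.append((acct["sAMAccountName"], current, want))
    return drift


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        uac = acct["userAccountControl"]
        print(f"{acct['sAMAccountName']:8} {uac:6} disabled={is_disabled(uac)} "
              f"flags={decode_uac(uac)}")
    for name, cur, want in find_drift(SAMPLE_ACCOUNTS):
        print(f"drift: {name} has UAC {cur}, lifecycle state expects {want}")
```

Running it flags jdoe (prehire but enabled) and asmith (active but disabled) while leaving svc-bk and rlee alone, because the check tests the disable bit rather than the whole value. The same bit test is what to use when reconciling aggregated UAC values against IIQDisabled after a lifecycle change, since a real account may carry flags beyond NORMAL_ACCOUNT.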
Hi Seemarani,
Try creating without setting the password; the account will get created in disabled state. Alternatively, we need to disable the account explicitly through a workflow after it is created in enabled state.
Regards
Arjun
Hi @Shonnegowda,
We can create a transform based on LCS to say: if LCS = active, IIQDisabled = false, else true. A simple lookup transform in the create profile.
And in the provisioning tab of the identity profile, enable the AD account on the active LCS.
-Abhinov
Thanks, everyone, I'll try it.
The connector will take care of which attribute needs to be set based on the 'IIQDisabled' flag.
Ex: the AD connector will internally send the UAC value as 512/514 when the 'IIQDisabled' flag is true/false.
I've created the same. But I'm not able to test the scenario when the user is moved from prehire -> active state, where it should enable the AD account automatically. I've added the transform in the update policy.
Hi Seemarani Honnegowda,
You can create an LCS for Pre-Hire and Active. In the Provisioning tab, you can disable the AD account for Pre-Hire, and in the Active LCS, enable the AD account if the user is moving from Pre-Hire to Active.
Thanks,
Prasanna Ramaiah
@Shonnegowda I have not practically tested this, but you can surely try this:
Write a transform (it can be an identity attribute or directly in the create profile mapping) to check the cloudLifecycleState; if it is prehire then set 'IIQDisabled' as true or false based on your requirement.
Regards,
Shekhar Das
@Anshu_Kunal As you mentioned, the UAC value should be set automatically as per IIQDisabled.
During initial AD account creation, the AD account status is set properly: if it is prehire then in disabled mode with UAC as 514, and vice versa for the rest of the statuses, 512 as the UAC value.
I'm facing an issue when the user is changed from prehire -> active state. My expectation is that the AD account in IDN will be active; this is happening, but the UAC value is not getting changed to 512. How do we take care of this update case?
I've the transform created to set IIQDisabled, which is added in both the create and update policy, but the update is not working.
```json
{
  "name": "IIQDisabled-AD",
  "type": "lookup",
  "attributes": {
    "input": {
      "type": "identityAttribute",
      "attributes": {
        "name": "cloudLifecycleState"
      }
    },
    "table": {
      "prehire": "TRUE",
      "default": "FALSE"
    }
  },
  "internal": false
}
```
You need to handle this under the Identity Profiles section.
To enable or disable accounts for users who enter this lifecycle state:
- Under Settings for Previous Accounts, select Configure Changes.
- Under Account Configuration Options, choose Enable Accounts or Disable Accounts. You can also select both, assigning different sources to each.
- Choose which sources' accounts to enable or disable from the list of available sources. Select + Add after each selection.