Delay AD account disable during leaver process

IdentityIQ (IIQ) IIQ Discussion and Questions
1

How to delay AD account disable during leaver process?
I added Thread.sleep method for 1 min in the AD before provisioning rule-Disable operation but it is not working.

2

Hello Jespa,

Can you share the code which you are using in the before provisioning rule and are you encountering any error?

3

Hi Aishwarya,
I did not get any error.i have given part of the rule.

List acctReqs = plan.getAccountRequests();
if (acctReqs != null) {
for (AccountRequest eachAcctReq : acctReqs) {

  acctId = eachAcctReq.getNativeIdentity();
  appName = eachAcctReq.getApplicationName();
  operation = eachAcctReq.getOperation().toString();
  if(appName.startsWith("Active Directory")){
	  if ("Disable".equals(operation)) 
	 {
		/Thread.sleep(1000);
		   //For AD App - Disable
		modifyUser = new AccountRequest();
		modifyUser.setApplication(appName);
		modifyUser.setNativeIdentity(acctId);
4

acctId = eachAcctReq.getNativeIdentity();
appName = eachAcctReq.getApplicationName();
operation = eachAcctReq.getOperation().toString();
if(appName.startsWith(“Active Directory”)){
if (“Disable”.equals(operation))
{
Thread.sleep(1000);
//For AD App - Disable
modifyUser = new AccountRequest();
modifyUser.setApplication(appName);
modifyUser.setNativeIdentity(acctId);

5

You can alternatively try this -
sailpoint.tools.Util.sleep(int millis)
Pause for a specified number of milliseconds

6

It works, you have given 1000 milli sec which is 1 sec, that’s why you couldn’t find the difference, increase and test it.

However I would recommend you to look into Workflow wait concept as well.

Thanks
Krish

1 Like
7

hi Krishna,
I tested with 2 min,1 and 30 sec also but AD account is still active.
I ran AD account aggregation task also.
do I need to apply workflow wait concept within workflow?Could you plesae give some idea on this?

Regards,
Jespa

8

Hey @jespaancy did you check whether the code is going through the if block for disable?

9

Rule

  1. Make sure your disable operation is working fine.
  2. Add delay in your before provisioning Rule, observe the behavior. I guess it works.
  3. I have not come across this kind of implementation, i.e using thread sleep in Rule. But I feel this may not be a good approach. However it is subject to the requirements.

Workflow

  1. We use Leaver life cycle event to take care of all the leavers in the organization. Leaver will trigger a workflow, where you can use Wait concept in Workflow steps.
  2. You can create a separate step for AD disable operation with Wait which will be represented as
    <Step name="Wait for next check" wait="duration">
  3. Or you can add empty step with just waiting, no script in it then transition to AD Disable step.
  4. But this may take you to different direction if your IIQ is not using Leaver at all.

Thanks
Krish

1 Like
10

Yes, please listen to @KRM71 here!

Do NOT use thread.sleep in a Rule or workflow. Rather than just delaying your operation, you’re blocking one of IIQ’s limited pool of worker threads. You should use a Workflow “wait” step and/or a Request to delay the invocation by a certain period of time.

2 Likes
11

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.