Delete account after terminating

Hi everyone,

We have a use case to delete a user's AD account after 90 days of termination. We have tried to implement transforms for the LCS state which will move the user to the delete state.

Has anyone implemented a similar kind of requirement? Please share.

Thanks

Hi @haricc200,

That’s the right approach. We need to handle it via LCS. You can write logic in a transform where the user moves from “terminate” to “delete” LCS after 90 days of end date. Then in the Identity profile you can add the AD source directly in the delete accounts list.

@haricc200

You are right, you can use the below methods.

Method one

1- Create an LCS state which will help you to move the user into the delete state using a transform, where you can mostly use the date compare transform

2- For the LCS state delete, enable the AD accounts since they are disabled currently

3- Write a before provisioning rule in AD to capture this enable event and LCS and delete the account

Method two (use new feature delete)

1- Create an LCS state which will help you to move the user into the delete state using a transform, where you can mostly use the date compare transform

2- For the LCS state delete, trigger the delete operation, which is a new feature available

Let me know if any help is required.

Thanks

Thanks @schattopadhy

Can you share some sample transforms for the same?

As others mentioned, your approach is correct, and I would leverage the delete account feature (New Capability: Delete Accounts on Termination via Lifecycle Management - Announcements / Product News - SailPoint Developer Community), which comes with its own advantages, like it is auditable and cost effective, only if your source supports the delete operation. If the source does not support it, then you may think about the cloud rules (either a before provisioning rule or the Services Standard before provisioning rule).

Below is a sample transform with only the 90-day calculation based on end date; you can add more conditions based on your scenario.

{
    "name": "Calculate delete LCS",
    "type": "static",
    "attributes": {
        "day90Term": {
            "attributes": {
                "negativeCondition": "FALSE",
                "positiveCondition": "TRUE",
                "firstDate": {
                    "attributes": {
                        "input": {
                            "attributes": {
                                "values": [
                                    {
                                        "attributes": {
                                            "attributeName": "END_DATE",
                                            "sourceName": "HR Source"
                                        },
                                        "type": "accountAttribute"
                                    },
                                    "12/31/9999"
                                ],
                                "ignoreErrors": "true"
                            },
                            "type": "firstValid"
                        },
                        "inputFormat": "MM/dd/yyyy",
                        "outputFormat": "ISO8601"
                    },
                    "type": "dateFormat"
                },
                "secondDate": {
                    "attributes": {
                        "input": {
                            "attributes": {
                                "expression": "now-90d/d"
                            },
                            "type": "dateMath"
                        },
                        "inputFormat": "yyyy-MM-dd'T'HH:mm",
                        "outputFormat": "ISO8601"
                    },
                    "type": "dateFormat"
                },
                "operator": "lte"
            },
            "type": "dateCompare"
        },
        "value": "#if ($day90Term == 'TRUE')delete#{else}others#end"
    }
}
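
An added example, not part of the original post and not SailPoint code: a small Python model of the transform above, for checking the 90-day boundary and the missing-END_DATE fallback against constructed HR records before the transform is allowed to drive account deletion. The function names, the UTC assumption for `now`, the treatment of empty strings, and the sample records are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

SENTINEL = "12/31/9999"  # fallback literal from the transform's firstValid list

def first_valid(*values):
    """Model of firstValid: the first value that is neither None nor empty."""
    return next((v for v in values if v not in (None, "")), None)

def threshold(now, days=90):
    """Model of dateMath 'now-90d/d': subtract, then round down to 00:00 (UTC assumed)."""
    t = now.astimezone(timezone.utc) - timedelta(days=days)
    return t.replace(hour=0, minute=0, second=0, microsecond=0)

def lcs_state(end_date, now):
    """Return 'delete' or 'others', mirroring the transform's Velocity value."""
    raw = first_valid(end_date, SENTINEL)
    # dateFormat MM/dd/yyyy -> midnight; a malformed date raises ValueError here
    # rather than silently mapping to a state (choice made for this model).
    first = datetime.strptime(raw, "%m/%d/%Y").replace(tzinfo=timezone.utc)
    day90_term = "TRUE" if first <= threshold(now) else "FALSE"  # operator lte
    return "delete" if day90_term == "TRUE" else "others"

# Constructed sample HR records (identity, END_DATE), not real data.
SAMPLE = [
    ("a.day90", "04/01/2024"),   # exactly 90 days before NOW
    ("b.day89", "04/02/2024"),   # 89 days: still inside retention
    ("c.active", None),          # no END_DATE: sentinel keeps it out of delete
    ("d.blank", ""),             # empty string treated like missing in this model
    ("e.old", "01/15/2023"),     # long past the window
]
NOW = datetime(2024, 6, 30, 15, 30, tzinfo=timezone.utc)

def deletion_candidates(records, now):
    """Identities the model would move to the delete state at 'now'."""
    return [name for name, end in records if lcs_state(end, now) == "delete"]

if __name__ == "__main__":
    for name, end in SAMPLE:
        print(f"{name:10} END_DATE={end!r:14} -> {lcs_state(end, NOW)}")
    print("would delete:", deletion_candidates(SAMPLE, NOW))
```

Because the comparison is `lte` against a day-rounded threshold, an END_DATE exactly 90 days back already qualifies for delete, which is the boundary worth confirming against the retention policy.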

Hello, Hari Kumar.

Hope you are doing great.

To complement the other answers given previously, below is a transform example that we have used recently and that may help you to build your own.

The status in this case of the example would be like this:

• preLeaver → still active, but with status 0 and no inactivation data coming up.

• preInactive → status 0, already within the pre-inactivation window (after 06:00pm, customer time).

• inactive → status 0 and has already passed the inactivation data stage (after 15 days).

            {
                "type": "static",
                "attributes": {
                    "status": {
                        "type": "accountAttribute",
                        "attributes": {
                            "sourceName": "AuthoritativeSource",
                            "attributeName": "COD_ESTADO_OCUPACION"
                        }
                    },
                    "fechaInativa": {
                        "type": "firstValid",
                        "attributes": {
                            "values": [
                                {
                                    "type": "dateCompare",
                                    "attributes": {
                                        "firstDate": {
                                            "type": "dateMath",
                                            "attributes": {
                                                "expression": "+15d",
                                                "roundUp": false,
                                                "input": {
                                                    "attributes": {
                                                        "input": {
                                                            "attributes": {
                                                                "sourceName": "AuthoritativeSource",
                                                                "attributeName": "FEC_RETIRO"
                                                            },
                                                            "type": "accountAttribute"
                                                        },
                                                        "inputFormat": "yyyyMMdd",
                                                        "outputFormat": "ISO8601"
                                                    },
                                                    "type": "dateFormat"
                                                }
                                            }
                                        },
                                        "secondDate": {
                                            "type": "dateMath",
                                            "attributes": {
                                                "expression": "now",
                                                "roundUp": false
                                            }
                                        },
                                        "operator": "lt",
                                        "positiveCondition": "yes",
                                        "negativeCondition": "no"
                                    }
                                },
                                "none"
                            ]
                        }
                    },
                    "fechaPreinativa": {
                        "type": "firstValid",
                        "attributes": {
                            "values": [
                                {
                                    "type": "dateCompare",
                                    "attributes": {
                                        "firstDate": {
                                            "type": "dateMath",
                                            "attributes": {
                                                "expression": "+18h",
                                                "roundUp": false,
                                                "input": {
                                                    "attributes": {
                                                        "input": {
                                                            "attributes": {
                                                                "sourceName": "AuthoritativeSource",
                                                                "attributeName": "FEC_RETIRO"
                                                            },
                                                            "type": "accountAttribute"
                                                        },
                                                        "inputFormat": "yyyyMMdd",
                                                        "outputFormat": "ISO8601"
                                                    },
                                                    "type": "dateFormat"
                                                }
                                            }
                                        },
                                        "secondDate": {
                                            "type": "dateMath",
                                            "attributes": {
                                                "expression": "now-5h",
                                                "roundUp": false
                                            }
                                        },
                                        "operator": "lt",
                                        "positiveCondition": "yes",
                                        "negativeCondition": "no"
                                    }
                                },
                                "none"
                            ]
                        }
                    },
                    "listaBlanca": {
                        "type": "reference",
                        "attributes": {
                            "id": "BCP-GetExceptionStatus"
                        }
                    },
                    "value": "#if($status == '0' && $fechaInativa == 'no' && $fechaPreinativa == 'no' && $listaBlanca == 'false')preLeaver#elseif($status == '0' && $fechaInativa == 'no' && $fechaPreinativa == 'yes' && $listaBlanca == 'false')preInactive#elseif($status == '0' && $fechaInativa == 'yes' && $listaBlanca == 'false')inactive#end"
                }
            }

Hope it helps.

@haricc200 please find a sample transform:

{
    "name": "Transform-LCS",
    "type": "static",
    "attributes": {
        "attributeValue": {
            "attributes": {
                "firstDate": {
                    "attributes": {
                        "expression": "now-<n>d",
                        "roundUp": false
                    },
                    "type": "dateMath"
                },
                "negativeCondition": {
                    "attributes": {
                        "value": "terminate"
                    },
                    "type": "static"
                },
                "operator": "gte",
                "positiveCondition": {
                    "attributes": {
                        "value": "delete"
                    },
                    "type": "static"
                },
                "secondDate": {
                    "attributes": {
                     
                    },
                    "type": "firstValid"
                }
            },
            "type": "dateCompare"
        },
        "userStatus": {
           
        },
        "value": "$attributeValue"
    },
    "internal": false
}

@kevisoliveira I will look into this transform and try to implement it. Thanks for your great help.

@schattopadhy thanks for your help

@schattopadhy I was able to use this since we have two states, terminate and delete. We were able to use the format mentioned.