Deploy Services Standard Rule

Hi All

The Service Standard Rule by SailPoint on the mock project is an awesome option for many AD use cases, like scrambling passwords, deleting accounts, moving OUs, etc.

I’ve read many posts about people advising to use this rule for such use cases, and several mentioning that you can deploy this rule yourself, but I can’t seem to find any documentation on how to do this. Can anyone advise or point me in the right direction?

Also, on the mock project page, I see this disclaimer and note:

For anyone who has deployed this in customer environments, what process did you use to get approval before deploying the rule?

@colin_mckibben, are there any plans to make this rule actually standard with all tenants as I’m sure this would benefit a lot of customers across their AD use cases?

Thanks
Irshaad

3 Likes

@Irshaad_Laher_WS I have not used this rule personally, but the Service Standard rule needs to be deployed once (it will require Expert Services to deploy the rule) and does not require multiple deployments, unlike a before provisioning rule (as the business logic is applied at the source level).

Please refer to the resolved post below:
Services Standard Before Provisioning Rule - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

You will find the use cases that can be achieved in the mock project.

Let's see the responses from other experts.

Regards,
Shekhar Das

Once a cloud rule has been deployed to a tenant, it can be exported with the VS Code extension or the API and updated into a different tenant. You can do this with any rule that has been vetted by SailPoint and has been deployed by SailPoint.

My recommendation would be to have SailPoint deploy it to the customer environment. 1) if they implement it into a production environment then the disclaimer of it only being used for a mock project seems to be null and void as SailPoint deployed it. 2) The version I have might be different from what SailPoint is currently deploying. Asking SailPoint to deploy it will allow you to have the most updated version.

Once it is deployed you can export it and review the rule logic for personal understanding and even to write your own rule. When you choose to deploy it to a different tenant, such as a devrel, partner tenant, etc., you can then do a comparison of the source it is being used by.

On the source you are using the rule, you will need to update it to reference the rule:

    "accountCorrelationRule": null,
    "managerCorrelationMapping": null,
    "managerCorrelationRule": {
        "type": "RULE",
        "id": "f58c1c57af7e45efa5c669fcbefd5f38",
        "name": "Cloud Correlate Manager by AccountId"
    },
    "beforeProvisioningRule": {
        "type": "RULE",
        "id": "35be5905dbcd47ec81c9e174b49a64a9",
        "name": "Services Standard IdentityNow BeforeProvisioning Rule"
    },
    "schemas": [
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "894a9fc01b8948458fc38bea6dcb9457",
            "name": "account"
        },

Under the connector attributes on the source you will need to add the parameters / logic for the rule for that connector. Below is a sample, not a default config or intended for customers.

        "cloudServicesIDNSetup": {
            "eventConfigurations": [
                {
                    "eventActions": [
                        {
                            "Action": "ThrowError",
                            "Attribute": null,
                            "Value": "Identity is not Ready. Stopping provisioning."
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "samaccountname",
                            "Value": "None",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Create"
                },
                {
                    "eventActions": [
                        {
                            "Action": "ChangeOperation",
                            "Attribute": null,
                            "Value": "Delete"
                        }
                    ],
                    "Account Attribute Update Triggers": [
                        {
                            "Attribute": "extensionAttribute1",
                            "Value": "termDeleted",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Modify"
                }
            ]
        },

You would also need to add this to the connector attributes section:

        "beforeProvisioningRule": "Services Standard IdentityNow BeforeProvisioning Rule",

1 Like
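A pre-deployment review check for the source changes described in the post above, as an added example (not part of the original thread and not SailPoint's code). It assumes the exported source JSON keeps the sample keys from the post under a `connectorAttributes` object; the sample source, its name and the placeholder rule id are constructed.

```python
import json

# Constructed sample source export. Key names come from the post above; the
# "connectorAttributes" wrapper, source name and rule id are assumptions.
SAMPLE_SOURCE = json.loads("""
{
  "name": "Example AD",
  "beforeProvisioningRule": {
    "type": "RULE",
    "id": "<rule-id-in-your-tenant>",
    "name": "Services Standard IdentityNow BeforeProvisioning Rule"
  },
  "connectorAttributes": {
    "beforeProvisioningRule": "Services Standard IdentityNow BeforeProvisioning Rule",
    "cloudServicesIDNSetup": {
      "eventConfigurations": [
        {"Operation": "Create",
         "Identity Attribute Triggers": [
           {"Attribute": "samaccountname", "Value": "None", "Operation": "eq"}],
         "eventActions": [
           {"Action": "ThrowError", "Attribute": null,
            "Value": "Identity is not Ready. Stopping provisioning."}]},
        {"Operation": "Modify",
         "Account Attribute Update Triggers": [
           {"Attribute": "extensionAttribute1", "Value": "termDeleted", "Operation": "eq"}],
         "eventActions": [
           {"Action": "ChangeOperation", "Attribute": null, "Value": "Delete"}]}
      ]
    }
  }
}
""")

def review_source(source):
    """Return (problems, review_items) for one exported source object."""
    problems, review = [], []
    attrs = source.get("connectorAttributes") or {}
    top = (source.get("beforeProvisioningRule") or {}).get("name")
    inner = attrs.get("beforeProvisioningRule")
    # The post sets the rule in two places; flag them when they disagree.
    if top != inner:
        problems.append(f"rule name mismatch: source={top!r} connectorAttributes={inner!r}")
    events = (attrs.get("cloudServicesIDNSetup") or {}).get("eventConfigurations") or []
    for i, ev in enumerate(events):
        triggers = [k for k in ev if k.endswith("Triggers")]
        for act in ev.get("eventActions", []):
            # Surface events that turn an operation into an account deletion.
            if act.get("Action") == "ChangeOperation" and act.get("Value") == "Delete":
                review.append(f"event {i}: {ev.get('Operation')} is changed to Delete; triggers: {triggers}")
    return problems, review
```

Running `review_source` on the export from each tenant before promotion gives the approver a short list of the events that end in a delete, alongside any mismatch between the two rule references.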

There aren’t any plans that I’m aware of. Expert Services owns these rules, so you could try asking them next time you engage with their team.

1 Like
