Disable and Move AD account Based on LCS

Hi,

We need to implement a change regarding Active Directory (AD) accounts for users on leave of absence and those who are inactive. Specifically, when an LCS user is marked as leave of absence, we should disable their AD account. Additionally, for inactive LCS users, we want their accounts to be disabled and moved to a designated Disabled OU.

Currently, we have Disable provisioning policies in place, but we need to adjust these settings to address our requirements effectively.

Any thoughts or suggestions on how to proceed with this?

{
  "name": "Disable Account",
  "description": "disable account",
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "AC_NewParent",
      "transform": {
        "attributes": {
          "value": "OU=DisabledUsers,DC=XXX,DC=XXX"
        },
        "type": "static"
      },
      "attributes": {
        "cloudRequired": "true"
      },
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msExchHideFromAddressLists",
      "transform": {
        "attributes": {
          "value": "true"
        },
        "type": "static"
      },
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    }
  ]
}

Thanks!

Hello @tejadidm,

Welcome to the SailPoint Developer Community!!

Based on my understanding, you want to implement the below:

a) For Leave of Absence (LOA) → Disable AD account only
b) For Inactive user → Disable AD account + Move to Disabled OU

Try using the code below:

{
  "name": "Disable Account",
  "description": "disable AD account for LOA and Inactive users",
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "AC_NewParent",
      "transform": {
        "type": "conditional",
        "attributes": {
          "expression": "$identity.employmentStatus == 'Inactive'",
          "positiveCondition": "OU=DisabledUsers,DC=XXX,DC=XXX",
          "negativeCondition": null
        }
      },
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msExchHideFromAddressLists",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "true"
        }
      },
      "type": "boolean"
    }
  ]
}





For LOA, you can configure this directly in the Lifecycle Management section of the Identity profile.

For the Inactive user use case, try adding the provisioning policy explained in the previous post by @Pankaj_IAM_SailPoint.

To disable AD accounts, you can manage through life cycle state. Once the life cycle state transitions to Disabled, the disable operation will be triggered and the provisioning policy can move the account to the Disabled OU.

Hi @Pankaj_IAM_SailPoint

Thank you, I tried this and there is no action when the account is inactive or leaveofabsence.

{
  "name": "Disable Account",
  "description": "disable AD account for LOA and Inactive users",
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "AC_NewParent",
      "transform": {
        "type": "conditional",
        "attributes": {
          "expression": "$identity.cloudLifecycleState == 'inactive'",
          "positiveCondition": "OU=DisabledUsers,DC=Test,DC=com",
          "negativeCondition": null
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msExchHideFromAddressLists",
      "transform": {
        "type": "static",
        "attributes": {
          "value": true
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "boolean",
      "isMultiValued": false
    }
  ]
}

As you need to carry out 2 different operations when the account is Disabled, in my opinion an SSI Rule is your best choice.

Check this post for more details on the rule.

Hello @tejadidm, can you try the code below:

{
  "name": "Disable Account",
  "description": "disable AD account for LOA and Inactive users",
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "AC_NewParent",
      "transform": {
        "type": "conditional",
        "attributes": {
          "expression": "$employmentStatus eq InActive",
          "positiveCondition": "$disabledOU",
          "negativeCondition": "null",
          "employmentStatus": {
            "attributes": {
              "name": "employmentStatus"
            },
            "type": "identityAttribute",
            "name": "Identity Attribute Transform"
          },
          "disabledOU": {
            "attributes": {
              "value": "OU=DisabledUsers,DC=XXX,DC=XXX"
            },
            "type": "static"
          }
        }
      },
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "msExchHideFromAddressLists",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "true"
        }
      },
      "type": "boolean"
    }
  ]
}

Hi @IAMpdu

Thank you, no action when cloudlifecyclestate changes to leaveofabsence or inactive.

Hi @tejadidm! Can you try the approach below please. Thanks

  1. Create a Conditional transform
{
    "name": "disableOU-test-logic",
    "type": "conditional",
    "attributes": { 
        "expression": "$lifecycleState eq inactive", 
        "positiveCondition": "$disabledOU",
        "negativeCondition": "",
        "lifecycleState": { 
            "type": "identityAttribute", 
            "attributes": { 
                "name": "cloudLifecycleState"
             }
         },
         "disabledOU": { 
             "type": "static",
             "attributes": {
                 "value": "OU=DisabledUsers,OU=People,DC=XXX,DC=XXX"
             }
         }
     }
}

  2. Please use the reference transform in the Disable policy
{
     "name": "DisableOU",
     "description": null,
     "usageType": "DISABLE",
     "fields": [ 
        { 
           "name": "AC_NewParent",
           "transform": { 
               "attributes": { 
                  "id": "disableOU-test-logic" 
               },
               "type": "reference",
               "name": "DisableOU Ref Transform"
           },
           "attributes": {},
           "isRequired": false,
           "type": "string",
           "isMultiValued": false
        }
     ]
}
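As an added example (not SailPoint's code and not from any of the posts above), this Python models how a conditional transform of the documented `$var eq value` shape, like the `disableOU-test-logic` transform just above, resolves `AC_NewParent` for the lifecycle states in this thread; the `static` and `identityAttribute` nested-definition semantics are an assumption of this local model, not SailPoint's engine. The same check rejects an expression such as `$identity.employmentStatus == 'Inactive'` from the earlier suggestion, which does not fit that shape.

```python
import re

# Only the documented "$var eq value" shape is accepted; anything else is rejected
# up front so a malformed expression fails loudly instead of silently never matching.
EXPR = re.compile(r"^\$(\w+)\s+eq\s+(\S+)$")

def resolve(value, attributes, identity):
    """Resolve a literal, a $variable, or a nested transform definition (assumed semantics)."""
    if isinstance(value, dict):  # nested transform definition
        if value["type"] == "static":
            return value["attributes"]["value"]
        if value["type"] == "identityAttribute":
            return identity.get(value["attributes"]["name"], "")
        raise ValueError(f"unsupported nested transform: {value['type']}")
    if isinstance(value, str) and value.startswith("$"):
        return resolve(attributes[value[1:]], attributes, identity)
    return value

def conditional(transform, identity):
    """Evaluate a conditional transform against one identity's attribute values."""
    attrs = transform["attributes"]
    m = EXPR.match(attrs["expression"])
    if not m:
        raise ValueError(f"invalid expression: {attrs['expression']!r}")
    var, expected = m.groups()
    actual = resolve("$" + var, attrs, identity)
    branch = "positiveCondition" if str(actual) == expected else "negativeCondition"
    return resolve(attrs[branch], attrs, identity)

# Transform from the thread above; the OU is a placeholder value.
DISABLE_OU_LOGIC = {
    "name": "disableOU-test-logic",
    "type": "conditional",
    "attributes": {
        "expression": "$lifecycleState eq inactive",
        "positiveCondition": "$disabledOU",
        "negativeCondition": "",
        "lifecycleState": {"type": "identityAttribute",
                           "attributes": {"name": "cloudLifecycleState"}},
        "disabledOU": {"type": "static",
                       "attributes": {"value": "OU=DisabledUsers,OU=People,DC=XXX,DC=XXX"}},
    },
}

def new_parent_for(lifecycle_state):
    """AC_NewParent the DISABLE policy would send for a given cloudLifecycleState."""
    return conditional(DISABLE_OU_LOGIC, {"cloudLifecycleState": lifecycle_state})
```

An empty `AC_NewParent` for `leaveofabsence` means the account is disabled in place, while only `inactive` yields the Disabled OU, which is the split the original question asks for.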

Hi @Tursun Should I map the transform to AD DistinguishedName attribute?

Hi, no need to map it. Just use reference transform in the Disable policy.

Alternatively you can create two Identity attributes for mapping where the OU should be and where it is, and use this disparity to force the move:
See my post here:
Substring Transform within Workflow - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

Hi @Tursun I am not seeing the account disabled, or disabled and moved, in either scenario.

Thank you

Hi @tejadidm Silly question, but have you associated disable account with the lifecycle states?

Hi @j_place Yes, source is already in both lifecycle states.

Hi,
Just ticking all boxes, have you added the source to both LCS in the identity profile to disable the source?

Hi @PhilRawlings1

Yes, I added the AD source in both the leaveofabsence and inactive identity profile states. While testing I noticed that when the identity status changes to leaveofabsence the AD account is disabled, but when the status changes to inactive the account is not disabled.

I had a similar scenario, where in the disable provisioning policy form we checked the "cloudlifecyclestate" value.

1. In case of LOA, what is the "cloudlifecyclestate" value? Depending on that value, just disable the account.

2. For Disabled accounts, cloudlifecyclestate is inactive; check it and the AC_NewParent value as well, and move the accounts to the disabled OU.

Do you have disable policy?

Same here, I had a similar scenario as well and I proposed this earlier in the chat.