DISABLE Provision Policy update the accountExpires attribute in AD

mgrant · March 27, 2025, 10:52pm

Hi Team,

I have created a DISABLE Provisioning policy and it is working as expected. I would like to update the accountExpires attribute in AD with the same date the account is disabled by the provisioning policy.

Is this something that can be done in the DISABLE provision policy I created below?

{
    "name": "Disable Account",
    "description": null,
    "usageType": "DISABLE",
    "fields": [
        {
            "name": "AC_NewParent",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "OU=,OU=Users,OU=,OU=,DC=,DC="
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "description",
            "transform": {
                "type": "static",
                "attributes": {
                    "disabledate": {
                        "type": "dateMath",
                        "attributes": {
                            "expression": "now",
                            "roundUp": true
                        }
                    },
                    "value": "Deprovisioned on $disabledate "
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

David_Norris · March 27, 2025, 10:58pm

A date format to EPOCH_TIME_WIN32 should do the trick.

mgrant · March 27, 2025, 11:02pm

Hi Terry - thanks for chiming in - am I able to add it in the Provisioning policy itself or would I need a transform or BP rule? I was hoping there was a way I could add it in the Source Provisioning policy or the source config.

JackSparrow · March 28, 2025, 4:18am

Hi @mgrant ,

It can be done both the ways using BP and DISABLE Prov policy. Its best to use Prov policy. Just add below transform to your existing disable prov policy.

{
    "type": "static",
    "attributes": {
        "value": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "type": "dateFormat",
                        "attributes": {
                            "inputFormat": "now",
                            "outputFormat": "EPOCH_TIME_WIN32"
                        }
                    },
                    "null"
                ],
            }       
        }
    },
    "name": "accountExpires"
}

mgrant · March 31, 2025, 10:20pm

Hi Theja,

Awesome! Is it a matter of just adding it as one of the fields listed?

JackSparrow · April 1, 2025, 4:30am

Hi @mgrant ,

Yes, just use below API to add it to existing DISABLE policy.

schattopadhy · April 1, 2025, 10:31am

@mgrant for disabling at the same date you might need to use the before rule we have done that .however provisioning policy if you are using what error you are getting let me know?

Thanks
Shantanu

Sivakrishna1993 · April 1, 2025, 8:42pm

Yes you can develop transform and use the same for accountexpire attribute. Make sure you have to use in epoch time stamp for AD.

Thanks,
Siva.K

mgrant · April 11, 2025, 10:47pm

Awesome,

That worked.

I have another scenario. I have a use case where I want to move user’s to an email hold manually when moving the emailhold LCS. Because the emailHold and the terminated LCS both disable a user, when a user moved to the terminated LCS they move to the emailHold LCS. How do I ensure the manual LCS move to emailhold and the terminated LCS execute separately from each other?

Below is the provisioning policy in the AD source. I am using a BP rule and LCS rule to calculate LCS for terminated.

Is this creating a conflict?

{
    "name": "Disable Account",
    "description": null,
    "usageType": "DISABLE",
    "fields": [
        {
            "name": "AC_NewParent",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "OU=EmailHold,OU=,OU=,OU=,DC=agloan,DC="
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "description",
            "transform": {
                "type": "static",
                "attributes": {
                    "disabledate": {
                        "type": "dateMath",
                        "attributes": {
                            "expression": "now",
                            "roundUp": true
                        }
                    },
                    "value": "EMailHold Deprovisioned on $disabledate "
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}