I’ve come across a weird case that I think isn’t possible, but wanted to see if anyone has found a solution for this.
I’m trying to create 1 certification for multiple Microsoft SQL Server sources and I want to exclude disabled accounts from the campaign. I recognize the two most common ways of doing this is by filtering based on the Identity lifecycle state and also using a campaign filter to include only the account attributes that show as “ACTIVE” or “ENABLED”, etc…
Problem with this is the source I’m working with does not have an account attribute that indicates the status of the account, but it has IIQDisabled in the background (I can see accounts are disabled/enabled in the UI). I’m assuming in the backend there is an is_disabled flag, but this OOTB connector does not display the actual account attribute for me to do a filter on.
So I’m wondering if anyone has any magic or customization that I haven’t thought of to make this possible. Thanks in advance!
Hey @trettkowski - If you try an exclusion filter with Criteria Type Account Attribute, then the source, you are saying that IIQDisabled does not show in the Attribute list? If not, they you may have to add it to the schema with a SQL query if you know what value(s) can determine what it should be. ISC is definitely looking at some background value if it is displaying it in the UI.
Unfortunately, IIQDisabled is not included in the account attributes. Since this is an out of the box Microsoft SQL Server connector, it’s also not possible to add it to the schema. If you do add it, the aggregations will fail.
You gave me the idea to see if I could find the attribute it’s doing this calculation on and apparently it’s is_disabled. I added that to the schema and the aggregations work and it pulls it in. So it looks like I’ll be able to use the campaign filter after all.
Great suggestion by @ryan_toornburg to get your to is_disabled.
Do follow up and let us know if you were able to get this working for multiple sources and if there were any other issues you ran into. I feel others may have similar issues.
Yes, this worked! I ended up creating a script to update the source schema’s as well as the campaign filter as typing them all manually was painful, but after doing that and running the campaign via the API, it seemed to work really well!
So does your script add all the specific access items you want to certify to the Campaign Filter and then use a query to get the users? I didn’t see a reference to the Campaign Filter in Mark’s suggestion, but he does mention adding the identities to the Search Campaign individually from the results of the query
It uses a query to get all the access associated with the sources, then uses the campaign filter to only bring in the accounts with the is_disabled == false
Here is my payload:
$CampaignPayload = @{
name = "$sourceName Access Review - Status: Active - $(Get-Date -Format 'yyyy-MM-dd')"
description = "Filtered campaign for $sourceName sources via PowerShell script."
type = "SEARCH"
searchCampaignInfo = @{
type = "ACCESS"
query = "source.name:" + $sourceName
reviewerType = "MANAGER"
}
filter = @{
id = ""
type = "CAMPAIGN_FILTER"
name = "Remove Disabled Accounts - MS SQL"
}
schedule = @{
type = "ONCE"
}
} | ConvertTo-Json -Depth 10
Nice. Does it run individually for each source, or were you able to get it to combine users from all sources so you had a single certification? Or did I misunderstand your initial requirements?
The searchCampaignInfo section might be a little misleading and may look like I’m only using one source for the access items, but that $sourcename variable actually has the word SQL in it. Thankfully all of my SQL Server Sources have the name SQL somewhere in the name so that search query picks them all up when doing that query, so all SQL related sources are included
