Hello team,
Regarding the following doc, Is it possible to filter the aggregated groups for specific accounts ? I mean not filtering groups for the source.
IdentityNow Account Filtering during Account Aggregation - Compass
Thank you,
Hello @timahm
Are you saying that you want to filter the accounts based on what group they are part of on the source?
Hello @filip_johansson ,
Thank you for your answer.
Indeed, I don’t want aggregating entitlements for some accounts (when identities are terminated). I mean, having some accounts without entitlements in ISC even if they have it in source.
@timahm Is it a webservice connector? if yes then you can use afterOperation Rule to achieve this.
Hello @shekhardas1825,
Thank you for your answer. Indeed, this is for Workday source.
Hi @timahm
Are you using Workday source or a Webservices source??
if it is webservices you can use after operation rule to go through the response data and empty the groups attribute for the specific accounts
Thanks
Hello @Sriindugula,
Thank you for your answer. Indeed, we’re not using webservices but Workday source.
Hi @timahm,
Yes you can apply filter string, based on the specific value from the aggregated attributes.
So you want all accounts to be brought in during account aggregation, but you want the entitlements for accounts associated with identities that are terminated to be empty?
Account Filter is used to filter out accounts completely during the Account Aggregation process.
In a WebServices connection, you could write an After Operation Rule to remove that data, if the account aggregation gives you enough information to say if a person is terminated or not (i.e. you wouldn’t be able to check the Identity lifecycle state as that isn’t part of the account aggregation.
But since you are using the Workday connector, I do not know of a way to remove this data via an OOTB connector. I would recommend contacting Expert Services.
Have you thought about removing the entitlements as part of your offboarding process so that you don’t need to be concerned with hiding them?
1 Like
Thank @Carlatto for confirming my understanding.
Indeed, the entitlements revoke fails when accounts are disabled (the deactivation process is managed in Workday source. The correct process should be to remove the entitlements from the source once accounts are disabled. However, not always done). To solve this, I’m thinking to exclude these entitlements from the automated revoke (by workflows). However, we get failures if the revoke is done by certification.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.