Generating the password on account request

Hi Team,

When a user requests an entitlement (AD) where the user does not have any account on the AD, an account needs to be created on Active Directory along with the entitlement, and an SMS is to be sent to the user with the initial password.

Does this require changes in the LCM Provisioning workflow?

Please advise.

Regards,
Ravi.

Hi @kolipakularaviturnkey,

This requirement can be handled in two ways: by using an After Provisioning Rule or by adding custom logic directly into the LCM Provisioning Workflow.
Before proceeding with either approach, it’s essential to ensure that the password field is properly defined within the provisioning policy for the Active Directory (AD) application. This step is crucial to ensure that the password is correctly generated and passed through the process.

  1. Using an After Provisioning Rule:
  • In this approach, you can configure the After Provisioning Rule to detect the type of operation from the provisioning plan. If the operation is a “Create” operation, you can extract the password from the attribute request.
  • Once the account request is successfully committed (i.e., the account is created in the Active Directory), the rule can trigger an action to send an email to the user, containing the initial password. This ensures the user receives their login credentials securely.
    Please refer to the after provisioning rule below.
  import java.util.List;
  import java.util.Map;
  import java.util.HashMap;
  import sailpoint.object.Identity;
  import sailpoint.object.EmailOptions;
  import sailpoint.object.EmailTemplate;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningResult;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;

  // After Provisioning Rule: 'plan' and 'context' are supplied by IdentityIQ
  Log log = LogFactory.getLog("rule.afterProvisioningRule");
  log.debug("Entering After Provisioning Rule");

  String plainPassword = null;
  String usersAMAccountName = null;

  // Check the plan for null before using it; only LCM-sourced plans are of interest
  if (plan != null && "LCM".equals(plan.getSource())) {
    log.debug("Plan Source " + plan.getSource());
    Identity identity = plan.getIdentity();

    if (identity != null) {
      log.debug("Identity " + identity.getName());
      String userEmail = identity.getEmail();
      log.debug("userEmail " + userEmail);

      List accountRequests = plan.getAccountRequests("Active Directory Accounts");
      if (accountRequests != null) {
        for (AccountRequest accountRequest : accountRequests) {
          AccountRequest.Operation op = accountRequest.getOperation();
          if (op != AccountRequest.Operation.Create && op != AccountRequest.Operation.Enable) {
            continue;
          }
          // The connector may return no result for a request; guard before reading the status
          ProvisioningResult result = accountRequest.getResult();
          String status = (result != null) ? result.getStatus() : null;
          log.debug("Operation " + op + ", status " + status);

          // The plan holds the generated password encrypted; decrypt it only for delivery
          AttributeRequest attrReq = accountRequest.getAttributeRequest("password");
          if (attrReq != null && attrReq.getValue() != null) {
            plainPassword = context.decrypt((String) attrReq.getValue());
            // Never write the clear-text password to the log; record only that it was found
            log.debug("Password attribute present in plan: " + (plainPassword != null));
          }

          AttributeRequest attrsamAccountName = accountRequest.getAttributeRequest("sAMAccountName");
          if (attrsamAccountName != null) {
            usersAMAccountName = (String) attrsamAccountName.getValue();
            log.debug("sAMAccountName from the provisioning plan: " + usersAMAccountName);
          }

          // Notify only once the connector has actually committed the account
          if (ProvisioningResult.STATUS_COMMITTED.equalsIgnoreCase(status)
              && plainPassword != null && userEmail != null) {
            Object reqId = plan.get("identityRequestId");
            String identityRequest = (reqId != null) ? reqId.toString() : "";
            log.debug("identityRequestId from the After Provisioning rule: " + identityRequest);

            EmailTemplate createTemplate = context.getObjectByName(EmailTemplate.class,
                "Active Directory PH Accounts Joiner AD Account Creation Notification");
            EmailOptions options = new EmailOptions();
            options.setTo(userEmail);

            Map args = new HashMap();
            args.put("password", plainPassword);
            args.put("identity", identity);
            args.put("samAccountType", usersAMAccountName);
            args.put("userReqID", identityRequest);
            options.setVariables(args);
            context.sendEmailNotification(createTemplate, options);
          }
        }
      }
    }
  }
  2. Using the LCM Provisioning Workflow:
  • Alternatively, you can modify the LCM Provisioning Workflow itself. After the account creation process is successfully completed, you can introduce an additional step to send the password directly to the requester.
  • In this step, you would define an email template and logic to retrieve the generated password, then send it to the user.
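The workflow-step version of the second approach, as an added example that is not part of the original answer or SailPoint's shipped LCM Provisioning workflow. It assumes the step is inserted after the step that executes provisioning, so the workflow variables `project`, `identityName` and `identityRequestId` are populated; the step name, application name "Active Directory Accounts", template name and transition target are placeholders to be replaced with your own.

```xml
<!-- Added example step for the LCM Provisioning workflow (not SailPoint's own code).
     Assumptions: placed after the provisioning step so 'project', 'identityName' and
     'identityRequestId' are set; application, template and transition names are placeholders. -->
<Step icon="Task" name="Send Initial AD Password">
  <Script>
    <Source><![CDATA[
      import java.util.HashMap;
      import java.util.List;
      import java.util.Map;
      import sailpoint.object.EmailOptions;
      import sailpoint.object.EmailTemplate;
      import sailpoint.object.Identity;
      import sailpoint.object.ProvisioningPlan;
      import sailpoint.object.ProvisioningPlan.AccountRequest;
      import sailpoint.object.ProvisioningPlan.AttributeRequest;
      import sailpoint.object.ProvisioningResult;
      if (project == null || project.getPlans() == null) return null;
      Identity identity = context.getObjectByName(Identity.class, identityName);
      if (identity == null || identity.getEmail() == null) return null; // no delivery address
      for (ProvisioningPlan p : project.getPlans()) {
        List reqs = p.getAccountRequests("Active Directory Accounts");
        if (reqs == null) continue;
        for (AccountRequest ar : reqs) {
          // Only a newly created account that the connector reports as committed
          if (ar.getOperation() != AccountRequest.Operation.Create) continue;
          ProvisioningResult res = (ar.getResult() != null) ? ar.getResult() : p.getResult();
          if (res == null || !ProvisioningResult.STATUS_COMMITTED.equalsIgnoreCase(res.getStatus())) continue;
          AttributeRequest pw = ar.getAttributeRequest("password");
          if (pw == null || pw.getValue() == null) continue;
          // Secret attributes are held encrypted in the plan; decrypt only for delivery, never log it
          String plainPassword = context.decrypt((String) pw.getValue());
          Map args = new HashMap();
          args.put("identity", identity);
          args.put("password", plainPassword);
          args.put("identityRequestId", identityRequestId);
          EmailTemplate template = context.getObjectByName(EmailTemplate.class, "AD Initial Password Notification");
          EmailOptions options = new EmailOptions();
          options.setTo(identity.getEmail());
          options.setVariables(args);
          context.sendEmailNotification(template, options);
        }
      }
      return null;
    ]]></Source>
  </Script>
  <Transition to="end"/>
</Step>
```

The commit check matters in the workflow as much as in the rule: a queued or failed AD create must not trigger a notification carrying a password that was never set.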
