Get Account attribute "Password" in the Workflow

Hi All,

I created a workflow that will send the password to the newly created user. Right now, we stored the password in the identity attribute to fetch it in the workflow. But since the password is stored in the identity attribute, password will be exposed in UI. I’m trying to hide the “password” identity attribute, but it seems like not possible?

That’s why I am trying to fetch the password directly in account attributes from my workflow. I tried to use the “Get Account” Action in the workflow and select the method “By Account Data” to specify which source I’m trying to get the account attributes.

Then, when I select the get Accounts in my “HTTP Request” action, I can only see “accounts” not the list of account attributes.

Looking for guidance. thanks

A sample JSON response from the Get Accounts action would look like the one below.

Using `$.getAccounts.accounts[0].attributes.attributeName` you can get the value of the required account attribute.

{
    "accounts":[
        {
            "id":"id12345",
            "name":"aName",
            "created":"2019-08-24T14:15:22Z",
            "modified":"2019-08-24T14:15:22Z",
            "sourceId":"2c9180835d2e5168015d32f890ca1581",
            "identityId":"2c9180835d2e5168015d32f890ca1581",
            "attributes":{
                "attributeName":"(your source account schema attributes will be listed here)"
            },
            "authoritative":true,
            "description":"string",
            "disabled":true,
            "locked":true,
            "nativeIdentity":"string",
            "systemAccount":true,
            "uncorrelated":true,
            "uuid":"string",
            "manuallyCorrelated":true,
            "hasEntitlements":true
        }
    ]
}

Hi sharvari,

Thank you for your inputs, but sadly the “password” account attribute can’t be fetched using Get Accounts either.

Yes, SailPoint never stores or fetches clear-text passwords, so you won’t be able to get it. I may have missed that you were trying to fetch the password. Get Accounts won’t work for passwords.

Hi @Rpalos

I believe your requirement is to send the initial password to the newly created user. If yes, follow the approaches below.

  1. I haven’t seen the password used as an identity attribute, as it is going to be plain text in the SailPoint world. However, I have seen it used as plain text in the Microsoft Identity world. We will force the user to change the password during first login.

We can debate about this.

  2. SailPoint has given recommendations for initial password implementation.

Option 1 - Static Password
Option 2 - Dynamic ‘Known’ Password
Option 3 - Dynamic ‘Unknown’ Password and Password Reset

For more information,
https://community.sailpoint.com/t5/IdentityNow-Articles/Best-Practices-for-Provisioning-with-Passwords-in-IdentityNow/ta-p/75459

You can choose whichever approach you feel is good for your organization. If you ask me, I would recommend the approach below.

Known Password Generation:
Generate the password in a known format using identity attributes (for example, first 2 letters of the first name, last 2 letters of the employee ID, last 2 letters of the last name, some static string, etc.).

Notification:
a. Use a workflow to send the initial password email notification. Since you know the password format, you can re-generate it.
b. Use AD native rules: in the After Creation rule, build a PowerShell script to re-generate the password (you have all the data you need in the AD account request) and send email/SMS.

Since we cannot decrypt in IDN, the process is a bit more complex compared to IIQ. I have implemented the above approaches a couple of times for my clients.

Hope this helps you 🙂

Readers, If you have a better approach, feel free to post here.

Thanks
Krish
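As an added illustration (not SailPoint's code, not the workflow or rule from this thread), the Python sketch below models the two generation options Krish lists: a deterministic 'known' password derived from identity attributes, so a workflow step and an AD After Creation rule re-derive the same value, and a random 'unknown' password that is never stored. The attribute names, the static suffix and the sample identity record are constructed assumptions.

```python
import re
import secrets
import string
import unicodedata

# Constructed sample of the identity attributes a workflow (or an AD
# After Creation rule) would have at hand; not real data.
SAMPLE_IDENTITY = {
    "firstname": "Élodie",
    "lastname": "Ramos-Ortega",
    "employeeId": "E004821",
}

STATIC_SUFFIX = "Welcome!"  # assumed static string; choose your own


def _ascii(value: str) -> str:
    """Fold accents and drop anything that is not a letter or digit so that
    both sides (workflow and rule) derive the same value from the same record."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Za-z0-9]", "", folded)


def known_password(identity: dict) -> str:
    """Option 2 (dynamic 'known' password): first 2 letters of the first name,
    last 2 characters of the employee ID, last 2 letters of the last name,
    plus a static string. Raises if an attribute is missing or too short."""
    parts = []
    for key, take_first in (("firstname", True), ("employeeId", False), ("lastname", False)):
        raw = _ascii(identity.get(key, ""))
        if len(raw) < 2:
            raise ValueError(f"attribute {key!r} too short to derive a password")
        parts.append(raw[:2].capitalize() if take_first else raw[-2:])
    return "".join(parts) + STATIC_SUFFIX


def unknown_password(length: int = 16) -> str:
    """Option 3 (dynamic 'unknown' password): random value that is never
    stored; the user receives a password-reset flow instead of the value."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The workflow step and the After Creation rule both call known_password
    # on the same attributes and therefore agree on the value.
    print(known_password(SAMPLE_IDENTITY))  # El21gaWelcome!
```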

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.