I created a workflow that will send the password to the newly created user. Right now, we store the password in the identity attribute to fetch it in the workflow. But since the password is stored in the identity attribute, the password will be exposed in the UI. I’m trying to hide the “password” identity attribute, but it seems like that is not possible?
That’s why I am trying to fetch the password directly in account attributes from my workflow. I tried to use the “Get Account” Action in the workflow and select the method “By Account Data” to specify which source I’m trying to get the account attributes.
Yes, SailPoint never stores or fetches clear text passwords, so you won’t be able to get it. I may have missed that you were trying to fetch the password. The Get Accounts won’t work for passwords.
I believe your requirement is to send the initial password to the newly created user. If yes, follow the approaches below.
I haven’t seen the password used as an identity attribute, as it is going to be plain text in the SailPoint world. However, I have seen it used as plain text in the Microsoft Identity world. We will enable forcing the user to change the password during first login.
We can debate about this.
SailPoint has given recommendations for initial password implementation.
You can choose whichever approach you feel is good for your organization. If you ask me, I would recommend the approach below.
Known Password Generation:
Generate the password in a known format using identity attributes (for example, first 2 letters of first name, last 2 letters of employee ID, last 2 letters of last name, some static string, etc.)
Notification:
a. Use a workflow to send the initial password email notification. Since you know the password format, you can re-generate it.
b. Use AD Native Rules. In the After Creation Rule, build a PowerShell script to re-generate the password (you have all the data you need in the AD Account Request) and send an email/SMS.
Since we cannot decrypt in IDN, the process is a bit complex compared to IIQ. I have implemented the above approaches a couple of times for my clients.
Hope this helps you.
Readers, if you have a better approach, feel free to post here.