Currently when an AD Account is provisioned there is a text file that gets created when an AD account is deprovisioned that gets saved at a specific file location on our network. When a user is hired we have a PowerShell script that executes and references the text file so we do not reproduce usernames. These historical usernames go back years. During provisioning with the Workday Source as the Source of Truth we would like IdentityNow to be able to reference these historical usernames, when provisioning a new user, even if the Identity has been deleted from Active Directory and IdentityNow. Does IdentityNow have the ability to reference the historical deprovisioned usernames that have been placed on this txt file years back to present?
Interesting use case; I have seen this implementation in other tools, not yet in SailPoint.
If the identity is not deleted then it is easy to check the username availability.
So to summarize, we need to check samAccountName, UPN, Email and DN I believe.
I think OOTB can check the availability in the IDN DB and in AD only. We need to see if anything else.
Custom approach:
I tried to use the Connector Before Create Rule, where we can edit the attribute values using some PowerShell scripts on the IQ server before provisioning, but it didn't work for me. The Rule was triggered but it didn't update the attribute. Maybe you can give it a try.
What if we have all the usernames in a CSV file and create a source in IDN? Use an Attribute Generator Rule to generate the attribute values and check uniqueness against this CSV file source.
Awesome! Thanks Krishna. If CSV is a route to go perhaps we can have the prior usernames from years back loaded on the Source and when an AD account is deprovisioned in IDN have the username populated in the Source. Once populated possibly have our before provisioning rule scan the source for current usernames. This is a good start for our experts to begin.
This is what we do. We have a CSV source that's basically "every username we've ever used".
Whenever a new identity is created, I have a process in ServiceNow that watches for the account to be created in AD, then it grabs the samAccountName and inserts it into the CSV source.
Hi Mark - this sounds in line with our use case. 2 QQ: when someone is onboarded do you have logic that scans or references the usernames in the csv source during provisioning before creating an identity? Is the CSV source authoritative?
Outstanding! This is exactly what we want to do. Do you have any Transforms or Custom Provisioning Rules tied into the custom integration with SNOW to trigger the action on the CSV source with the usernames?
Context: We use ServiceNow for this onboarding process because there are non-IGA actions that need to take place, IDN is just the trigger mechanism.
We utilize both the Identity Created and Identity Attributes Changed event triggers to start this process. New identity creation is self-explanatory, but Identity Attributes Changed detects LCS changes that would indicate the person is a rehire under the same personnel number.
Both triggers call into a ServiceNow Scripted REST endpoint that handles the request payload and generates a Service Catalog request for the user onboarding. The workflow then watches the invocations on a subscription to another Identity Attributes Changed trigger, this one listening for changes in the username. If it can't find an event in that subscription (which will happen for rehires), it queries the identity and ensures attributes.uid is not numerical (because we have a transform that sets it to the personnel number if an AD username has not yet been defined).
If both the AD username and email address have been set, then it moves on to the step where it checks the CSV source to see if that username exists in that source. If it does not, it inserts an entry for the created username (most often with new identities).
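An added illustration of the flow described above, written for this thread and not taken from SailPoint, ServiceNow or any poster's code: a constructed CSV stands in for the "every username we've ever used" source, a generator checks samAccountName, UPN and mail against it (the attributes Krishna listed), the numeric-uid check mirrors the personnel-number transform, and the final insert back into the source is idempotent. Column names, the domain and the sample rows are assumptions.

```python
import csv, io, re

# Constructed sample rows standing in for the "every username we've ever used"
# CSV source; column names, domain and values are assumptions, not real data.
HISTORICAL_CSV = """samAccountName,upn,mail
jsmith,jsmith@example.com,john.smith@example.com
jsmith1,jsmith1@example.com,john.smith1@example.com
smithb,smithb@example.com,bob.smith@example.com
"""

def load_source(csv_text):
    """Return the rows plus a lower-cased lookup set per attribute that must stay unique."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    used = {col: {r[col].lower() for r in rows} for col in ("samAccountName", "upn", "mail")}
    return rows, used

def build_candidate(first, last, i, domain):
    """Derive samAccountName, UPN and mail for the i-th candidate (0 = no numeric suffix)."""
    clean = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    n = "" if i == 0 else str(i)
    sam = clean(first[:1] + last) + n
    return {"samAccountName": sam, "upn": f"{sam}@{domain}",
            "mail": f"{clean(first)}.{clean(last)}{n}@{domain}"}

def is_available(rec, used):
    """A candidate is free only if none of its attributes appears in the historical source."""
    return all(rec[col].lower() not in used[col] for col in used)

def generate_unique(first, last, used, domain="example.com", max_suffix=99):
    """Walk the suffixes until a candidate clears every attribute check."""
    for i in range(max_suffix + 1):
        rec = build_candidate(first, last, i, domain)
        if is_available(rec, used):
            return rec
    raise ValueError(f"no free username for {first} {last} within {max_suffix} suffixes")

def has_real_username(uid):
    """uid still equal to the numeric personnel number means AD has not assigned a username yet."""
    return not uid.isdigit()

def record_username(rows, used, rec):
    """Insert the new username into the source only if it is not already there (idempotent)."""
    if rec["samAccountName"].lower() in used["samAccountName"]:
        return False
    rows.append(rec)
    for col in used:
        used[col].add(rec[col].lower())
    return True
```

Note that a mail collision alone is enough to reject a candidate even when the samAccountName is unused, which is why all attributes are checked together rather than samAccountName only.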
Thanks for the full context. This paints the complete picture for me and I know now what approach we can take to make this happen in our environment. This is great information Mark. You are a lifesaver my friend!!!