How to capture Identity Disable/Enable action on workflow?

Hi! I would like to capture the Identity Enable/Disable menu action inside a workflow (not the cloudLifecycleStatus change event), is that possible?

By disable/enable I mean:

image

As I saw via API, it alters the value of cloudState and identityStatus (but the lifecycleState attribute remains).

I tested with an Identity Attribute Changed trigger without luck. Any ideas will be appreciated.

Hi @jsosa ,

Try making use of internalCloudStatus, located under attributes of Get Identity action.

Hi @jsosa ,

I don’t think you’ll be able to do this through an identity attribute trigger as identityStatus & internalCloudStatus aren’t identity attributes.

You could utilise the below URL which would get the identities with a specific cloud status (Enabled/Disabled).

Here is an example using the filters:

https://sailpoint.identitynow.com/beta/identities?filters=cloudStatus eq "DISABLED"

Thanks,
Dan

1 Like
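The polling workaround from the reply above, as an added example (not code from the thread or from SailPoint): it builds the filtered URL with the filter expression percent-encoded and diffs consecutive polls of the DISABLED filter to recover the disable/enable transitions that no trigger delivers. The `id` field, the sample records, and the function names are assumptions constructed for illustration.

```python
from urllib.parse import quote

# Endpoint and filter field are taken from the reply above.
BASE_URL = "https://sailpoint.identitynow.com/beta/identities"


def filter_url(status):
    """Return the filtered URL with spaces and quotes percent-encoded."""
    expression = 'cloudStatus eq "%s"' % status
    return BASE_URL + "?filters=" + quote(expression)


def diff_disabled(previous_ids, disabled_records):
    """Compare the last poll's disabled IDs with this poll's records.

    Returns (newly_disabled, no_longer_disabled, current_ids).
    previous_ids=None means first run: store a baseline and report nothing,
    so identities that were already disabled do not all fire at once.
    """
    current_ids = {record["id"] for record in disabled_records}  # "id" is assumed
    if previous_ids is None:
        return [], [], current_ids
    newly_disabled = sorted(current_ids - previous_ids)
    # Deleted identities also land here; confirm before re-enabling accounts.
    no_longer_disabled = sorted(previous_ids - current_ids)
    return newly_disabled, no_longer_disabled, current_ids


# Constructed sample responses for three consecutive polls of the DISABLED filter.
POLL_1 = [{"id": "id-001", "name": "a.constructed"}]
POLL_2 = [{"id": "id-001", "name": "a.constructed"},
          {"id": "id-002", "name": "b.constructed"}]
POLL_3 = [{"id": "id-002", "name": "b.constructed"}]


def replay(polls):
    """Feed polls through diff_disabled, carrying the ID set between runs."""
    seen, events = None, []
    for records in polls:
        disabled, enabled, seen = diff_disabled(seen, records)
        events.append((disabled, enabled))
    return events


if __name__ == "__main__":
    print(filter_url("DISABLED"))
    for step, event in enumerate(replay([POLL_1, POLL_2, POLL_3]), 1):
        print(step, event)
```

A real poller has to read the complete result set before diffing; a partial read makes every missing identity look re-enabled.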

Hello @jsosa,

I have been down this rabbit hole before, and concluded that it is not possible. I even tried altering the internalCloudStatus to make it searchable and what-not, to no avail. No matter what I did, none of these (internalCloudStatus, identityStatus, status, cloudStatus) were ever a part of the Identity Attribute Changed JSON payload.

What do you want to accomplish in this use-case?

Hi @dangoldston24 @GOKUL_ANANTH_M thanks for the answer. My problem with this workaround is that the client needs to capture the event and react immediately, and scheduled workflows can't be triggered at intervals of less than 1 hour. They have several lifecycle states that are mapped against some HR values, but the goal is that if they manually select the disable identity action, all accounts are disabled automatically.

1 Like

Hi @filip_johansson thanks for the confirmation! There are several lifecycle states mapped to HR data (active, inactive, vacation, medical leave, etc). But they need something they can request, or perform (as the disable identity action), that “overrides” whatever comes from HR and automatically disables accounts (desirably something with a justification).

I have tried several approaches. One is having a role, which is monitored by a workflow. When the role is assigned to some user, it performs an API call to update some delimited file account attributes that act as a flag. This actually works fine as a flag to let the HR status propagate or not. The problem is that the scheduled workflow that monitors identities can run at least every 1 hour, and they need this functionality to be more “instantaneous” (I originally wanted a trigger that could react to a role assignment/revoke but I could not capture this event).

Another approach is having some form. The problem here is that only admins can see it as a widget, and that is not the case for the people who will perform this access block.

So I am trying to capture this event, thinking that, if possible, it can perform blocks. I will try more options.

Hi @jsosa,

I have an idea of how you can get around this.

When an identity is disabled or enabled, it doesn’t affect the accounts associated with that identity; it just stops them from signing into IDN. To address this, you can create two new lifecycle states: one for disabling and one for enabling. Within the provisioning section, specify the accounts you want to disable or enable when a user transitions into these lifecycle states. When a user moves into one of these states, either automatically or manually, you can trigger an identity attribute change in a workflow based on the lifecycle state. Retrieve the identity using the “get identity” action, and then use the provided API via an HTTP request to disable or enable the identity accordingly.

Thanks,
Dan

1 Like

Hi Daniel! Thank you for the idea! I already have an extra state (in fact I have 1 active state, 3 states that disable accounts - vacations and medical leave (short) - and terminated, and let’s call it “manually deactivated”). Manually Deactivated turns all accounts to disabled. The problem is that at the following aggregation from RH, what comes from RH will prevail. That’s why I am trying to find some flag that I can use in the Lifecycle transform to let the manually assigned state prevail.

For now we found a workaround. I now have a workflow that reacts to the Identity Attributes Changed trigger, when it is going into the “Manually Disabled” state. Then it performs an API call to RH, so ISC informs it to send some flag which can be captured by the LCS transform.

This will work, but anything that can prevent RH from making changes would be welcome.
