How to Create a workflow to successfully create an AD account for using a trigger condition (Start Date)

I am a beginner in IdentityIQ, please assist. How to create a workflow that successfully creates an AD account for the user depending on some condition, using a trigger condition (Start Date) to trigger the workflow? How to create a lifecycle event (Joiner), select the workflow you have created, and set the condition for the event trigger (e.g. Start Date)?

Hi @Abhivk,

Please follow https://community.sailpoint.com/t5/Technical-White-Papers/Birthright-Provisioning/ta-p/78513 for insights on Lifecycle Events, which can help you configure birthrights and provisioning. In case you have a specific question, we might help.

Hello @Abhivk,

Go to your Workflow module and create a workflow, adding a trigger condition to check if the Start Date is today. You can use the following script:

import java.text.SimpleDateFormat;
import java.util.Date;

// Compare the identity's startDate attribute (stored as yyyy-MM-dd) with today's date
String startDateStr = (String) identity.getAttribute("startDate");
String today = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
if (startDateStr != null && startDateStr.equals(today)) {
    return true;  // Trigger workflow
}
return false;

Finally, add a Provisioning Task using the following BeanShell:

import sailpoint.api.Provisioner;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);
AccountRequest acct = new AccountRequest();       // Create request against the AD application
acct.setApplication("Active Directory");          // use your AD application's exact name
acct.setOperation(AccountRequest.Operation.Create);
plan.add(acct);                                   // attributes come from the create provisioning policy
Provisioner provisioner = new Provisioner(context);
provisioner.execute(provisioner.compile(plan));   // compile expands the plan, execute sends it to the connector

Let me know if that works.

I always use RapidSetup workflows. I would recommend you read up on RapidSetup and do some experimenting. I have done this for dozens of clients reliably. For my own customization, I create a joinerDate (String, sorted, no source or target), and a leaverDate (same) identity attribute. In the create rule for the authorized source, I set joinerDate to “Not Set” and the leaverDate to “Not Set” as well as whatever algorithm is needed to set the identity name and initial password. Then I use those values of both joinerDate = Not Set and leaverDate = Not Set as my RapidSetup joiner trigger, then joinerDate startswith 20 and leaverDate = Not Set and inactive=true as my leaver trigger. Then I create a Post Joiner rule that sets the joinerDate to the current date (yyyyMMdd) and in the Post Leaver rule I set the leaverDate similarly.

But that doesn’t solve your delayed workflow issue. For that, consult Compass, search for “scheduling a workflow to run in the future” there. Best practice is to clone the RapidSetup Joiner workflow, not to modify the OOTB version, and add a step to do this provisioning on the user in the future. It’s actually best practice to never modify any of the OOTB workflows, always clone them and also never use the Business Process editor on any OOTB or cloned OOTB workflow. It will rewrite them and they won’t work properly. I stopped using the Business Process Editor 6 years ago.

As for the provisioning operation, it’s probably best to create a set of roles that can provision a default AD group to a user (I like to use something like All Users) and then in your custom workflow, assign that role to the user and then refresh the user. That way when you provision that role (and group) to the user, expansion will call the create operation.

If you are a beginner, I would not expect you to instantly understand all I just laid out. It normally takes about 18 months and 3 or 4 engagements to build the expertise for this kind of customization.


Hi @Abhivk
Here is a simple approach

Create the Workflow, something like CreateADAccountWorkflow:

  1. Go to Setup - Business Processes.
  2. Create New Workflow - name it like: CreateADAccountWorkflow.
  3. Set Variables:
     • identity → Type: Identity
  4. Add Steps:
     • Start Step
     • Script Step (name it: ProvisionADAccount) and paste the script below
     • End Step

Sample Script (ProvisionADAccount)

import sailpoint.api.Provisioner;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;

try {
    Identity identity = (Identity) workflow.get("identity");
    if (identity == null) {
        // Lifecycle events launch the workflow with identityName rather than an Identity object
        identity = context.getObjectByName(Identity.class, (String) workflow.get("identityName"));
    }

    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);

    AccountRequest accReq = new AccountRequest();
    accReq.setApplication("Active Directory");  // Change to your exact app name
    accReq.setOperation(AccountRequest.Operation.Create);

    accReq.add(new AttributeRequest("ObjectType", ProvisioningPlan.Operation.Set, "User"));
    accReq.add(new AttributeRequest("cn", ProvisioningPlan.Operation.Set, identity.getName()));
    accReq.add(new AttributeRequest("sAMAccountName", ProvisioningPlan.Operation.Set, identity.getName()));
    accReq.add(new AttributeRequest("userPrincipalName", ProvisioningPlan.Operation.Set, identity.getName() + "@iiq.com"));
    accReq.add(new AttributeRequest("givenName", ProvisioningPlan.Operation.Set, identity.getFirstname()));
    accReq.add(new AttributeRequest("sn", ProvisioningPlan.Operation.Set, identity.getLastname()));
    accReq.add(new AttributeRequest("displayName", ProvisioningPlan.Operation.Set, identity.getDisplayName()));
    // Placeholder only: generate a per-user initial password or let the provisioning policy supply it
    accReq.add(new AttributeRequest("password", ProvisioningPlan.Operation.Set, "Sample@123"));

    plan.add(accReq);

    // compile expands the plan (policies, templates), execute sends it to the connector
    Provisioner provisioner = new Provisioner(context);
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);

    return "AD account created for " + identity.getName();
} catch (Exception e) {
    log.error("Error in AD account creation: ", e);
    return "Error: " + e.getMessage();
}

Modify the Account Request as required.


Create a Joiner Lifecycle Event

  1. Go to Lifecycle Events - Create New.
  2. Name: JoinerEvent
  3. Type: Rule, with the following rule:

import java.text.SimpleDateFormat;
import java.util.Date;

// IdentityTrigger rules receive previousIdentity and newIdentity (not identity)
if (newIdentity == null) return false;
try {
    String startDateStr = (String) newIdentity.getAttribute("startDate");
    if (startDateStr == null) return false;

    SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
    Date today = sdf.parse(sdf.format(new Date()));  // today with the time part stripped
    Date startDate = sdf.parse(startDateStr);

    return startDate.equals(today);
} catch (Exception e) {
    return false;
}

  4. Link the Workflow to the Event: in JoinerEvent, under Business Process, select the CreateADAccountWorkflow workflow and save it.


Try importing this workflow and Joiner event:

<!DOCTYPE Workflow PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Workflow explicitTransitions="true" name="CreateADAccountWorkflow" type="IdentityLifecycle">
  <!-- type="IdentityLifecycle" makes the workflow selectable in a lifecycle event's Business Process list -->
  <Variable input="true" name="identity" type="Identity"/>
  <Variable input="true" name="identityName"/>
  <Variable input="true" name="trigger"/>
  <Variable input="true" name="event"/>

  <Step icon="Start" name="Start">
    <Transition to="ProvisionADAccount"/>
  </Step>

  <Step name="ProvisionADAccount">
    <Script>
      <Source>
      <![CDATA[
      import sailpoint.api.Provisioner;
      import sailpoint.object.Identity;
      import sailpoint.object.ProvisioningPlan;
      import sailpoint.object.ProvisioningPlan.AccountRequest;
      import sailpoint.object.ProvisioningPlan.AttributeRequest;
      import sailpoint.object.ProvisioningProject;

      try {
          Identity identity = (Identity) workflow.get("identity");
          if (identity == null) {
              // Lifecycle events pass identityName rather than an Identity object
              identity = context.getObjectByName(Identity.class, (String) workflow.get("identityName"));
          }

          ProvisioningPlan plan = new ProvisioningPlan();
          plan.setIdentity(identity);

          AccountRequest accReq = new AccountRequest();
          accReq.setApplication("Active Directory");  // Update with your actual AD application name
          accReq.setOperation(AccountRequest.Operation.Create);

          accReq.add(new AttributeRequest("ObjectType", ProvisioningPlan.Operation.Set, "User"));
          accReq.add(new AttributeRequest("cn", ProvisioningPlan.Operation.Set, identity.getName()));
          accReq.add(new AttributeRequest("sAMAccountName", ProvisioningPlan.Operation.Set, identity.getName()));
          accReq.add(new AttributeRequest("userPrincipalName", ProvisioningPlan.Operation.Set, identity.getName() + "@iiq.com"));
          accReq.add(new AttributeRequest("givenName", ProvisioningPlan.Operation.Set, identity.getFirstname()));
          accReq.add(new AttributeRequest("sn", ProvisioningPlan.Operation.Set, identity.getLastname()));
          accReq.add(new AttributeRequest("displayName", ProvisioningPlan.Operation.Set, identity.getDisplayName()));
          // Placeholder only: generate a per-user initial password or let the provisioning policy supply it
          accReq.add(new AttributeRequest("password", ProvisioningPlan.Operation.Set, "Sample@123"));

          plan.add(accReq);

          Provisioner provisioner = new Provisioner(context);
          ProvisioningProject project = provisioner.compile(plan);
          provisioner.execute(project);

          return "AD account created for " + identity.getName();
      } catch (Exception e) {
          log.error("Error in AD account creation: ", e);
          return "Error: " + e.getMessage();
      }
      ]]>
      </Source>
    </Script>
    <Transition to="Stop"/>
  </Step>

  <Step icon="Stop" name="Stop"/>
</Workflow>

Joiner Event (a lifecycle event is stored as an IdentityTrigger object that references a rule of type IdentityTrigger):

<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <!-- Trigger rule: fires when the identity's startDate (yyyy-MM-dd) is today -->
  <Rule language="beanshell" name="JoinerEvent Rule" type="IdentityTrigger">
    <Source>
      <![CDATA[
      import java.text.SimpleDateFormat;
      import java.util.Date;

      // IdentityTrigger rules receive previousIdentity and newIdentity (not identity)
      if (newIdentity == null) return false;
      try {
          String startDateStr = (String) newIdentity.getAttribute("startDate");
          if (startDateStr == null) return false;

          SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
          Date today = sdf.parse(sdf.format(new Date()));  // today with the time part stripped
          Date startDate = sdf.parse(startDateStr);

          return startDate.equals(today);
      } catch (Exception e) {
          return false;
      }
      ]]>
    </Source>
  </Rule>

  <!-- The workflow to launch is stored under the "workflow" attribute key -->
  <IdentityTrigger handler="sailpoint.api.IdentityTriggerHandler" name="JoinerEvent" type="Rule">
    <Attributes>
      <Map>
        <entry key="workflow" value="CreateADAccountWorkflow"/>
      </Map>
    </Attributes>
    <RuleRef>
      <Reference class="sailpoint.object.Rule" name="JoinerEvent Rule"/>
    </RuleRef>
  </IdentityTrigger>
</sailpoint>
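As an added example (not code from this thread), here is a hardened variant of the ProvisionADAccount script step: it accepts identityName as lifecycle events pass it, skips identities that already hold a link on the AD application so a trigger rule that returns true on every refresh run during the start date cannot create duplicates, and generates a per-user initial password instead of a shared literal. It assumes the application is named "Active Directory" and that its create provisioning policy supplies cn, sAMAccountName and the other naming attributes.

```java
import java.security.SecureRandom;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumed: the AD application is named "Active Directory"; the workflow is launched
// either with an Identity object ("identity") or, from a lifecycle event, with "identityName".
String appName = "Active Directory";

Identity identity = (Identity) workflow.get("identity");
if (identity == null) {
    identity = context.getObjectByName(Identity.class, (String) workflow.get("identityName"));
}
if (identity == null) return "No identity to provision";

// Idempotency: the trigger rule is true for the whole start date, so a second refresh
// that day must not create a second account. Skip identities already linked to the app.
Application app = context.getObjectByName(Application.class, appName);
List links = identity.getLinks(app);
if (links != null && !links.isEmpty()) {
    return "AD account already exists for " + identity.getName();
}

// Generate a 16-character initial password with at least one character from each class
// (ambiguous characters such as l, I, O, 0, 1 are left out on purpose).
String[] classes = { "abcdefghijkmnpqrstuvwxyz", "ABCDEFGHJKLMNPQRSTUVWXYZ", "23456789", "!@#$%^*-_" };
String all = classes[0] + classes[1] + classes[2] + classes[3];
SecureRandom rnd = new SecureRandom();
StringBuilder pw = new StringBuilder();
for (int i = 0; i < classes.length; i++) {
    pw.append(classes[i].charAt(rnd.nextInt(classes[i].length())));
}
while (pw.length() < 16) pw.append(all.charAt(rnd.nextInt(all.length())));

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);
AccountRequest acct = new AccountRequest();
acct.setApplication(appName);
acct.setOperation(AccountRequest.Operation.Create);
// Naming attributes come from the create provisioning policy; only the password is set here.
acct.add(new AttributeRequest("password", ProvisioningPlan.Operation.Set, pw.toString()));
plan.add(acct);
Provisioner provisioner = new Provisioner(context);
provisioner.execute(provisioner.compile(plan));  // compile expands the plan, execute calls the connector
return "AD account created for " + identity.getName();
```

The generated password never needs to be logged or returned; deliver it through whatever first-logon or reset process your AD connector and policy already use.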

Hi Abhishek,

To create an AD account based on the user's start date, follow the steps below:

  1. Develop a workflow to create the AD account with all mandatory attributes (if you have a create provisioning policy form in your application, there is no need to pass attributes).
  2. Create a Lifecycle Event, select Event Type Rule, define the logic based on your business requirement, and select the workflow you created under the Business Process dropdown.
  3. Go to Tasks, open the Refresh Identity Cube task, make sure the Process Events option is enabled, specify the identity for which you want to create the AD account, then click Save and Execute.

Let me know if you need any help.
