How to disable old AD and enable new AD in rehire scenario

Hi developers,

Currently, I have onboarded 2 sources of Active Directory in SailPoint IDN. Each is in a different domain.

Some users move from AD source A to AD source B. In my current configuration, SailPoint will create a new AD account after the user moved to AD source B.

The current challenge I’m facing is with enabling/disabling the AD accounts. In the scenario above, the account in AD source A must be disabled after the user has moved to AD source B.

Currently:
Account in AD source A: Remains active
Account in AD source B: Became active

Expected outcome:
Account in AD source A: Must be disabled
Account in AD source B: Become active

Additionally, I don’t have workflow feature.

Can anyone suggest how I can achieve this?

If both domain controllers are in the same network, you might want to write an AfterCreate native rule that will trigger a PowerShell script to disable the account in AD.

Hi @jeev1
Greetings for the day!

As suggested by @iamnithesh, write an after-create rule that will trigger a PowerShell script, and add the code below to that script to disable the user.

# DN of the account SailPoint just created, taken from the request object
$nativeIdentity = $requestObject.NativeIdentity
# Look the account up on the DC of the domain that should be disabled; only sAMAccountName is needed
$User = Get-ADUser -Server 'FQDN of AD DC' -Filter "distinguishedName -eq '$nativeIdentity'" -Properties sAMAccountName
$sAMAccountName = $User.sAMAccountName
# Disable on the same DC so the change does not depend on replication timing
Disable-ADAccount -Server 'FQDN of AD DC' -Identity $sAMAccountName

Let me know if it is working.
Thank you!


Thank you @iamnithesh @suraj_gorle

There is already a native script in place for both sources. Each source has its own native rule.

However, in this scenario User A holds an AD account in both source A and source B. The old AD account is still correlated with the identity, and the enable/disable operation still happens for both accounts based on the identity state.

Is it possible to check before the AD accounts change state in AD?

Expected: if the email domain in the identity attribute of User A changes to source B, then enable the AD account for source B and disable source A’s AD account, even if the identity state is Active.

Thank you!

Hi @jeev1

Yes, this is possible; please write a before-provisioning rule to achieve this scenario.

Thank you.

Hi @jeev1

Thank you for the query.
I can think of the approaches below to handle this scenario, assuming there is no identity attribute present in ISC to determine whether the account should be moved or not.

  1. The easiest, I believe, would be to use the after-connector rule in source B and source A. Here you can store the information of the other AD domain and then perform a check from source B whether the account is present in domain A or not. If it is, you can disable the account.
    You will also need to ensure in source A that it is not triggering the enable account operation, so you can check whether the account should be disabled and keep it disabled. In this rule you will also need to set up the configuration for the domain information of source B.

  2. You can also try to onboard a new LCS, something like adSourceADisabled, which should work the same as active (it depends on the use case), and then just add source A to the disabled state. I think if the identity remains the same after the move then this would be the easiest to achieve. Make sure to handle the terminated users properly here, and if there are birthright roles based on LCS settings then those need to be updated properly. Otherwise I think this could be the easiest to achieve and maintain. You can check if the identity has both accounts A and B, then keep it in this state, and then add source A for disabling in this LCS.

  3. A workflow can also be used, I believe, which will trigger the disable action, but again the native rules need to be checked so that they are not enabling the accounts.

  4. You can also use the before-provisioning rule, as the fellow developers mentioned.

I hope these approaches help; please let us know if you have any query.

Regards
Vikas.
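The "home domain" check that the thread converges on (the original poster's rule that the identity's email domain decides which account is active, and approach 1 above, where the after-connector script looks the user up in the other domain) as an added PowerShell example. This is not the thread's code and not a SailPoint or IQService script; it assumes the ActiveDirectory module is available where the native rule's script runs, that both domains share employeeID as a correlation attribute, and that $requestObject.NativeIdentity is populated as in the earlier reply. The DC names and mail suffixes are placeholders.

```powershell
# Added example: reconcile one user's AD accounts across two domains so that only the
# account in the domain matching the user's mail suffix stays enabled.
# Assumptions (not from the thread): ActiveDirectory module present, employeeID is
# populated identically in both domains, DC names/suffixes below are placeholders.
Import-Module ActiveDirectory

# Hypothetical domain configuration; replace with the real DC FQDNs and mail suffixes.
$Domains = @(
    @{ Name = 'SourceA'; Server = 'dc01.sourcea.example'; MailSuffix = 'sourcea.example' },
    @{ Name = 'SourceB'; Server = 'dc01.sourceb.example'; MailSuffix = 'sourceb.example' }
)

function Get-HomeDomain {
    # Returns the domain entry whose mail suffix matches the user's mail address, or $null.
    param([string]$Mail, [array]$Domains)
    if (-not $Mail -or $Mail -notmatch '@') { return $null }
    $suffix = ($Mail -split '@', 2)[1].Trim().ToLowerInvariant()
    return $Domains | Where-Object { $_.MailSuffix -eq $suffix } | Select-Object -First 1
}

function Sync-AccountState {
    # Enables the account in the home domain and disables the account in every other
    # domain for the user identified by $EmployeeId. Returns the list of actions taken.
    param([string]$EmployeeId, [string]$Mail, [array]$Domains)

    # employeeID goes into an AD filter string, so refuse values outside a safe charset.
    if ($EmployeeId -notmatch '^[A-Za-z0-9_.-]+$') {
        Write-Warning "Unexpected employeeID value; leaving accounts unchanged."
        return @()
    }
    $home = Get-HomeDomain -Mail $Mail -Domains $Domains
    if (-not $home) {
        Write-Warning "No configured domain matches mail '$Mail'; leaving accounts unchanged."
        return @()
    }

    $actions = @()
    foreach ($d in $Domains) {
        # Correlate by employeeID; a user with no account in a given domain is not an error.
        $acct = Get-ADUser -Server $d.Server -Filter "employeeID -eq '$EmployeeId'" `
                           -Properties Enabled -ErrorAction SilentlyContinue
        if (-not $acct) { continue }

        if ($d.Name -eq $home.Name) {
            if (-not $acct.Enabled) {
                Enable-ADAccount -Server $d.Server -Identity $acct
                $actions += "enabled $($d.Name)"
            }
        } elseif ($acct.Enabled) {
            # Account in a non-home domain: disable it on that domain's own DC.
            Disable-ADAccount -Server $d.Server -Identity $acct
            $actions += "disabled $($d.Name)"
        }
    }
    return $actions
}

# Entry point for an AfterCreate / after-connector script: read the DN of the account
# SailPoint just provisioned (as in the earlier reply), then reconcile the other domain
# from that account's mail and employeeID attributes.
$nativeIdentity = $requestObject.NativeIdentity
$created = Get-ADUser -Identity $nativeIdentity -Properties mail, employeeID
$result = Sync-AccountState -EmployeeId $created.employeeID -Mail $created.mail -Domains $Domains
Write-Output ("Actions: " + ($result -join ', '))
```

Because the same script can be attached to both sources, it also covers the second half of approach 1: if source A's native rule re-enables its account, running the reconcile afterwards disables it again whenever the mail suffix points at source B, so the end state does not depend on which source's rule fired last.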