Looking for assistance on a particular ask. We have a need to move a Disabled user (triggered by going into an inactive cloudlifecyclestate) to a different OU in an AD source. I’d like to avoid a provisioning rule or transform, so it’s simpler for us to change and keep in house, and not rely on support or an engineer to upload any rule changes. I have some HTTP request actions working already to remove groups in the AD sources, wondering if it’s possible to expand on this idea and use this to move to a separate OU as well?
Hi @kdossen,
Welcome to the community!
I am not sure if we can do that via workflow, but I do have a suggestion. I think it’s better to handle this using the “Services Standard IdentityNow BeforeProvisioning Rule.”
Check out this post to get more information on how to import the cloud rule to your tenant - Services Standard Before Provisioning Rule
But first, you can verify if the rule is in your tenant with the following API call,
https:///cc/api/rule/get/Services Standard IdentityNow BeforeProvisioning Rule
I am attaching the readme file, which shows all the things you can accomplish using that rule.
SSI BeforeProvisioning Rule - README.pdf (110.2 KB)
Also, if you are not able to import the cloud rule, you can request SailPoint, as they already have a working version of this rule. This will be a one-time thing; just open a support ticket, and they will immediately deploy the rule to your tenant.
Once the rule is in your tenant, it’s just a matter of patching it to the source and defining the actions. Examples are in the attached Readme file.
I hope this helps!
Hi Kevin,
You can use a disable provisioning policy to move to the disabled OU. Here is an example of a disable provisioning policy. Once the LCS turns inactive, it will disable all the accounts, so the disable policy triggers and it will move the accounts into the disabled OU.
```json
{
  "name": "Account",
  "description": null,
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "AC_NewParent",
      "transform": {
        "attributes": {
          "value": "OU=disabled,DC=test,DC=com"
        },
        "type": "static"
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}
```
Thanks!!
@kdossen, to move the user to a new OU, you can just use the Disable Provisioning Policy.
Put an attribute in there called “AC_NewParent”, and you can calculate it the way you want with a transform, or if it is fixed you can put a static value.
Transforms are not a thing that SailPoint needs to do; you can manage it and keep it simple.
Best!
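A pre-deployment check for the disable provisioning policy described in the answers above, added here as an example and not code from any poster or from SailPoint: it confirms the policy is a DISABLE policy with a single static `AC_NewParent` whose DN is well formed and stays inside an expected domain. The function names and the `allowed_suffix` parameter are assumptions made for this example.

```python
import json
import re

# Constructed sample: the DISABLE policy posted in the thread, test DN included.
SAMPLE_POLICY = json.loads("""
{"name": "Account", "description": null, "usageType": "DISABLE",
 "fields": [{"name": "AC_NewParent",
             "transform": {"attributes": {"value": "OU=disabled,DC=test,DC=com"},
                           "type": "static"},
             "attributes": {}, "isRequired": false,
             "type": "string", "isMultiValued": false}]}
""")


def split_dn(dn):
    """Split a DN on commas that are not preceded by a backslash escape."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def check_disable_policy(policy, allowed_suffix):
    """Return a list of problems; an empty list means the policy passed.

    allowed_suffix is a hypothetical parameter for this example: the domain
    suffix (such as "DC=test,DC=com") the target OU must sit under.
    """
    problems = []
    if policy.get("usageType") != "DISABLE":
        problems.append("usageType is not DISABLE")
    fields = [f for f in policy.get("fields", []) if f.get("name") == "AC_NewParent"]
    if len(fields) != 1:
        return problems + ["expected exactly one AC_NewParent field"]
    transform = fields[0].get("transform") or {}
    if transform.get("type") != "static":
        # A computed transform cannot be evaluated offline; flag it for review.
        return problems + ["AC_NewParent is not static; review the transform by hand"]
    dn = str(transform.get("attributes", {}).get("value") or "")
    rdns = split_dn(dn)
    if any(not re.fullmatch(r"(?i)(OU|CN|DC)=.+", r) for r in rdns):
        problems.append("malformed DN component in %r" % dn)
    elif not rdns[0].upper().startswith("OU="):
        problems.append("target container is not an OU")
    suffix = [r.lower() for r in split_dn(allowed_suffix)]
    if [r.lower() for r in rdns[-len(suffix):]] != suffix:
        problems.append("DN is outside %s" % allowed_suffix)
    return problems


if __name__ == "__main__":
    print(check_disable_policy(SAMPLE_POLICY, "DC=test,DC=com") or "policy OK")
```

Running the check against the policy JSON before it is attached to the AD source catches a mistyped or out-of-domain target OU before any disabled account is moved.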