Which IIQ version are you inquiring about?
8.2
There are a few ways to do this:
Create a lifecycle event with a “create” trigger. This will trigger every time an identity is created. Then it’s the other way around: you create a role with the AD group in it and manually assign the role to the new identity. You can use a provisioning plan with “assignedRoles” as the attribute and the role name as the value.
Or you could just create a birthright role (a role with an assignment rule that matches every active identity) with an IT role that contains an AD group that all users belong to. This way there is no need for the joiner workflow.
Either way you will need a business role and an IT role with an AD group like domainMembers or similar, that all identities are members of.
You can create an IT role with a provisioning policy that would only create an AD account too.
The decision depends on many factors:
So each one of the above items is a candidate for dedicated code and configuration.
If you provide us a bit more information, the community may be able to suggest a more detailed option that suits your environment better.