IdentityNow - Active Directory - Transfer use case

Hi all,

I hope this message finds you well. I am currently working on a project involving two sources that represent two domains under the same forest:

  • Source 1: AD Domain 1
  • Source 2: AD Domain 2

In the current setup, the following rules apply during the joiner process:

a) If an identity has the identity attribute “company”=“A”, an active account is automatically created on Source 1 under the OU=Active User of AD Domain 1.
b) If an identity has the identity attribute “company”=“B”, an active account is automatically created on Source 2 under the OU=Active User of AD Domain 2.

I am seeking suggestions on how to implement the following flow for a transfer case where the identity attribute “company” of a user changes from “A” to “B”. The required steps that must be satisfied to correctly implement the transfer case are:

  1. The account must be disabled on Source 1 (AD Domain 1) and moved from the OU=Active User to the OU=Disabled User of AD Domain 1.
  2. A new account must be created for the user in the OU=Active User of Source 2 (AD Domain 2).

What is the best way to implement the aforementioned steps 1 and 2?

Thank you in advance for your support and suggestions.

Best regards,
Paolo

Hi Paolo,

You can use Workflow.

  1. Use the Identity Attribute Change trigger if Company changes from A to B.
  2. Get that identity and disable the current AD Domain 1 account by using the Manage Account action.
  3. Then add AD Domain 2 access to the same user.

You can also use PowerShell scripts based upon the value change.

Thanks,
Siva.K

Hi,

Thank you for your response. Your suggestion makes sense to me. However, I have an additional requirement:

For step 2, besides disabling the account, I also need to move the user from the OU=Active User to the OU=Disabled User of AD Domain 1. For step 3, I need to create the user in the OU=Active User of AD Domain 2.

Can I still proceed with a workflow for these additional conditions?

Thanks,
Paolo

Hi Paolo,

To move the user to the Disabled OU you can configure the Disable Account provisioning policy in the SailPoint AD source. Once the user account is disabled it automatically moves to the Disabled OU.

Thanks,
Siva.K

You can also write a Before Provisioning rule to move the OU.
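An added example, not code posted in this thread, of the Before Provisioning rule approach Siva mentions: it watches the provisioning plan for Disable operations against Source 1 and adds an AC_NewParent attribute request, which tells the AD connector to move the object into OU=Disabled User. The source name, the DC suffix of the OU DN, and the variable names `plan` and `log` provided by the rule context are assumptions to check against your tenant.

```java
// Added example: IdentityNow "Before Provisioning" cloud rule body (BeanShell, Java syntax).
// Moves a Domain 1 account to OU=Disabled User whenever the plan disables it.
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import java.util.List;

// Assumed values: replace with your source name and the real DN suffix of Domain 1.
String SOURCE_NAME = "AD Domain 1";
String DISABLED_OU = "OU=Disabled User,DC=domain1,DC=example"; // placeholder DN

if (plan != null && plan.getAccountRequests() != null) {
  List requests = plan.getAccountRequests();
  for (int i = 0; i < requests.size(); i++) {
    AccountRequest ar = (AccountRequest) requests.get(i);

    // Only act on Disable operations targeting Source 1; leave every other plan untouched.
    if (!SOURCE_NAME.equals(ar.getApplicationName())) continue;
    if (!AccountRequest.Operation.Disable.equals(ar.getOperation())) continue;

    // If a Disable Account provisioning policy already sets AC_NewParent, do not add a second one.
    if (ar.getAttributeRequest("AC_NewParent") != null) continue;

    // AC_NewParent instructs the AD connector to move the object to the named container.
    ar.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, DISABLED_OU));
    log.info("Before Provisioning: moving disabled account " + ar.getNativeIdentity()
        + " to " + DISABLED_OU);
  }
}
```

The rule is deliberately restricted to the Disable operation on one source, so Enable, Modify and Create plans from the transfer workflow reach the connector unchanged.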

Hi,
One last question: can I set the Active Directory account password in a Before Provisioning rule? If so, how?

Thanks in advance for your support.
Paolo

You can set it as part of the CREATE process.

        {
            "name": "password",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "firstPassword"
                }
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": true,
            "type": "secret",
            "isMultiValued": false
        },

I have a transform that creates it and sets it as an identity attribute.

Hi Paolo,

As Phil said, you can use the Create Account provisioning policy for setting the password. If you want to customize the password then you need to write a generator rule based upon your password requirements and customize the New Account Provisioning email template with password setup instructions for the AD source.

Best Regards,
Siva.K
