Hi all,
I’m trying to add a filter in ROLE criteria to check the account status of an AD account/source. It looks like role criteria are not able to determine account status and are provisioning access to disabled AD accounts. How can we overcome this? I can think of a transform-based identity attribute and adding that to the filter. Is there any other way to achieve this? Thanks in advance.
I believe you should be able to add the attribute UserAccountControl to your AD source schema, and then you should be able to filter on that account attribute in your role:
Hi @Irshaad_Laher_WS , thanks for the response.
Here is the issue: it looks like the account attribute filter is only working for ACTIVE AD accounts, but not disabled accounts (I want to exclude a few identities from the role provisioning, but the account attributes are not being filtered because the account is disabled).
Hi @Prashanth1812
In that case I think you should go with your original idea of creating a transform to look at the account attribute: you can do a conditional check or a lookup transform based on the account attribute, populate the value as isDisabled or isEnabled, and then use this identity attribute in the filter in your role config.
Hope that helps.
1 Like
Hi Prashanth,
Strange that the account attribute is not being validated for role criteria on disabled accounts. You can try having a condition on distinguishedName with a contains filter on OU=Disabled, if your disabled accounts are moved to a disabled OU.
We have a similar requirement, and we also achieved it by using identityAttributes, which use a transform internally.
Regards,
Uday Kilambi
1 Like
I did something like this. As always, test thoroughly in your environment.
"adStatus": {
    "attributes": {
        "values": [
            {
                "attributes": {
                    "sourceName": "Active Directory",
                    "attributeName": "IIQDisabled"
                },
                "type": "accountAttribute"
            },
            {
                "attributes": {
                    "value": false
                },
                "type": "static"
            }
        ],
        "ignoreErrors": "true"
    },
    "type": "firstValid"
}
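As an added example (not posted by anyone in this thread), here is the lookup-transform variant of Irshaad's suggestion, written as a Transforms API body alongside Uday's firstValid snippet above. Assumptions: the source is named "Active Directory", IIQDisabled is exposed as the string "true" or "false", the transform name is arbitrary, and an identity with no matching account falls through to the "default" row; once mapped to an identity attribute in the identity profile, that attribute (for example, adAccountStatus equals isEnabled) is what the role criteria filter on.

```json
{
  "name": "AD Account Status",
  "type": "lookup",
  "attributes": {
    "input": {
      "type": "accountAttribute",
      "attributes": {
        "sourceName": "Active Directory",
        "attributeName": "IIQDisabled"
      }
    },
    "table": {
      "true": "isDisabled",
      "false": "isEnabled",
      "default": "isEnabled"
    }
  }
}
```

Because the lookup resolves to a fixed string rather than reading the account at role-evaluation time, the role criteria see the same value for disabled and active accounts and can exclude isDisabled identities consistently.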