Leaver to ensure all user accounts are disabled

Hi all!
The requirement was to implement a Leaver Workflow Automation that ensures all user accounts (both created through SailPoint IdentityIQ and manually in Active Directory) are removed or disabled when a user leaves the organization. This includes:

  1. Automatically detecting and removing all accounts created manually in Active Directory (AD).
  2. Moving the deleted accounts to a Disabled Users OU in AD.
  3. Ensuring the process is integrated with SailPoint IdentityIQ’s leaver workflow.

For this I have an OU named DisabledUsers in my AD, and I have also made one leaver rule as follows:

import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Identity being offboarded (looked up here; not yet used when building the plan)
Identity identityObject = context.getObjectByName(Identity.class, identityName);

ProvisioningPlan plan = new ProvisioningPlan();

// Disable the AD account; the nativeIdentity must be the account's DN
AccountRequest acctReq = new AccountRequest();
acctReq.setOperation(AccountRequest.Operation.Disable);
acctReq.setApplication("Active Directory");
acctReq.setNativeIdentity("cn=" + identityName + ",OU=TempOu,DC=IIQAD,DC=com");

// AD connector attribute that moves the object into the DisabledUsers OU
AttributeRequest attrReq = new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, "OU=DisabledUsers,DC=IIQAD,DC=com");
acctReq.add(attrReq);
plan.add(acctReq);
return plan;

But I am not sure how I can achieve the use case. Can it be done while fetching the employee ID of that specific account, or what? For instance, if we take email, how can we achieve this?

  1. Run the AD account aggregation task to pull in all accounts (both manual and IIQ-created). With correlation configured, IIQ will link these accounts to identities.
  2. Set up a Lifecycle Event (LCE) for Leaver:
    • Create a trigger rule, e.g., compare endDate with today’s date and return true if they match.
    • The Identity Lifecycle Workflow specified in this Leaver LCE will activate.
  3. Utilize the out-of-the-box (OOTB) Lifecycle Event - Leaver Workflow. Construct the provisioning plan (using the provided code), assign it to the plan variable, and follow the Lifecycle Event - Leaver workflow steps.

Hope it works!
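To show how the "construct the provisioning plan" step in the procedure above can cover every correlated AD account rather than one hard-coded DN, here is an added example (my own code, not from the original poster or from SailPoint). It assumes it runs as a BeanShell rule or workflow script with the usual `context`, `identityName` and `log` variables in scope, that the AD application is named "Active Directory", that the target container is OU=DisabledUsers,DC=IIQAD,DC=com as in the first post, and that the manually created accounts have already been correlated onto the identity cube by aggregation. Each AD link's nativeIdentity is the account DN, so nothing has to be guessed from the identity name:

```java
// Added example: Leaver "Build Plan" script that disables and moves ALL AD links on the cube.
// Assumed in scope (standard rule/workflow variables): context, identityName, log.
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String adAppName = "Active Directory";                        // assumed application name
String disabledOu = "OU=DisabledUsers,DC=IIQAD,DC=com";       // target OU from the first post

Identity identity = context.getObjectByName(Identity.class, identityName);
if (identity == null) {
    log.warn("Leaver plan: identity not found: " + identityName);
    return null;
}

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

// Every account linked to the cube, whether created by the joiner or by hand;
// raw List because BeanShell does not support generics.
List links = identity.getLinks();
int count = 0;
if (links != null) {
    for (Object o : links) {
        Link link = (Link) o;
        if (!adAppName.equals(link.getApplicationName())) {
            continue;                                          // only AD accounts
        }
        String dn = link.getNativeIdentity();                  // AD nativeIdentity is the account DN
        if (dn == null || dn.trim().length() == 0) {
            log.warn("Leaver plan: AD link without nativeIdentity on " + identityName);
            continue;
        }
        AccountRequest acctReq = new AccountRequest();
        acctReq.setApplication(adAppName);
        acctReq.setNativeIdentity(dn);
        acctReq.setOperation(AccountRequest.Operation.Disable);
        // AD connector: AC_NewParent moves the object into the given container
        acctReq.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, disabledOu));
        plan.add(acctReq);
        count++;
    }
}
log.info("Leaver plan for " + identityName + ": " + count + " AD account(s) to disable and move");
return plan;
```

The plan only contains what the cube already knows about, so the leaver is only as complete as the preceding aggregation and correlation: an uncorrelated manual account is never touched. If the count logged here is lower than expected, check correlation before checking the workflow.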

The requirement is: I have two accounts in my Active Directory, one created through the joiner and one created manually. Both have different names, but they are given a common attribute such as email or phone number.

I need to trigger a leaver event which disables these accounts, i.e., disables all accounts present in SailPoint with the same email or phone number.

For example, if any account has the email [naveen.pandey@demoexample.com], then each identity using this email should be disabled and moved to a disabled OU.
How, and what approach, shall I follow? Please, can anyone help?

Hi,

I think your first step should be to set up a correlation configuration, making sure that the manually created accounts are correlated properly to the identity cube. If you want to do this with a phone number or e-mail address, please make sure the identity attribute is searchable, so you can select it in the correlation configuration. Once you have all the accounts linked to the same identity cube, you can start setting up a workflow or rule that disables these accounts.

Do you need help setting up that configuration?

Kr,
Pieter
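As an added example of the correlation step Pieter describes (my own code, not from Pieter or from SailPoint), the following is a Correlation rule that links a manually created AD account to the cube whose identity attribute matches the account's email. It assumes the standard Correlation rule inputs `account` (a sailpoint.object.ResourceObject), `application`, `link`, `context` and `log` are in scope, that the AD schema attribute is "mail", and that the identity attribute "email" is marked searchable so it can be used as a correlation key. It also assumes, as an illustration of preferring a stable key, that an identity attribute named "employeeId" exists and is populated from the AD "employeeID" attribute; both names are assumptions and must be adjusted to the actual schema:

```java
// Added example: Correlation rule that prefers employee ID and falls back to email.
// Assumed in scope (standard Correlation rule variables): account, application, link, context, log.
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.ResourceObject;

Map result = new HashMap();

// 1. Prefer a stable, non-user-editable key when the account carries one.
//    Attribute names "employeeID" (AD) and "employeeId" (identity) are assumptions.
String empId = account.getStringAttribute("employeeID");
if (empId != null && empId.trim().length() > 0) {
    result.put("identityAttributeName", "employeeId");
    result.put("identityAttributeValue", empId.trim());
    log.debug("Correlating " + account.getIdentity() + " by employeeID=" + empId.trim());
    return result;
}

// 2. Fall back to email. Identity attribute "email" must be searchable.
String mail = account.getStringAttribute("mail");
if (mail == null || mail.trim().length() == 0) {
    // No usable key: return null so IIQ leaves the account uncorrelated instead of
    // attaching it to the wrong cube.
    return null;
}
// AD mail is case-insensitive but IIQ matches the attribute value as a string, so
// normalise to lower case; assumes the identity "email" attribute is stored lower case too.
String key = mail.trim().toLowerCase();

result.put("identityAttributeName", "email");
result.put("identityAttributeValue", key);
log.debug("Correlating " + account.getIdentity() + " by mail=" + key);
return result;
```

One caveat worth keeping in mind with the email or phone approach: both are ordinary writable AD attributes, so anyone who can edit them on a manual account can re-point that account onto another person's cube. That affects more than the leaver disable, because whatever the cube aggregates from that account (entitlements, group memberships) now appears to belong to the wrong person. Use the mutable attribute only as a fallback, and run the aggregation with the correlation result in preview before letting it write links.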
