Leaver to ensure all user accounts are disabled

Hi all!
The requirement was to implement a Leaver Workflow Automation that ensures all user accounts (both those created through SailPoint IdentityIQ and those created manually in Active Directory) are removed or disabled when a user leaves the organization. This includes:

  1. Automatically detecting and removing all accounts created manually in Active Directory (AD).
  2. Moving the deleted accounts to a Disabled Users OU in AD.
  3. Ensuring the process is integrated with SailPoint IdentityIQ’s leaver workflow.

For this I have an OU named DisabledUsers in my AD, and I have also made one leaver as:
// BeanShell body of the workflow step that builds the plan; identityName is
// the workflow variable holding the leaver's identity name
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

ProvisioningPlan plan = new ProvisioningPlan();
Identity identityObject = context.getObjectByName(Identity.class, identityName);
plan.setIdentity(identityObject);   // the plan is provisioned against this identity

// Disable the AD account whose DN is built from the identity name
AccountRequest acctReq = new AccountRequest();
acctReq.setOperation(AccountRequest.Operation.Disable);
acctReq.setApplication("Active Directory");
acctReq.setNativeIdentity("cn=" + identityName + ",OU=TempOu,DC=IIQAD,DC=com");

// AC_NewParent tells the AD connector to move the account to the given OU
AttributeRequest attrReq = new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, "OU=DisabledUsers,DC=IIQAD,DC=com");
acctReq.add(attrReq);
plan.add(acctReq);
return plan;

But I am not sure how I can achieve the use case. Can it be done while fetching the employee ID of that specific account, or what? For instance, if we take email, how can we achieve this?

  1. Run the AD account aggregation task to pull in all accounts (both manual and IIQ-created). With correlation configured, IIQ will link these accounts to identities.
  2. Set up a Lifecycle Event (LCE) for Leaver:
    • Create a trigger rule, e.g., compare endDate with today’s date and return true if they match.
    • The Identity Lifecycle Workflow specified in this Leaver LCE will activate.
  3. Utilize the out-of-the-box (OOTB) Lifecycle Event - Leaver Workflow. Construct the provisioning plan (using the provided code), assign it to the plan variable, and follow the Lifecycle Event - Leaver workflow steps.

Hope it works!

The requirement is: I have two accounts in my Active Directory, one created through the joiner and one created manually. Both have different names, but they share a common attribute such as email or phone number.

I need to trigger a leaver event which disables these accounts, i.e. disables all accounts present in SailPoint with the same email or phone number.

For example, if any account has the email [[email protected]], then each identity using this email should be disabled and moved to a disabled OU.
How, and what approach, shall I follow? Please, can anyone help.

Hi,

I think your first step should be to set up a correlation configuration, making sure that the manually created accounts are correlated properly to the identity cube. If you want to do this with a phone number or e-mail address, please make sure the identity attribute is searchable, so you can select it in the correlation configuration. Once you have all the accounts linked to the same identity cube, you can start setting up a workflow or rule that disables these accounts.

Do you need help setting up that configuration?

Kr,
Pieter

Thanks Pieter for your reply. I have written one rule as:
// Rule as posted, with the missing java.util imports added, the email read
// as a String (Identity.getAttribute returns Object) and a null check on the
// plan's request list (ProvisioningPlan.getAccountRequests is null until a
// request is added).
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class LeaverTriggerRule {

// Note: IIQ evaluates a Lifecycle Event trigger rule for a boolean result
// (true fires the event); this method returns a ProvisioningPlan or null.
public static ProvisioningPlan execute(SailPointContext context, Identity identity, Map args) throws GeneralException {

    String targetEmail = "[email protected]";

    // Check if the leaver identity has the target email
    String email = Util.otos(identity.getAttribute("email"));
    if (email != null && email.equalsIgnoreCase(targetEmail)) {

        // Launch the "udit new leaver" business process for this identity
        Map workflowArgs = new HashMap();
        workflowArgs.put("identityName", identity.getName());
        context.startWorkflow("udit new leaver", workflowArgs);

        // Search for other identities with the same email (the attribute must be searchable)
        QueryOptions queryOptions = new QueryOptions();
        queryOptions.add(Filter.eq("email", targetEmail));
        List<Identity> duplicateUsers = context.getObjects(Identity.class, queryOptions);

        ProvisioningPlan plan = new ProvisioningPlan();

        for (Identity duplicateUser : duplicateUsers) {
            if (!duplicateUser.getId().equals(identity.getId())) {  // Avoid disabling the same user twice

                // Disable request keyed by the identity name (the AD connector
                // addresses accounts by DN, as in the first plan above)
                AccountRequest acctReq = new AccountRequest();
                acctReq.setOperation(AccountRequest.Operation.Disable);
                acctReq.setApplication("Active Directory");
                acctReq.setNativeIdentity(duplicateUser.getName());

                plan.add(acctReq);
            }
        }

        if (plan.getAccountRequests() != null && !plan.getAccountRequests().isEmpty()) {
            return plan; // Return plan to disable duplicate users
        }
    }
    return null; // No action if the condition doesn't match
}

}

But this is not working. I am using this in a Lifecycle Event with the event type set to Rule. After saving this, I selected my business process from the list below, which is "udit new leaver", and then ran the Refresh Identity Cubes task. But nothing is getting triggered.
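As an added example (not code from this thread or from SailPoint), the following shows the two rule bodies that the three-step approach above, Pieter's correlation advice and the posted rule are all working toward: a Lifecycle Event trigger rule that returns a boolean, and a plan builder that disables every AD Link on the cube (and on any other cube sharing the same email) and moves it with AC_NewParent. The application name "Active Directory", the DisabledUsers OU DN and the attribute "email" are taken from the thread; the attribute name "endDate", the class name LeaverRules and the method names are assumptions. In IIQ each method body would be pasted into its own rule: the trigger rule receives previousIdentity and newIdentity from IIQ, and the workflow step rule receives context and identity.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Added example, not code from the thread. "Active Directory", OU=DisabledUsers and
// the identity attribute "email" come from the thread; "endDate" is assumed to be a
// searchable identity attribute holding a Date or a yyyy-MM-dd string.
public class LeaverRules {

    static final String AD_APP = "Active Directory";
    static final String DISABLED_OU = "OU=DisabledUsers,DC=IIQAD,DC=com";
    static final String SHARED_ATTR = "email";

    /** Lifecycle Event trigger rule body (type IdentityTrigger, must return a
     *  boolean): fire once, when the identity transitions into "left". */
    public static boolean leaverTrigger(Identity previousIdentity, Identity newIdentity) {
        if (newIdentity == null) return false;
        Date now = new Date();
        boolean leftNow = hasLeft(newIdentity, now);
        boolean leftBefore = previousIdentity != null && hasLeft(previousIdentity, now);
        return leftNow && !leftBefore;
    }

    /** True when the identity is inactive or its end date is today or earlier. */
    static boolean hasLeft(Identity identity, Date now) {
        if (identity.isInactive()) return true;
        Object raw = identity.getAttribute("endDate");   // assumed attribute name
        if (raw == null) return false;
        Date endDate;
        if (raw instanceof Date) {
            endDate = (Date) raw;
        } else {
            try {   // attribute stored as text, e.g. 2024-12-31
                endDate = new SimpleDateFormat("yyyy-MM-dd").parse(Util.otos(raw));
            } catch (ParseException e) {
                return false;   // unparseable value: do not fire the leaver
            }
        }
        return !endDate.after(now);
    }

    /** Workflow step body: one plan per identity that owns AD accounts to disable.
     *  After correlation the manually created account is a Link on the leaver's cube
     *  and is covered by the first plan; the search also catches a second cube that
     *  shares the leaver's email. Accounts on no cube at all are not reachable here. */
    public static List<ProvisioningPlan> buildLeaverPlans(SailPointContext context, Identity leaver)
            throws GeneralException {
        List<ProvisioningPlan> plans = new ArrayList<ProvisioningPlan>();
        plans.add(buildPlanFor(leaver));
        String shared = Util.otos(leaver.getAttribute(SHARED_ATTR));
        if (Util.isNotNullOrEmpty(shared)) {   // SHARED_ATTR must be searchable
            QueryOptions qo = new QueryOptions();
            qo.add(Filter.ignoreCase(Filter.eq(SHARED_ATTR, shared)));
            for (Identity other : context.getObjects(Identity.class, qo)) {
                if (!other.getId().equals(leaver.getId())) {
                    plans.add(buildPlanFor(other));
                }
            }
        }
        return plans;
    }

    /** Disable every AD Link on the identity and move it to DISABLED_OU. */
    static ProvisioningPlan buildPlanFor(Identity identity) {
        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);   // the Provisioner resolves requests against this cube's Links
        List<Link> links = identity.getLinks();
        if (links != null) {
            for (Link link : links) {
                if (!AD_APP.equals(link.getApplicationName())) continue;
                AccountRequest req = new AccountRequest();
                req.setApplication(AD_APP);
                req.setNativeIdentity(link.getNativeIdentity());   // the account DN, not the identity name
                req.setOperation(AccountRequest.Operation.Disable);
                // AC_NewParent is the AD connector attribute that moves the object to another OU
                req.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, DISABLED_OU));
                plan.add(req);
            }
        }
        return plan;
    }
}
```

The first plan in the list is what the OOTB Lifecycle Event - Leaver workflow's plan variable expects; the remaining plans (for other cubes sharing the email) need their own provisioning step in the workflow. Two caveats: comparing previousIdentity with newIdentity makes the event fire once on the transition rather than on every refresh where endDate equals today, and the email search only finds accounts that are already correlated to some cube, so the aggregation-with-correlation step has to run first.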