Leavers OU movement in lapsed LCS state

Hi,

I have written the code below before provisioning the rule to move the OU of the user to the ‘Lapsed’ status. This code is working fine in our sandbox environment. However, when I deployed this code in the pre-production environment, it is not working as expected, even though I am not seeing any error messages. I have updated the OU as per the pre-production environment and tried running disable optimization, attribute sync, but no luck. Can anyone help me here?

<?xml version='1.0' encoding='UTF-8'?> Rule executed for Leavers <![CDATA[
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.Identity;
import sailpoint.rule.IdnRuleUtil;
import java.util.List;

String lcsState = null;
boolean moveOUADFlag = false;

log.info("Entering into the code");
if (plan != null) {
    Identity identity = plan.getIdentity();
    lcsState = identity.getAttribute("cloudLifecycleState");
    log.info("Fetching cloudLifecycleState");
    for (AccountRequest accountRequest : plan.getAccountRequests()) {
        if (accountRequest.getOp().equals(ProvisioningPlan.ObjectOperation.Modify)) {
            log.debug("Entering the loop");
            List attributes = accountRequest.getAttributeRequests();
            log.debug("Get Attribute request");
            for (AttributeRequest attribute : attributes) {
                if (attribute.getName().equals("description")) {
                    moveOUADFlag = true;
                    log.debug("Setting the description flag to true");
                }
            }
            if (lcsState != null && !lcsState.isEmpty()) {
                if (moveOUADFlag && lcsState.equalsIgnoreCase("lapsed")) {
                    accountRequest.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, "OU=Lapsed,OU=Staff,DC=uol730,DC=local"));
                    log.debug("Moving to Lapsed OU");
                }
            }
        }
    }
}
  ]]></Source>
</Rule>

Have you verified that AC_NewParent is getting set in the provisioning plan?

If it has, you can try viewing the provisioning result in an AfterModify PowerShell rule. I have sometimes seen errors appear in the result object that are not reported through the UI.

You can try adding the following to an AfterModify Rule:

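Add-Type -Path utils.dll;

# date stamp used in the log file name
$logDate = Get-Date -UFormat "%Y%m%d"

#update path with actual log file path
$logFile = "c:\SailPoint\IQService\Scripts\Logs\AfterModify-AD_$logDate.log"

# the IQService passes the request and the result to the script as environment variables
$requestAsString = $env:Request;
$resultAsString = $env:Result;

Add-Content $logFile -Value $requestAsString
Add-Content $logFile -Value $resultAsString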

This will print out both the incoming Request and Result. Check the result object to see if there are any errors moving the account.
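
Added example (not part of the reply above and not SailPoint's own code): one way to check the logged request for the AC_NewParent attribute request and to compare the domain components of the target OU with those of the account being modified. The XML shape (an AccountRequest element with a nativeIdentity attribute and AttributeRequest children carrying name and value attributes), the function names and the sample DNs are assumptions; adjust them to what the log actually contains.

```powershell
# Assumed request shape: <AccountRequest nativeIdentity="..."> with
# <AttributeRequest name="..." op="..." value="..."/> children.

function Get-DcSuffix {
    param([string]$Dn)
    # Split on commas that are not backslash-escaped and keep only the DC= parts.
    $parts = [regex]::Split($Dn, '(?<!\\),') | ForEach-Object { $_.Trim() }
    $dcs = @($parts | Where-Object { $_ -match '^DC=' })
    return ($dcs -join ',').ToLowerInvariant()
}

function Test-OuMoveRequest {
    param([string]$RequestXml)
    $doc = [xml]$RequestXml
    $account = $doc.SelectSingleNode('//AccountRequest')
    if ($null -eq $account) { throw 'No AccountRequest element found' }

    $move = $account.SelectSingleNode("AttributeRequest[@name='AC_NewParent']")
    $finding = [ordered]@{
        NativeIdentity = $account.GetAttribute('nativeIdentity')
        HasNewParent   = ($null -ne $move)
        NewParent      = $null
        SameDomain     = $false
    }
    if ($null -ne $move) {
        # A target OU in a different domain than the account cannot be a valid move target.
        $finding.NewParent  = $move.GetAttribute('value')
        $finding.SameDomain = (Get-DcSuffix $finding.NewParent) -eq
                              (Get-DcSuffix $finding.NativeIdentity)
    }
    return [pscustomobject]$finding
}

# Constructed sample request (hypothetical DNs, not captured from a real tenant).
$sample = @'
<AccountRequest application="AD" nativeIdentity="CN=Jane Doe,OU=Staff,DC=preprod,DC=example" op="Modify">
  <AttributeRequest name="description" op="Set" value="Leaver"/>
  <AttributeRequest name="AC_NewParent" op="Set" value="OU=Lapsed,OU=Staff,DC=sandbox,DC=example"/>
</AccountRequest>
'@

Test-OuMoveRequest -RequestXml $sample | Format-List
```

For the constructed sample, HasNewParent is True and SameDomain is False, because the target OU still carries the other environment's DC components.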
