When we went live with SailPoint, the professional services team set up a lifecycle state called ADInactive. A user gets that lifecycle state if their account is disabled and in an inactive OU in Active Directory. Then when a termination comes across from our Lawson system, it is not changing the lifecycle state to inactive. There is a transform which is below. I have tried modifying it so that it would set the standard lifecycle state if employment status is T1 and the AD account inactive is true, but it will not work. It will also not move the account to the terminated OU and remove groups from the account. The screenshot below the original is what I am trying.
Hi @dpowers1
Can you share the transform you are using for reference.
Here are the transforms that are referenced. We have a manual process right now where we disable an account that hasn't had any activity on it in 90 days and move the account to the Inactive Users OU in our Active Directory. Right now if an employee is in that OU the lifecycle state is ADInactive, and if a termination status comes across from our ERP system, it is not removing the groups, moving to the Terminated Users OU and setting the lifecycle state to Inactive.
Hi David,
The transform you provided is incorrect — the condition below doesn’t evaluate properly.
You can try the below logic to get the desired output instead of the above.
#if ($isInactiveAccount == 'false' && $estatus == 'T1')$standardLCS#else$adInactive#end
Let me know
-Ganesh
Hi @dpowers1
What value is assigned to the 'status' attribute? Please check and let me know.
Thank you!
I tried the logic below in our Sandbox environment and it set the lifecycle state of an account that had an A1 status from our Lawson source, disabled and in the inactive OU, to adInactive. Then I checked another account that was not disabled and not in the Inactive OU and it had the adInactive lifecycle state when it should have been active.
#if ($isInactiveAccount == 'false' && $estatus == 'T1')$standardLCS#else$adInactive#end
Normally the technical name for an identity attribute has the same words as the displayed name. Yours seem to be different; can you review your identity profile and make sure that IS AD ACCOUNT INACTIVE has a technical name of InactiveAccount with that capitalization, and that LIFECYCLE STATE has a technical name of SetLawsonLifeCycleState?
Please use the below logic; it should work based on my understanding, else you need to tweak the logic a little bit.
#if ($estatus == 'T1')$standardLCS#elseif($isInactiveAccount == 'false')$adInactive#else$standardLCS#end
I changed it to the below. It seemed to have set the correct lifecycle state; basically, if the user is in the Inactive OU in AD and they still have an A1 status from our ERP system, then the lifecycle state should be ADInactive. The problem that I am having now: say a termination (T1) status comes across for that account, then the lifecycle state should be inactive and all the group memberships should be removed from the AD account and it should be moved to the Terminated Users OU, but it is not removing the groups and moving the account to the Terminated Users OU in AD.
#if ($estatus == 'T1')$standardLCS#elseif($isInactiveAccount == 'true')$adInactive#else$standardLCS#end
The transform is referencing other transforms and not the identity attribute
David,
There are two things we are talking about:
- Setting lifecycle state - Is this working as expected ?
- When user state is inactive, remove AD groups and move the account to the inactive OU - You need to develop either a "Before provisioning rule" or a "Standard before provisioning rule" to achieve this functionality.
-Ganesh
Ganesh
That is the thing: if the user is not in the inactive OU and a T1 status comes through, then it will remove the groups and move the user to the Terminated Users OU, but if they are in the inactive OU and already disabled and a terminated status comes across and the lifecycle state is changed to inactive, it will not remove the groups and move the account.
If an account is already disabled, SailPoint will not trigger the disable operation again unless the account is first enabled for a specific state (in which case it will attempt to enable the AD account). In the before-provisioning rule, you can set the groups to null and set the operation to disable.
From your message above, I’m unclear why the AD account was moved to the Inactive OU before the lifecycle state was set to Inactive. If the lifecycle state is Active, then the AD account should remain active and in the correct OU. The disable operation and move to the Inactive OU should only occur when the lifecycle state changes to Inactive.
If we can clarify this process, I can recommend a better solution.
-Ganesh
We currently have a manual process where I disable AD accounts manually when the account has had no login activity for 90 days or more, and move them to the Inactive Users OU. Right now in our SailPoint production, when an aggregation is run (I believe on the AD source), it sets the user's lifecycle state to ADInactive. That was not set up by me; a SailPoint engineer set that up. Then if a Term status comes across from our ERP for that user, I want it to move the user to the Terminated Users OU and remove the groups. I was trying to get it to work in our test environment before I place it into production.
Yeah, now it makes sense why he created another LCS, ADInactive.
Can you tell me what the provisioning configurations are when the LCS is ADInactive?
-Ganesh
Below is the provisioning configuration. It was not set up in our Sandbox environment, so I set it up to mirror how it was set up in our production. I keep setting the identitystate to null but it keeps reverting back to Active in the Sandbox.
This is what it looks like in our production
Here’s the final version — this will work based on your requirements. However, you will need to create a new lifecycle state to handle cases where the HR status is T1 and the AD account is already disabled (and moved to the Inactive OU).
Let’s call this new lifecycle state inactiveADDisabled. When the state changes to this value, configure it to first enable the AD account so that SailPoint initiates the enable operation. Then, in the before-provisioning rule, override the operation to disable and set the AD groups to null (or a default group). This approach ensures the AD account remains disabled while also removing all group memberships.
Once you have the new state, use the below logic.
#if ($estatus == 'T1' && $isInactiveAccount == 'true')inactiveADDisabled#elseif($isInactiveAccount == 'true' && $estatus != 'T1')$adInactive#else$standardLCS#end
-Ganesh
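A sketch of the before-provisioning rule described in the reply above, written in the BeanShell used by IdentityNow rules. This is an added example, not code from this thread or from SailPoint; it assumes the standard rule inputs `plan` and `identity`, an AD source named "Active Directory", the AD connector's `AC_NewParent` attribute for OU moves, and a placeholder DN for the Terminated Users OU.

```java
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumptions: IdentityNow exposes "plan" (ProvisioningPlan) and "identity"
// (Identity) to a Before Provisioning rule and the plan is modified in place.
String AD_SOURCE = "Active Directory";                         // assumed source name
String TERM_OU   = "OU=Terminated Users,DC=example,DC=com";    // placeholder DN
String lcs = (String) identity.getAttribute("cloudLifecycleState");

// Only act for the new state that fires when HR says T1 but AD is already disabled.
if ("inactiveADDisabled".equals(lcs) && plan.getAccountRequests() != null) {
  for (AccountRequest ar : plan.getAccountRequests()) {
    if (!AD_SOURCE.equals(ar.getApplication())) {
      continue;
    }
    // The LCS is configured to *enable* the account so that SailPoint generates
    // a request at all; flip that request back to a disable so AD stays disabled.
    if (AccountRequest.Operation.Enable.equals(ar.getOperation())) {
      ar.setOperation(AccountRequest.Operation.Disable);
    }
    // Replace any existing memberOf request with a Set to null, which clears groups.
    AttributeRequest existing = ar.getAttributeRequest("memberOf");
    if (existing != null) {
      ar.remove(existing);
    }
    ar.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Set, null));
    // Move the account to the Terminated Users OU (assumed connector attribute).
    ar.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, TERM_OU));
  }
}
```

Test this in the sandbox first: confirm the generated plan shows a Disable operation, an empty memberOf, and the new parent OU before attaching the rule to the production AD source.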