Hi Team,
We would like to remove the user roles/entitlements and disable/delete the user from the target MSSQL server application during user departure from the company and any ideas how to implement?
Thanks
Kalyan
Hi @kalyannambi2010,
I believe you can utilize workflows in this scenario. Design the workflow as follows: when the user enters a specific LCS state that denotes their departure (using an Identity Attribute Change trigger), retrieve all of their roles, entitlements, and access profiles. Then, using loops, remove their access and employ the "Get and Manage Accounts" function to disable the user.
Thank you!
Hi @GOKUL_ANANTH_M thank you for your reply and is there a way we can disable the user during user leaver like if we add MSSQL source in identity profile and MSSQL service account has the required access where no need to remove any roles from the user?
Do you have any sample code for the approach you mentioned?
Thanks
Kalyan
Hi @kalyannambi2010 ,
If you are willing to disable accounts without removing the role, just configure this via identity profile itself.
This is the one step. If you think of doing it via a workflow, then:
$.changes[?(@.attribute == "cloudLifecycleState" && @.newValue == "terminated")]
$.trigger.identity.id
$.getAccounts.accounts[?(@.sourceName=="sourceName")].id
You can use like this. Thanks!
Hi @GOKUL_ANANTH_M thank you so much and can we apply any rule code for role removal instead of workflow logic for MSSQL source?
Thanks
Kalyan
I think you can use JDBC Provisioning Rule, if you prefer to use rules.
But still, is there any reason, you are eliminating workflows option?
Hi @GOKUL_ANANTH_M as of now we are not using any workflows so thought of using any rules could be applied and for MSSQL sources could we apply JDBC rules?
Thanks
Kalyan
Yes, you can use the JDBC Provisioning Rule here. This is likely to be the same as the JDBC connector, right?
Thanks!
Just adding 1 more point here:
After adding the source to the ID profile to be disabled, if you see the source is getting enabled again after aggregation, then I believe a JDBCBuildmap rule will be required to handle the disabled account. The rule will simply check the status of the user in the table and set IIQDisabled true/false.
Hi @GOKUL_ANANTH_M and @gourab for just checking for MSSQL connector can we apply a JDBC provisioning and JDBC buildmap rules?
Thanks
Kalyan
Yes we can use these rules (JDBC Provisioning and JDBC Buildmap) for MSSQL Connector.
Thanks!
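An added example, not code posted in this thread and not SailPoint's own: a sketch of a JDBC Provisioning Rule (BeanShell) that handles the leaver case discussed above, disabling the account on a Disable request and deleting role rows on a Modify request that removes roles. The tables `app_users` and `app_user_roles`, their columns, the `'inactive'` status value and the `roles` attribute name are assumptions to be replaced with the target database's schema.

```java
// JDBC Provisioning Rule body (BeanShell); the connector supplies connection, plan, log.
// ASSUMED names: tables app_users/app_user_roles, their columns, attribute "roles".
import java.sql.PreparedStatement;
import java.util.Collections;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;

ProvisioningResult result = new ProvisioningResult();
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
List accounts = (plan == null) ? null : plan.getAccountRequests();
if (accounts == null) accounts = Collections.emptyList();

for (AccountRequest account : accounts) {
    String login = account.getNativeIdentity();
    PreparedStatement stmt = null;
    try {
        if (AccountRequest.Operation.Disable.equals(account.getOperation())) {
            // Leaver disable: bind the login as a parameter, never concatenate it.
            stmt = connection.prepareStatement(
                "UPDATE app_users SET status = 'inactive' WHERE login = ?");
            stmt.setString(1, login);
            stmt.executeUpdate();
        } else if (AccountRequest.Operation.Modify.equals(account.getOperation())) {
            stmt = connection.prepareStatement(
                "DELETE FROM app_user_roles WHERE login = ? AND role_name = ?");
            List attrs = account.getAttributeRequests();
            if (attrs == null) attrs = Collections.emptyList();
            for (AttributeRequest attr : attrs) {
                if (!"roles".equals(attr.getName()) || !ProvisioningPlan.Operation.Remove.equals(attr.getOperation())) continue;
                Object v = attr.getValue();  // a single String or a List of role names
                List roles = (v instanceof List) ? (List) v : Collections.singletonList(v);
                for (Object role : roles) {
                    stmt.setString(1, login);
                    stmt.setString(2, String.valueOf(role));
                    stmt.executeUpdate();
                }
            }
        }
    } catch (Exception e) {
        log.error("Deprovisioning failed for " + login, e);
        result.setStatus(ProvisioningResult.STATUS_FAILED);
        result.addError(e);
    } finally {
        if (stmt != null) stmt.close();
    }
}
return result;
```

The service account behind the JDBC source only needs UPDATE on the user table and DELETE on the role-mapping table for this rule, which keeps its database privileges narrow.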
Hi @GOKUL_ANANTH_M thank you so much for the updates.
Similar to MSSQL server, we have one more requirement for WebService connector where we need to remove the entitlements/roles associated with user accounts and disable the user in the target WebService application. Do you have any thoughts and any sample code for this? I assume we can do this with WebService before operation rule but how to implement this?
Thanks
Kalyan
Hi,
You will already have OOTB features to set APIs in source config to remove/add/enable/disable operations on webservice connector. Rule is only needed if OOTB is not able to meet exact requirements.
Find here more on HTTP operations: HTTP Operations
Find here more about rules: Web Services After Operation Rule | SailPoint Developer Community
Hi @gourab yes, I have already defined separate HTTP operations for role remove and disable account operations and working fine. But our requirement is to remove the entitlements/roles associated with user accounts and disable the user in the target WebService application during user leaver and how can we implement this feature in a single HTTP operation or rule?
Thanks
Kalyan