We have a requirement where we have to move OU of identity to disabled users OU after 7 days of termination. Is this feasible through workflows? In case it is, what Action item is used to set AC_NewParent and AC_NewOU in Active Directory. Also in Azure how can we achieve this.
First requirement here is to store the date and time of disable. We are storing this under “comments” attribute in AD and using that timestamp.
We are having active, inactive and archive LCS. On Inactive LCS we are disabling accounts and on archive LCS we are removing access.
You can use dateCompare and dateMath transform to derive new LCS by comparing current time with “comments” value and that would give you new LCS.
In case you do not want to have new LCS, just use this transform under any identity attribute, use this identity attribute to assign IdentityNow role. This idn role would assign dummy entitlement and when this dummy entitlement Add request gets triggered , capture it in before provisioning rule and set AC_NewParent. You would not need to write before provisioning rule for this if you take advantage of “Services standard rule”.
There is too much info in above comments , so if you have any doubts, please highlight specific lines and ask questions so I can clarify
Hi Chirag,
Thank you for the information. I did implement below logic in my scenario
-
We get disable identity from source then I do disable user
-
We get delete identity from source then also user should be in disabled state from day 0 and PIM script is triggered/email is sent based on attribute →
For which on day0 I created new LCS to enable and PIM script is triggered and values should be readback
[Here I want to disable user as I dont want to wait till 7 days , can we use object IIQ disable here → Is this feasible in AfterModifyConnector Script? ] -
On day 7 I want to check date and move to disabled ou for few users and delete AD account for others based on department/ rename vlaue [before Provisioning Rule]
In order to achieve this I did write LCS Transform but not sure why its not triggering on date calculation. How to enable logs for transform?
DisableDeleteTransform.txt (2.7 KB)
Attaching Transform do let me know if any corrections
Regards,
Yamini
I did see one link related to this and I believe this has some versions . how we can use this? I don’t see this rule in our existing sandbox. Could you please provide more information regarding this?
Thank you.
Regards,
Yamini