Move User to other OU (Organization Unit) on Active Directory Application

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hi there,
I need to change the OU (Organization Unit) of an Identity/User in the Active Directory Application.
I didn't find any OOB functionality to do this, so I assume I need to develop some code…
If so, can you please give some highlights/examples on how to do it?
I need to change all the users that have a specific entitlement from the Active Directory Application.
I also have another requirement of changing this automatically if that entitlement is added to an identity.

Tks a lot for your help,

Regards,

Paulo Torrinha

Hi and Hello,

For SailPoint IdentityIQ (IIQ), to automate the process of changing an identity’s Organizational Unit (OU) in Active Directory when a specific entitlement is added, you’ll need to create a combination of a rule, a custom workflow, and possibly modify your Active Directory connector configuration.

Step 1: Define the Rule

You need to create a rule in IIQ that will determine when an identity’s OU should change based on the entitlements associated with that identity. This rule will typically be invoked by a workflow.

Step 2: Modify the Active Directory Connector (if necessary)

You may need to ensure that the Active Directory (AD) connector in IIQ is configured to allow modifications to the distinguishedName attribute. This setup is usually done in the Connector Configuration under your IIQ admin interface.

Step 3: Create a Workflow

Develop a workflow that:

  1. Is triggered when an identity receives a new entitlement or during regular reviews.
  2. Invokes the rule you wrote to calculate the new OU.
  3. Applies the change to the identity’s profile in IIQ, which in turn should synchronize with AD.

For automating the process, you can schedule the workflow to run at specific intervals or trigger it based on events.

Regards,
Adam

3 Likes

@PTCGD : You can potentially use a run ruler task to execute automatically.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Test Rule">
  <Source>
  import java.io.*;
  // the file path is passed in as a Run Rule task argument
  String filePath = (String) config.get("filePath");

  String line = "";
  String splitBy = ",";
  BufferedReader br = null;
  try {
    // parse the CSV file line by line through a BufferedReader
    br = new BufferedReader(new FileReader(filePath));
    while ((line = br.readLine()) != null) {   // readLine() returns null at end of file
      String[] data = line.split(splitBy);     // use comma as separator
      if (data.length > 1) {                   // skip rows without both columns
        System.out.println("Account [Account ID=" + data[0] + ", Last Login=" + data[1] + "]");
      }
    }
  } catch (IOException e) {
    // printStackTrace() returns void, so it cannot be passed to println
    e.printStackTrace();
  } finally {
    if (br != null) {
      try { br.close(); } catch (IOException ignore) { }
    }
  }
  </Source>
</Rule>
1 Like

Hi Paolo,
To move an AD account to a different OU you have to provision the value of the new OU into the attribute called AC_NEWPARENT. Once you do that the connector will move the account to the new OU.
It's a fairly simple task, but let's think a bit about the requirements you have.

In the first place you have to move all accounts which have a certain AD Entitlement into the new OU, and then whenever someone gets this entitlement they should also be moved to this OU. Am I right with my understanding?

If yes, we have 2 different processes.

  1. Mass move to new OU - here, as @Saket95606 mentioned, the easiest way would be to write a small rule to achieve this and execute it via run rule.
  2. Move whenever a certain entitlement is granted - here I would create a before provisioning rule where I would inspect the provisioning plan to check if the operation in the plan is add entitlement, and if yes then move the account.

In the first case you will have to find the population of users who have the required entitlement - you can either write a filter and get it via QueryOptions or just click it through in Advanced Analytics → Identity Search and save it as a Population. Once you do that - for each identity you have on the list - create a Provisioning Plan with the AC_NEWPARENT attribute value and execute it.

In the second case you don't need to search for the identity, so you can just add this attribute into the plan that is already granting the required permission.

3 Likes
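The second process described above, a before provisioning rule that inspects the plan and adds the OU move when the entitlement is being granted, as an added example that is not code from this thread or from SailPoint. It is the BeanShell body of an application-level "Before Provisioning" rule for the AD application (plan, application, context and log are that rule type's standard arguments). The attribute name memberOf, the group DN, the target OU and the helper names addsTriggerGroup and alreadyInTargetOu are assumptions and placeholders; the AC_NewParent attribute and the Modify/Set pattern are the ones used elsewhere in this thread.

```java
// Added example (not the thread's own code): Before Provisioning rule body for the AD application.
// When the plan going to the connector adds the trigger group to an EXISTING account, the rule also
// sets AC_NewParent so the connector moves the account in the same operation.
// Assumptions: entitlement attribute is "memberOf"; group DN and target OU are placeholders.
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String ENTITLEMENT_ATTR = "memberOf";
String TRIGGER_GROUP_DN = "CN=Remote-Staff,OU=Groups,DC=example,DC=com"; // placeholder
String TARGET_OU        = "OU=Remote,OU=Users,DC=example,DC=com";       // placeholder

// True when this account request ADDs the trigger group (the value may be one DN or a list of DNs).
// Remove/Set operations on memberOf are deliberately ignored: only a grant triggers the move.
boolean addsTriggerGroup(AccountRequest req) {
  List attrReqs = req.getAttributeRequests(ENTITLEMENT_ATTR);
  if (attrReqs == null) return false;
  for (AttributeRequest ar : attrReqs) {
    if (ar.getOperation() != ProvisioningPlan.Operation.Add) continue;
    Object v = ar.getValue();
    List values = (v instanceof List) ? (List) v : Collections.singletonList(v);
    for (Object value : values) {
      if (TRIGGER_GROUP_DN.equalsIgnoreCase(String.valueOf(value))) return true;
    }
  }
  return false;
}

// True when the account's DN already sits directly under the target OU, so no move is needed.
// LdapName parses RDNs properly (escaped commas, spacing) and compares case-insensitively,
// which a plain endsWith() on the DN string would not do.
boolean alreadyInTargetOu(String dn) {
  try {
    LdapName name = new LdapName(dn);
    if (name.size() < 2) return false;
    LdapName parent = (LdapName) name.getPrefix(name.size() - 1);
    return parent.equals(new LdapName(TARGET_OU));
  } catch (InvalidNameException e) {
    log.warn("Not a parseable DN, skipping OU check: " + dn);
    return false;
  }
}

if (plan != null && plan.getAccountRequests() != null) {
  for (AccountRequest req : plan.getAccountRequests()) {
    // Only existing accounts can be moved; a Create already places the account via its DN.
    if (req.getOperation() != AccountRequest.Operation.Modify) continue;
    if (!addsTriggerGroup(req)) continue;
    // Respect an OU decision the caller already put in the plan.
    if (req.getAttributeRequest("AC_NewParent") != null) continue;
    String dn = req.getNativeIdentity();
    if (dn != null && alreadyInTargetOu(dn)) continue;
    req.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, TARGET_OU));
    log.info("Adding OU move to " + TARGET_OU + " for account " + dn);
  }
}
```

When you paste this into the `<Source>` element of a Rule XML, the `<` in `name.size() < 2` must be escaped as `&lt;` or the whole source wrapped in a CDATA section. Because a move changes the account's DN, re-aggregating the affected accounts afterwards (see the single account aggregation link later in this thread) keeps the Link's nativeIdentity current. Since the target OU determines which group policies and delegated permissions apply to the moved accounts, the OU value should be reviewed as carefully as the entitlement that triggers the move.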

@PTCGD

If you need some samples, you can find more below,

AD OU Moves - Compass (sailpoint.com)

AC_NewParent and AD accounts moving to a new OU - Compass (sailpoint.com)

For Single Account Aggregation,

Aggregating a single account from an application - Compass (sailpoint.com)

Hope these documents will help you, just adding + on the above threads.

Thanks,
Pravin

Hi,

do you have any sample code?
Can I do all of this by creating a rule and running it?

Tks.

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.Message;

// Run Rule task arguments: "username" is a colon-separated list of identity names,
// "newPath" is the DN of the target OU
String identityNames = (String) config.get("username");
String acNew_Parent = (String) config.get("newPath");
String[] identityArray = identityNames.split(":");
log.debug("identityArray " + Arrays.toString(identityArray));
for (int i = 0; i < identityArray.length; i++) {

  Identity identityObject = context.getObjectByName(Identity.class, identityArray[i]);
  if (identityObject == null) {
    taskResult.addMessage(Message.warn("Identity not found: " + identityArray[i]));
    continue;
  }
  Link appLink = identityObject.getLink(context.getObjectByName(Application.class, "ApplicationName"));
  // for an AD account the link's native identity is the account's DN
  String nativeUserIdentity = (appLink != null) ? appLink.getNativeIdentity() : null;

  try {

    if (nativeUserIdentity != null) {

      ProvisioningPlan plan = new ProvisioningPlan();
      List accountRequests = new ArrayList();
      AccountRequest accountRequest = new AccountRequest();
      accountRequest.setOperation(AccountRequest.Operation.Modify);
      accountRequest.setApplication("ApplicationName");
      accountRequest.setNativeIdentity(nativeUserIdentity);
      // AC_NewParent tells the AD connector to move the account under this OU
      accountRequest.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, acNew_Parent));
      accountRequests.add(accountRequest);
      plan.setAccountRequests(accountRequests);
      plan.setIdentity(identityObject);
      Provisioner provisioner = new Provisioner(context);
      provisioner.execute(plan);
    }

  } catch (Exception e) {
    taskResult.addMessage(Message.error("Exception for identity : " + identityObject.getName() + " || Error :" + e));
    log.debug("Exception *********" + e.getMessage());
  }

}

Run rule task - With custom input and return values - Compass (sailpoint.com)

I have just quickly written some sample code for you, plz customize it as per your requirement :stuck_out_tongue:

@PTCGD If u r happy with the solution u can accept it :blush:
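The run-rule sample above takes the identity names from a task argument. For the first process in Kamil's answer (the mass move of everyone who already holds the entitlement), the population can be selected with a QueryOptions filter instead of a typed list. The following is an added example, not code from this thread or from SailPoint: a Run Rule task body that queries IdentityEntitlement rows for the group and moves each matching AD account with the same Modify + AC_NewParent plan. The task argument names applicationName, groupDN, newParent and dryRun, the memberOf attribute name and the helper buildMovePlan are assumptions; config, context, log and taskResult are the Run Rule task's standard variables.

```java
// Added example (not the thread's own code): Run Rule task body that moves every AD account
// holding a given group into a target OU. Argument names and the "memberOf" attribute are assumptions.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.naming.ldap.LdapName;
import sailpoint.api.Provisioner;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Message;

String appName  = (String) config.get("applicationName"); // e.g. "Active Directory"
String groupDn  = (String) config.get("groupDN");         // group whose members are moved
String targetOu = (String) config.get("newParent");       // OU DN the accounts move under
boolean dryRun  = "true".equalsIgnoreCase(String.valueOf(config.get("dryRun"))); // preview only

if (appName == null || groupDn == null || targetOu == null) {
  taskResult.addMessage(Message.error("applicationName, groupDN and newParent are required"));
  return "aborted: missing arguments";
}

// One plan per account: Modify the existing account and set AC_NewParent, as done elsewhere in this thread.
ProvisioningPlan buildMovePlan(Identity identity, String dn) {
  AccountRequest req = new AccountRequest();
  req.setOperation(AccountRequest.Operation.Modify);
  req.setApplication(appName);
  req.setNativeIdentity(dn);
  req.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, targetOu));
  ProvisioningPlan plan = new ProvisioningPlan();
  plan.add(req);
  plan.setIdentity(identity);
  return plan;
}

// Select the population by entitlement: every IdentityEntitlement row for this application
// whose memberOf value is the group (case-insensitive, since DNs are).
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", appName));
qo.addFilter(Filter.eq("name", "memberOf"));
qo.addFilter(Filter.ignoreCase(Filter.eq("value", groupDn)));

LdapName target = new LdapName(targetOu);
Set seen = new HashSet();            // one move per account even if the row is duplicated
int moved = 0, skipped = 0, failed = 0;
// Projection query so the session can be decached while iterating.
Iterator it = context.search(IdentityEntitlement.class, qo, Arrays.asList("identity.id", "nativeIdentity"));
while (it.hasNext()) {
  Object[] row = (Object[]) it.next();
  String identityId = (String) row[0];
  String dn = (String) row[1];
  if (identityId == null || dn == null || !seen.add(dn.toLowerCase())) continue;
  try {
    LdapName name = new LdapName(dn);
    // Already directly under the target OU: nothing to do.
    if (name.size() > 1 && name.getPrefix(name.size() - 1).equals(target)) { skipped++; continue; }
    Identity identity = context.getObjectById(Identity.class, identityId);
    if (dryRun) {
      log.info("[dry run] would move " + dn + " to " + targetOu);
    } else {
      new Provisioner(context).execute(buildMovePlan(identity, dn));
    }
    moved++;
  } catch (Exception e) {
    failed++;
    taskResult.addMessage(Message.error("Move failed for " + dn + ": " + e));
  }
  // Keep the Hibernate session small on large populations.
  if ((moved + skipped + failed) % 100 == 0) context.decache();
}
String summary = "moved=" + moved + " skipped=" + skipped + " failed=" + failed + (dryRun ? " (dry run)" : "");
taskResult.addMessage(Message.info(summary));
return summary;
```

Run it once with dryRun=true and check the task result before letting it provision: the log then lists exactly which accounts would move, which is the review you want before changing the OU of a whole population. IdentityEntitlement rows are only populated by an identity refresh that promotes entitlements, so the query finds nothing on an environment where that refresh has not run; in that case query Link objects instead. As with any OU move, re-aggregate the accounts afterwards so the links carry the new DN.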

@PTCGD this is + on Saket thread,

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="TestMoveOURule">
  <Source>
		import java.util.ArrayList;
		import java.util.List;
		import sailpoint.object.*;
		import sailpoint.object.ProvisioningPlan.AccountRequest;
		import sailpoint.object.ProvisioningPlan.AttributeRequest;
		import sailpoint.api.Provisioner;
		import sailpoint.tools.Message;

		// replace "identityName", "ApplicationName" and the OU DN with your own values
		Identity identityObject = context.getObjectByName(Identity.class, "identityName");
		Link appLink = identityObject.getLink(context.getObjectByName(Application.class, "ApplicationName"));
		// for an AD account the link's native identity is the account's DN
		String nativeUserIdentity = (appLink != null) ? appLink.getNativeIdentity() : null;
		String acNew_Parent = "OU=test1,XXXX";
		try {

		  if (nativeUserIdentity != null) {

			ProvisioningPlan plan = new ProvisioningPlan();
			List accountRequests = new ArrayList();
			AccountRequest accountRequest = new AccountRequest();
			accountRequest.setOperation(AccountRequest.Operation.Modify);
			accountRequest.setApplication("ApplicationName");
			accountRequest.setNativeIdentity(nativeUserIdentity);
			// AC_NewParent tells the AD connector to move the account under this OU
			accountRequest.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, acNew_Parent));
			accountRequests.add(accountRequest);
			plan.setAccountRequests(accountRequests);
			plan.setIdentity(identityObject);
			Provisioner provisioner = new Provisioner(context);
			provisioner.execute(plan);
		  }

		} catch (Exception e) {
		  taskResult.addMessage(Message.error("Exception for identity : " + identityObject.getName() + " || Error :" + e));
		  log.debug("Exception *********" + e.getMessage());
		}

  </Source>
</Rule>

This is the KB where you will learn about rules and syntax.

Writing Rules and Scripts - Compass (sailpoint.com)

There are multiple ways to test a rule, but a simple way is to test it via the debug page like below.

2 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.