Our Active Directory contains two distinct Organizational Units (OUs): one for employees and another for contractors. All access for contractors is automatically provisioned through SailPoint roles. Is there a way to configure native change detection to focus on the contractor OU specifically, ensuring it identifies updates to AD group membership that occur outside of SailPoint’s role-based auto-provisioning?
The only way I can think to accomplish this is to have two separate AD sources, one for each OU; then you can set Native Change rules separately on each source.
Thank you for your suggestion. Creating a separate source in our environment is somewhat challenging, as it involves modifying the existing rule.
@sivakumarnallu
We cannot filter native change detection to a specific OU. May I know what the requirement is?
Our HR system provides data for both employees and contractors. While we have well-defined roles in place to provision access for contractors in Active Directory (AD), the process for employees is only partially automated. The remaining employee access requests are handled manually through a ticketing system, where users are added manually. Our actual requirement is: if any contractor access is added manually in AD, the system should detect it and immediately revoke that access.
Keeping your requirement in mind, you can achieve this as follows:
Enable native change detection for AD accounts,
then implement a workflow with the flow below:
1. Trigger → Native Change Account Updated
2. Operator →
   - Check if the triggered Identity's employeeType is contractor
   - If there is no employeeType data for the Identity, check if the trigger account's OU contains the Contractors OU
3. Manage Access → Revoke Access Items that are part of the native change update
Hope this helps !
Thanks
Sid
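The decision logic of the workflow above, modelled in Python as an added example (this is not SailPoint's code or its workflow API). The event payload shape (`identity`, `previous`, `current`, `memberOf`), the attribute name `employeeType`, and the contractor OU distinguished name are constructed assumptions so the example runs offline. It goes slightly beyond the post in one respect: AD distinguished names are compared case-insensitively and with whitespace trimmed, so a group that only differs in DN casing is not mistaken for a newly added one.

```python
# Added example: the contractor check and revoke set of the workflow above.
# Not SailPoint's code or API; the event shape, attribute names and the
# OU distinguished name are constructed assumptions for illustration.

CONTRACTORS_OU = "OU=Contractors,DC=example,DC=com"  # assumed DN of the contractor OU


def normalize_dn(dn):
    """Normalize an LDAP DN for comparison: split on unescaped commas,
    trim whitespace around each RDN and lower-case it (AD DNs are
    case-insensitive)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip().lower())
    return parts


def dn_in_ou(account_dn, ou_dn):
    """True if account_dn sits under ou_dn: the OU's RDNs are a suffix of
    the account's RDNs and the account is strictly below the OU."""
    acct = normalize_dn(account_dn)
    ou = normalize_dn(ou_dn)
    return len(acct) > len(ou) and acct[-len(ou):] == ou


def is_contractor(identity_attributes, account_dn, contractors_ou=CONTRACTORS_OU):
    """Step 2 of the workflow: prefer the identity's employeeType; when it
    is absent or empty, fall back to the account's OU."""
    employee_type = (identity_attributes.get("employeeType") or "").strip().lower()
    if employee_type:
        return employee_type == "contractor"
    return dn_in_ou(account_dn, contractors_ou)


def groups_added_by_native_change(event):
    """Group DNs present after the change but not before, ignoring DN
    case and spacing differences."""
    before = {tuple(normalize_dn(g)) for g in event["previous"].get("memberOf", [])}
    added = []
    for group in event["current"].get("memberOf", []):
        if tuple(normalize_dn(group)) not in before:
            added.append(group)
    return added


def access_items_to_revoke(event):
    """Step 3: the access items to revoke, or an empty list when the
    identity is not a contractor and the workflow should do nothing."""
    if not is_contractor(event["identity"], event["current"]["distinguishedName"]):
        return []
    return groups_added_by_native_change(event)


# Constructed sample event: a contractor account (no HR employeeType
# recorded) that gained a group membership outside of role provisioning.
SAMPLE_EVENT = {
    "identity": {"name": "jdoe", "employeeType": ""},
    "previous": {
        "distinguishedName": "CN=jdoe,OU=Contractors,DC=example,DC=com",
        "memberOf": ["CN=Contractor-Baseline,OU=Groups,DC=example,DC=com"],
    },
    "current": {
        "distinguishedName": "CN=jdoe,OU=Contractors,DC=example,DC=com",
        "memberOf": [
            "cn=contractor-baseline,ou=groups,dc=example,dc=com",  # same group, different case
            "CN=Finance-ReadWrite,OU=Groups,DC=example,DC=com",     # added manually in AD
        ],
    },
}

if __name__ == "__main__":
    for group in access_items_to_revoke(SAMPLE_EVENT):
        print("revoke:", group)
```

The employeeType check runs first because HR data is the authoritative signal; the OU fallback only fills the gap when the identity carries no type at all, matching the order of the two operator conditions in the post.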
Thanks for your reply. Let me check and get back to you if I have any questions.
