We are planning to enable the Native Change Detection for Active Directory. Do we have any best practices around it?
Our AD has been integrated with IDN for the past 2 years with JML and other configurations. So I wanted to understand the Do's and Don'ts to avoid any unexpected issue.
Also, is there a possibility to configure native change detection for specific groups rather than all the entitlements, to avoid any kind of overload on the system?
We have implemented native change on a test domain in our sandbox, but we don't have workflow available in production and don't have triggers set up yet. I was hoping that search would be able to filter down to a specific group but wasn't able to get it working.
Enabling Native Change Detection is fairly easy, but it is basically everything for the selected attribute which is changed natively, with no filtering. The problem I'm having is filtering it to just what needs to be audited without Workflow. I'm looking at event triggers to see what we can do with them. I took a look at Workato mentioned by @chirag_patel and like the no-code/low-code.
Here are the various links I’ve found if you don’t already have them:
I have one more requirement where we need to generate a report of the exact native changes that have happened on the account. This is for other types of sources.
Now from search we can query for different operations, a specific source, etc.: name:"Native Change Detected" AND attributes.sourceName.exact:""
What I am looking for is the exact details of the change that has happened, like the exact entitlement change or non-entitlement attribute change. Clicking on the event gives this information, but is there any other way to get that from the search query? I have also tried the API (from developer tools) that pulls the data, but that API is internal to SailPoint so I can't use it. Also, as of now, Event Trigger/Workflow is also not an option.
Your search query is perfect, and there is no internal API being called here for the extra information that is visible in the sidebar on clicking the event record. It's just front-end code.
You can get all the information in the Search API under events: make a search call through Postman and check the response in Postman. The information you are looking for is available under the attributes section. I can see that in my network-tab API call response; I cannot share a screenshot as it would reveal PII data.
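The reply above says the change details are already in the `attributes` section of each event returned by the Search API, and the earlier question asked whether the audit can be narrowed to a specific group. The script below is an added example for this thread, not SailPoint code: it builds the same search query, posts it to the v3 `/search` endpoint, and flattens the per-account change records into report rows, with an optional client-side filter on one group DN (Native Change Detection itself cannot be filtered, so the narrowing happens on the report). The key names inside `attributes.changes` (`attribute`, `operation`, `value`, `oldValue`, `newValue`) and `accountName` are assumptions; compare them against a real response in Postman and rename as needed. The sample events are constructed, not tenant data.

```python
"""Pull 'Native Change Detected' events from the IdentityNow Search API and
flatten the change details into report rows.

Added example for this thread, not SailPoint code.  The shape of
event["attributes"]["changes"] and the "accountName" key are ASSUMPTIONS:
check a real response in Postman and adjust the key names.
"""
import csv
import io
import json
import urllib.request
from typing import Any, Dict, List, Optional

# Real v3 Search endpoint; the tenant name is filled in by the caller.
SEARCH_URL = "https://{tenant}.api.identitynow.com/v3/search"


def build_query(source_name: str) -> str:
    """The query from the thread with the source name filled in."""
    # Escape embedded double quotes so a source name cannot break the query.
    safe = source_name.replace('"', '\\"')
    return f'name:"Native Change Detected" AND attributes.sourceName.exact:"{safe}"'


def search_events(tenant: str, token: str, query: str, limit: int = 250) -> List[Dict[str, Any]]:
    """POST /v3/search against the events index (needs network and a bearer token)."""
    body = {"indices": ["events"], "query": {"query": query}, "sort": ["-created"]}
    req = urllib.request.Request(
        f"{SEARCH_URL.format(tenant=tenant)}?limit={limit}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten_changes(events: List[Dict[str, Any]], group_dn: Optional[str] = None) -> List[Dict[str, str]]:
    """One row per changed attribute; with group_dn, keep only memberOf changes for that DN."""
    wanted = group_dn.lower() if group_dn else None
    rows: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("name") != "Native Change Detected":
            continue  # ignore other event types that a looser query may return
        attrs = ev.get("attributes", {})
        for ch in attrs.get("changes", []):  # ASSUMED key layout, see docstring
            value = ch.get("value") or ch.get("newValue") or ""
            if wanted is not None and (ch.get("attribute") != "memberOf" or value.lower() != wanted):
                continue
            rows.append({
                "created": ev.get("created", ""),
                "source": attrs.get("sourceName", ""),
                "account": attrs.get("accountName", ""),
                "attribute": ch.get("attribute", ""),
                "operation": ch.get("operation", ""),
                "old": ch.get("oldValue", ""),
                "new": value,
            })
    return rows


def report_lines(rows: List[Dict[str, str]]) -> List[str]:
    """CSV lines (no header); DNs contain commas, so let the csv module quote them."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for r in rows:
        writer.writerow([r["created"], r["source"], r["account"], r["attribute"],
                         r["operation"], r["old"], r["new"]])
    return buf.getvalue().splitlines()


# Constructed sample events in the ASSUMED shape; not real tenant data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"name": "Native Change Detected", "created": "2024-01-10T09:15:00Z",
     "attributes": {"sourceName": "Active Directory", "accountName": "jdoe",
                    "changes": [
                        {"attribute": "memberOf", "operation": "Add",
                         "value": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},
                        {"attribute": "title", "operation": "Set",
                         "oldValue": "Analyst", "newValue": "Manager"}]}},
    {"name": "Native Change Detected", "created": "2024-01-10T09:16:00Z",
     "attributes": {"sourceName": "Active Directory", "accountName": "asmith",
                    "changes": [
                        {"attribute": "memberOf", "operation": "Remove",
                         "value": "CN=VPN Users,CN=Users,DC=corp,DC=example"}]}},
    {"name": "Account Aggregation Completed", "created": "2024-01-10T09:20:00Z",
     "attributes": {"sourceName": "Active Directory"}},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in search_events(...) for a live tenant.
    for line in report_lines(flatten_changes(SAMPLE_EVENTS, group_dn="CN=Domain Admins,CN=Users,DC=corp,DC=example")):
        print(line)
```

For a live run, replace `SAMPLE_EVENTS` with `search_events("your-tenant", token, build_query("Active Directory"))`; the Search API pages with `limit`/`offset`, so loop on `offset` if more than one page of events is expected.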
Hello @yunus_merck,
Have you tested the feature?
Indeed, I enabled it in the Sandbox env and it doesn't seem to work. I even selected all the attributes from the source configuration. I tested the attribute update and adding an entitlement from AD. After the aggregation, the account is changed but the workflow is not triggered (I have no filter in the trigger).
Yes, I have tested this feature and it worked as expected. Just to be clear, we do not have workflows, and we only enabled this feature to get the notifications of native change detection.
So as soon as the account changes happen at the target end, post-aggregation, native change detection triggers. From Search, we can capture those events. That's the only requirement we had. Not sure if you have the same requirement.
Note: Always run a full aggregation; Native Change Detection does not work on single-account aggregation.