Hi, I want to send the mail to the line manager with user creds (AD username/password) 30 days before the person is going to be onboarded in ISC. The authoritative source is Workday, and on top of that I need to send the same email in the "Rehire" scenario also. Right now I have made the 4 states prehire, Active, Rehire and Terminated by transforms. Can you please help with the best possible way to make this happen?
- Workflows: use the Identity Attributes Modified trigger, and have a filter for when the user's LCS changes and the new value is either Prehire or Rehire
- Schedule a script (Python/PowerShell) in IQ Service if you don't have workflows
- You can send password using AD Native Rule (Connector After Create), this is the best way.
The question is about your password implementation, is it
- Dynamic Known Password
- Static Password
- Dynamic Unknown Password
- Password Reset
– Krish
Workflow is the best tool to use in this scenario. You may experience issues with triggering the workflow based on your 30 day requirement, as I assume you will only want to send the email once. Triggering the workflow to act on change of cloudlifecyclestate to prehire and perhaps rehire may work better.
Hi @Amol_B_Chaudhari
Ideally, 30 days before the hire date, users should transition to the Prehire status in the Lifecycle State. To facilitate onboarding, assign a basic birthright role to automatically trigger provisioning, which will create the user's AD account in the Prehire state. Implement an "after-create" rule to enforce a force password set, setting a temporary password, and send an email to the user's manager with the credentials.
For rehires, the process will generally follow the same Prehire transition path, as the hire date will still be in the future. Typically, the user will transition from Terminated to Prehire in this case, and their AD account will be re-enabled (I guess). Configure an "after-modify" rule to trigger the same password set script and send an email with the new credentials to the manager.
Hi,
Thanks for the suggestion. The password should be dynamic. Can you please point to any example where the AD native sends the password via email?
In case of a normal modify operation, this rule will be applicable. If any ACTIVE person is going to send the access request, the password can be reset for no reason in this case. Please correct me if I am wrong. However, we can handle it on the lifecycle state of an identity.
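You can check in the rule if it is an enable/disable operation.

```powershell
# $xmlReader must already be defined earlier in the rule.
$requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
$RequestOperation = $requestObject.Operation
# Branch on the operation carried by the account request.
if ($RequestOperation -eq "Disable") {
    # Handle the Disable operation here.
}
```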
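One way to gate the credential step discussed in the replies above, as an added example that is not code from the thread or from SailPoint: the password is set and mailed only for Create and Enable requests, so an ordinary Modify raised by an access request never resets it. The function names, the sample requests, the mail addresses and the SMTP host are assumptions, and the AD and mail calls are left as comments so the block runs offline.

```powershell
# Added example; function names and sample values are hypothetical.
function Test-ShouldIssueCredential {
    param([string]$Operation)
    # Create = new prehire account, Enable = rehire re-enable (assumed mapping).
    # Modify, Disable and anything else must leave the password alone.
    return $Operation -in @('Create', 'Enable')
}

function New-TemporaryPassword {
    param([int]$Length = 16)
    # 64 symbols, so a random byte maps onto the alphabet without modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Retry until upper case, lower case and a digit are all present.
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    return $pw
}

# Constructed sample requests; in a rule the operation is $requestObject.Operation.
$samples = @(
    @{ Operation = 'Create'; Sam = 'jdoe';   Manager = 'manager1@example.com' },
    @{ Operation = 'Modify'; Sam = 'asmith'; Manager = 'manager2@example.com' },
    @{ Operation = 'Enable'; Sam = 'rlee';   Manager = 'manager3@example.com' }
)

foreach ($r in $samples) {
    if (-not (Test-ShouldIssueCredential -Operation $r.Operation)) {
        Write-Output "$($r.Operation) for $($r.Sam): password left untouched"
        continue
    }
    $temp = New-TemporaryPassword
    # In the real rule (ActiveDirectory module on the IQService host):
    # $secure = ConvertTo-SecureString $temp -AsPlainText -Force
    # Set-ADAccountPassword -Identity $r.Sam -Reset -NewPassword $secure
    # Set-ADUser -Identity $r.Sam -ChangePasswordAtLogon $true  # mailed value is single use
    # Send-MailMessage -To $r.Manager -From 'iam@example.com' -SmtpServer 'smtp.example.com' `
    #     -Subject "Temporary credentials for $($r.Sam)" -Body "Temporary password: $temp"
    Write-Output "$($r.Operation) for $($r.Sam): temporary password set, mail queued for $($r.Manager)"
}
```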