Orphan account in Active Directory

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

What’s the best way to generate a report of all the users who belong to OU = Elevated and are orphans in SailPoint? Please suggest a way to do this. Also, please let me know if there is a ready-made report already available.

Hi @charan18,
You can achieve that in several ways, but the simple one (without code) is:

Create an Identity attribute for the distinguishedName and make it searchable.

Then create a search (which you can save as a population or report) with the following criteria:

  1. Application is equal Active Directory (whatever the name of your app)
  2. Application is not equal your authoritative source/s (if you have more than one you can add them all).
  3. distinguishedName is like (anywhere) - the name of your OU or a small part of the OU distinguishedName.

All of them combined with the AND operator.

Let us know how it went or if you need another solution ;).

Regards,
Muhammad

You can execute an SQL query something like the one below to get the data.

    -- MySQL syntax: ExtractValue() reads the OU out of the serialized Link attributes XML.
    -- Replace <APP ID> with the id of your Active Directory application (spt_application.id).
    select
      spt_identity.email AS "iga email"
    , spt_identity.name AS "iga name"
    , spt_link.native_identity AS "AD"
    , ExtractValue(spt_link.attributes, '/Attributes/Map/entry[@key="ou"]/@value') AS "User OU"
    from identityiq.spt_identity, identityiq.spt_link
    where spt_link.application = '<APP ID>'
      and spt_identity.correlated = false
      and spt_identity.id = spt_link.identity_id


You can also write a custom task, but again it will take a lot of time to execute depending on the number of accounts you have in AD, as it needs to loop through each account and check the OU.

@charan18

What is the native identity of your AD application? Are you using the distinguishedName itself? If that’s the case, the simplest solution would be a minor modification to the OOTB Uncorrelated Accounts Report.

Just create a copy of the Task Definition - Uncorrelated Accounts Report
and the Form - Uncorrelated Accounts Report Form.

Now, in the cloned Form and Task Definition, add the below.

Form

    <Field displayName="Sub String of Native Identity" helpKey="Sub String of Native Identity" name="nativeIdentitySubString" type="String" value="ref:nativeIdentitySubString"/>

Task Definition Data Source Query Parameters

    <Parameter argument="nativeIdentitySubString" property="nativeIdentity">
      <QueryScript>
        <Source>
          import sailpoint.object.Filter;
          import sailpoint.object.Filter.MatchMode;
          import sailpoint.tools.Util;

          // Only add the filter when the user actually supplied a sub-string
          if (Util.getString((String) value) != null) {
            queryOptions.addFilter(Filter.like("nativeIdentity", value.toString(), Filter.MatchMode.ANYWHERE));
          }
          return queryOptions;
        </Source>
      </QueryScript>
    </Parameter>

And add the below to the Task Definition Arguments:

      <Argument name="nativeIdentitySubString" type="String"/>

Now you can run the report by selecting the application you want and giving the sub-string as OU=Elevated.

This new report definition can be used for any application and native identity sub-string in the future.

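The "custom task" approach mentioned earlier (loop over each account and check its OU) and the "like anywhere" sub-string filter used by the cloned report above, shown together as an added Python example. This is not code from the thread or from SailPoint: the `Link` dataclass is a stand-in for the IIQ Link object, and all sample accounts are constructed. It parses the distinguishedName into RDNs rather than doing a plain substring match, so an OU such as "Elevated Service" or an escaped comma in a CN does not produce a false hit; the `naive_substring_hits` function shows what the plain `like anywhere` filter would have returned for comparison.

```python
"""
Added example (not from the original thread): the "custom task" idea in pure
Python over constructed sample data, so it can be tried offline.

It mimics a loop over IdentityIQ Link objects: keep only uncorrelated AD
accounts, parse the account's distinguishedName into RDNs, and report the
ones that sit directly under the Elevated OU.
"""
from dataclasses import dataclass


@dataclass
class Link:
    """Minimal stand-in for an IIQ Link (constructed; not the real class)."""
    application: str
    native_identity: str   # the account DN, as assumed in the thread
    identity_name: str
    correlated: bool


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDN pairs.

    Handles backslash-escaped characters (RFC 4514 style), so
    'CN=Doe\\, John,OU=Elevated,DC=corp,DC=example' yields 4 RDNs, not 5.
    Multi-valued RDNs (a=b+c=d) are not split; they are rare in AD DNs.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was a backslash: take literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def in_ou(dn: str, ou_name: str) -> bool:
    """True if any OU RDN of the DN equals ou_name (case-insensitive, as AD is)."""
    return any(attr == "ou" and value.lower() == ou_name.lower()
               for attr, value in split_dn(dn))


def orphan_accounts_in_ou(links, app_name: str, ou_name: str):
    """(identity name, DN) for uncorrelated accounts of app_name inside ou_name."""
    return [
        (l.identity_name, l.native_identity)
        for l in links
        if l.application == app_name and not l.correlated
        and in_ou(l.native_identity, ou_name)
    ]


def naive_substring_hits(links, app_name: str, needle: str):
    """What a plain 'like anywhere' filter on nativeIdentity would return."""
    return [
        l.identity_name for l in links
        if l.application == app_name and not l.correlated
        and needle.lower() in l.native_identity.lower()
    ]


# Constructed sample data: not taken from any real directory.
SAMPLE_LINKS = [
    Link("Active Directory", "CN=Alice Adams,OU=Elevated,DC=corp,DC=example", "alice.adams", True),
    Link("Active Directory", "CN=svc-backup,OU=Elevated,DC=corp,DC=example", "svc-backup", False),
    Link("Active Directory", "CN=Doe\\, John,OU=Elevated,OU=Admins,DC=corp,DC=example", "Doe, John", False),
    Link("Active Directory", "CN=t-bob,OU=Elevated Service,DC=corp,DC=example", "t-bob", False),
    Link("Active Directory", "CN=carol,OU=Staff,DC=corp,DC=example", "carol", False),
    Link("HR System", "E1001", "dave", False),
]

if __name__ == "__main__":
    for name, dn in orphan_accounts_in_ou(SAMPLE_LINKS, "Active Directory", "Elevated"):
        print(f"{name:<12} {dn}")
    print("plain sub-string filter would return:",
          naive_substring_hits(SAMPLE_LINKS, "Active Directory", "OU=Elevated"))
```

Running it lists `svc-backup` and `Doe, John` as orphans under OU=Elevated, while the sub-string filter additionally returns `t-bob`, whose account lives in "OU=Elevated Service". If your OU names are unambiguous the report's sub-string filter is enough; otherwise a query on the parsed DN, as here, avoids over-reporting.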
