PowerShell Script execution after 1 week

Hi,

We have a requirement to run a PowerShell script after 1 week of identity inactivation. How can we achieve this in IDN?

Hi @ashishbhatia
Did you check this document on the Best Practices for OU movement?

Hi @rajeshs, thanks! Yes, I have been through this post earlier, but it isn’t helpful for our requirement. I have updated the question. Please let me know if you have some suggestion.

If you are running this PowerShell script on a Windows machine, you can use the Task Scheduler in Windows to make the script run every day. In your script, you can invoke the search API to find all identities that are inactive with an end date within the last 7 days. The search query would be this string:

attributes.cloudLifecycleState:inactive AND attributes.endDate:[now-7D]

Then, perform the necessary PowerShell functions on each identity that is returned by that query.

Hi @colin_mckibben, thanks for the suggestion. We want to keep IDN as the source of truth. I too thought of the same, but that may violate auditing activities. So the use case is basically that we want to delete the user on day 7 of termination, and the client isn’t looking for any cloud rule executions.

Hi Ashish,
Create an identity attribute and add the transform in such a way that it will resolve to true when attributes.cloudLifecycleState:inactive AND attributes.endDate:[now-7D TO now] is satisfied. You can then call a workflow on the attribute change and invoke the workflow. If you need to keep IDN as the source, then you need to expose your PowerShell script over HTTP and make the call from the workflow as an HTTP request.

Hi @RAKGDS, thanks for the suggestion! I understood what you mentioned, but we don’t have a Workflows license. Do you have any other approach to trigger it?

The best option for you is then to use Event Triggers and do the processing.

Coming from IIQ, I am naive in the IDN world. From what I can see, the event trigger requires an Integration URL, which in our case is not a web-hosted site. Is my understanding correct about triggers?

Sorry for asking questions which may sound dumb to you :grin:

That’s correct. You will need to write a service to consume what action you need to take.

attributes.cloudLifecycleState:inactive AND attributes.endDate:[now-7D TO now] will be true during all 7 days right?

Should it rather not be: create a new LCS named accountDelete and modify the transform for the current LCS to return this accountDelete when the conditions match those of the current inactive state and endDate <= now-7d? This will change the LCS and trigger the Identity Change Workflow.

Another approach would be using the Services Standard IdentityNow BeforeProvisioning Rule (however, this involves changing the cloud rule) with eventAction - ChangeOperation.

Thanks, correct Nithesh. The BeforeProvisioning Rule along with newState should solve the problem, but Ashish is looking at not deploying any Cloud Rule and doing it directly in IDN, which I don’t think will be possible.

@ashishbhatia The simplest way is to deploy the Service Standard Rule given by SailPoint, create a new lifecycle state (calculate your logic and set that state) and, using Change Operation, change the operation to Delete.


Good call. I updated my post to just be now-7D.


Thanks @RAKGDS, I created the LCS and added the logic.
A few questions:

  1. What do you mean by Service Standard Rule? Is it like a ConnectorBeforeModify etc. rule which can be pushed via API?

  2. Since the identity's account in AD is already disabled and we need to delete the account, on the 7th day how and when will the rule execution take place?

Thanks @colin_mckibben
Just a few quick notes:

  1. Should it not be now - 7d instead of now - 7D?
  2. Inside [...] it expects a range. [now - 7d] returns an error.
  3. Say we use created:[now - 7d TO now - 6d]; it returns records where created is BETWEEN the current time 7 days ago and the current time 6 days ago. Is there a way to round it down?

Thanks for any response
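The scheduled-task approach from the earlier reply, written out as an added example (not code from the original thread or from SailPoint): a daily PowerShell job that searches IDN for inactive identities whose endDate fell on exactly one calendar day, seven days ago, and then removes the matching AD account. The range uses Elasticsearch-style date math rounding (`now-7d/d`), which is assumed here to be honoured by IDN search since the thread does not confirm it; the `[a TO b}` form is inclusive of the lower bound and exclusive of the upper, so the query matches one day rather than a seven-day window. The tenant name, client id/secret, the AD source name `Active Directory`, and the assumption that an AD account's `accountId` in search results is its distinguishedName are all placeholders. It runs under `-WhatIf` until you drop that switch.

```powershell
<#
Added example: daily Task Scheduler job for "delete AD account on day 7 after termination".
Not from the original thread. Assumes a v3 personal access token (client id/secret),
an AD source named "Active Directory", and that accountId for AD accounts is the DN.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $Tenant,        # "acme" -> https://acme.api.identitynow.com
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [string] $AdSourceName = "Active Directory",    # assumption: AD source name in IDN
    [int]    $DaysAfterEnd = 7
)

Import-Module ActiveDirectory

$base = "https://$Tenant.api.identitynow.com"

# Client-credentials token for the v3 API
$tokenUri  = "$base/oauth/token?grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret"
$tokenResp = Invoke-RestMethod -Method Post -Uri $tokenUri
$headers   = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# Date math: "/d" rounds down to the start of the day (assumed Elasticsearch semantics).
# "[lower TO upper}" = inclusive lower, exclusive upper, i.e. exactly one calendar day,
# so the job matches each terminated identity once no matter what time it fires.
$lower = "now-${DaysAfterEnd}d/d"
$upper = "now-$($DaysAfterEnd - 1)d/d"
$query = "attributes.cloudLifecycleState:inactive AND attributes.endDate:[$lower TO $upper}"

# Page through search results with searchAfter on a stable sort key
$pageSize    = 250
$searchAfter = @()
$identities  = @()
do {
    $body = @{
        indices     = @('identities')
        query       = @{ query = $query }
        sort        = @('id')
        searchAfter = $searchAfter
    } | ConvertTo-Json -Depth 5
    $page = @(Invoke-RestMethod -Method Post -Uri "$base/v3/search?limit=$pageSize" `
                -Headers $headers -ContentType 'application/json' -Body $body)
    $identities += $page
    if ($page.Count -gt 0) { $searchAfter = @($page[-1].id) }
} while ($page.Count -eq $pageSize)

Write-Host "Found $($identities.Count) identities at day $DaysAfterEnd after their end date"

foreach ($identity in $identities) {
    $adAccounts = @($identity.accounts | Where-Object { $_.source.name -eq $AdSourceName })
    if ($adAccounts.Count -eq 0) {
        Write-Warning "$($identity.name): no $AdSourceName account, skipping"
        continue
    }
    foreach ($acct in $adAccounts) {
        $dn = $acct.accountId    # assumption: AD accountId is the distinguishedName
        # Safety check: the process in the thread disables first; never delete an
        # account IDN still considers enabled, since that points at stale data.
        if (-not $acct.disabled) {
            Write-Warning "$($identity.name): $dn is not disabled in IDN, skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dn, "Remove-ADObject")) {
            Remove-ADObject -Identity $dn -Confirm:$false
            Write-Host "Deleted $dn for $($identity.name)"
        }
    }
}
```

Register the script with Task Scheduler to run once a day under an account that holds delete rights on the relevant OU and nothing more; first runs should use `-WhatIf` so the "What if:" lines can be compared against the expected terminations before any deletion happens.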

Service Standard Rule is a prewritten Cloud rule that executes many commands based on a config object appended to the Application Attributes. I have attached the README file for your reference.
SSI BeforeProvisioning Rule - README.pdf (110.2 KB)

Thanks @iam_nithesh, I will look into it.

  1. Service Standard Rule is the Before Provisioning Rule provided by the SailPoint Services Team, which can be attached to the AD source. Nitesh Rao has shared the PDF. You can raise a SailPoint Support ticket to deploy the code.

  2. So in this case you will move the user from Disabled → DeleteAfter7 (or any meaningful name you give to the state) and transition the user to that state. Once it is transitioned, in the Provisioning tab mark the AD account as Enabled, and in the Before Provisioning rule change that from Enable to Delete. This should work for your case.

Let me know if you need more help on the same.

Thanks
