I’m currently tasked with optimizing some of our processes. I’m only a couple of months out from an official SailPoint Professional certification so everything is still a bit/lot new - so apologies if something would typically be obvious to a more seasoned admin.
Anyways, to get to the point, we have a form for creating service accounts. One of the requirements of service accounts in our enterprise is that in Active Directory, they cannot change their password, and their password never expires (it’s handled by another product). I’ve broken down the flow and these values are set by an after create rule which runs some powershell commands to get this done. We’re actually having a bit of trouble with the rule executing consistently, so I was asked if we can move the function of the rule into the workflow that actually does the initial provisioning. I’ve tried a few different things, but in AD, PasswordNeverExpires and CannotChangePassword are either true or false - boolean. I’ve tried including both boolean and string values in the workflow, but the provisioning engine fails to set these attributes. With all of that, my question is simple - is it possible to set boolean values from the workflow/provisioning plan, or is that after create rule necessary for what we’re trying to achieve?
Certainly, during the account creation process, you should have the capability to set the “password never expires” option by configuring the “userAccountControl” value to 65536.
That was a great suggestion! It worked very well for setting “password never expires”. It still leaves us with “cannot change password” which, after some research, it looks like that can’t be modified by userAccountControl.
But at least this is half of the problem solved! Thanks!
For the other part of the problem, you can leverage the after create connector rule which can then trigger a powershell command to set this flag. Set-ADUser -Identity -PasswordNeverExpires $true
You need to create Service Accounts in AD and obviously it should have PasswordNeverExpires and CannotChangePassword (subject to your requirements).
How you are creating service accounts, manage access request ? Then I guess you are correlating all Service accounts to a single identity.
Alternatively, you can use Quicklink as well.
Provisioning part,
You can have all attributes in your Provisioning Policy form and you can choose field type as Boolean in Provisioning form, it should work.
If any problem here, then we need to depend on executing PowerShell scripts. You can run the respective commands in After Create PowerShell script, it does work properly. In case if any consistency issues, we should fix that.
If you choose Workflow then you can use RPC service to execute PowerShell scripts, but RPC is heavy coding.
So to summarize, you have 2 provisioning options.
All attributes in Provisioning policy form (Easy work, if everything goes as expected)
Some attributes in Provisioning policy form, remaining as PowerShell commands. if you choose this, then you have
a. Native Rules
b. Workflow - RPC service
Native Rules is better than RPC. But both works, I have used them to create different types of mailboxes (User mailbox, Shared Mailbox, DL).
