Provisioning Plan for AD extensionattribute5

Our client environment is using extensionAttribute5 to store the owner of an AD group. We want to change the owner to a user's manager when the user is terminated.

Is this achievable through code? If yes, can someone please provide a code snippet for the same?

Thanks in advance

@rishavghoshacc -

Yes, it is achievable through code using a GroupRefresh Rule in SailPoint IdentityIQ. You can write a BeanShell script that updates the owner of an Active Directory (AD) group to a user’s manager when the current owner is terminated.

Here’s a sample code snippet -

import sailpoint.object.Identity;
import sailpoint.object.AccountGroup; // ManagedAttribute in newer IIQ versions; accountGroup is supplied by the rule
import sailpoint.api.SailPointContext;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

try {
    // extensionAttribute5 holds the owner's IIQ identity name
    String ownerId = (String) accountGroup.getAttribute("extensionAttribute5");
    if (!Util.isNullOrEmpty(ownerId)) {
        // Get the Identity object of the owner
        Identity owner = context.getObjectByName(Identity.class, ownerId);

        if (owner != null) {
            // Check if the owner is terminated
            String status = (String) owner.getAttribute("status"); // Adjust attribute name if different

            if ("Terminated".equalsIgnoreCase(status)) {
                // Get the manager of the terminated owner
                Identity manager = owner.getManager();

                if (manager != null) {
                    String managerId = manager.getName(); // Or manager.getId(), depending on what extensionAttribute5 stores

                    // Update the group's owner to the manager's ID
                    accountGroup.setAttribute("extensionAttribute5", managerId);

                    // Optionally, log the update for auditing
                    log.debug("Updated group '" + accountGroup.getDisplayName() + "' owner to manager '" + managerId + "'.");
                } else {
                    log.warn("Owner '" + ownerId + "' is terminated but has no manager to assign as new owner.");
                }
            }
        } else {
            log.warn("Owner identity '" + ownerId + "' not found in IdentityIQ.");
        }
    }
} catch (Exception e) {
    log.error("Error updating group owner: ", e);
}

Thank you!


Hi @officialamitguptaa,

We also want to change the owner in the target app (AD). We want to provision extensionattribute5 on the target AD.

@rishavghoshacc -

The best way to handle this use case would be using a Lifecycle Identity Attribute Change Event.

You can create a Lifecycle event so that when the status of the user is changed to terminated and the user is an owner of any AD group, it calls a workflow.

In the workflow, you can handle the logic for updating the group owner and provisioning the same to the target system.

Hope you get the point.
Thank you!

Hi @officialamitguptaa,

When trying to provision the extensionattribute5 to AD, won't the provisioning plan need an identity to be set as the nativeidentity in the plan?
If so, it would not be possible, as this extensionattribute5 is only for a group object in AD.

@rishavghoshacc -

You need to perform the Modify operation on the group. Here you will use the group object's native identity, not the account object's.

Generally, the distinguishedName of the group is the native identity for the group object.
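As an added illustration of that group Modify request (not code from this thread or from SailPoint), here is a BeanShell-style fragment for an IdentityIQ workflow step. Assumed: the AD application is named "Active Directory", the group DN and the terminated owner's Identity are supplied to the step, extensionAttribute5 holds the IIQ identity name as in the refresh rule above, and the ObjectRequest/Provisioner calls match your IdentityIQ version (verify against its API docs).

```java
import sailpoint.api.Provisioner;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningPlan.ObjectRequest;

// Placeholder inputs (assumed to be passed as workflow step arguments).
String appName = "Active Directory";
String groupDn = "CN=App-Admins,OU=Groups,DC=example,DC=com"; // group's native identity
Identity terminatedOwner = context.getObjectByName(Identity.class, ownerName);

Identity manager = (terminatedOwner != null) ? terminatedOwner.getManager() : null;
if (manager == null) {
    // Leaving the stale owner in place is the safe default; surface it for follow-up.
    log.warn("No manager found for owner '" + ownerName + "'; group " + groupDn + " left unchanged.");
    return null;
}

ProvisioningPlan plan = new ProvisioningPlan();
// No identity is set on the plan: a group change is an ObjectRequest,
// keyed by the group's distinguishedName rather than an account.
ObjectRequest groupReq = new ObjectRequest();
groupReq.setApplication(appName);
groupReq.setType("group");
groupReq.setNativeIdentity(groupDn);
groupReq.setOp(ObjectOperation.Modify);
// Set replaces the attribute value; Add would be for multi-valued attributes.
groupReq.add(new AttributeRequest("extensionAttribute5",
        ProvisioningPlan.Operation.Set, manager.getName()));
plan.addObjectRequest(groupReq);

// compile() resolves the request against the AD connector; execute() sends it.
Provisioner provisioner = new Provisioner(context);
provisioner.compile(plan);
provisioner.execute();
log.info("Requested owner change on " + groupDn + " to '" + manager.getName() + "'.");
return plan;
```

Keep the AD update and the IIQ-side ManagedAttribute update in the same workflow so the two never disagree about who owns the group.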

Hi @rishavghoshacc, in addition to what @officialamitguptaa mentioned, especially about having a separate LCE for this case: you can also make the same happen in the leaver workflow itself; however, it will be slower than segregating it into another LCE.

Have a nice and great one!

Regards,
Muhammad
