Provisioning Plan update

Hi,

Using a Before Provisioning Rule, can we update the Provisioning Plan to create, update, and delete AD groups?

Thanks.

Hi @nikhleshsdg.

Not available in ISC, only in IdentityIQ.

You can however use PowerShell to do this - i.e. call the BeforeCreationRule.

Kind Regards,

Yes, I was looking at the Before Modify rule to call a PowerShell script. But I thought that since it's present in IIQ, then maybe we can do it in ISC, as the backend tech or provisioning engine for ISC and IIQ are the same.
@kyle1 Do you know of any other ways to call a PowerShell script through ISC? Thanks.

Hi @nikhleshsdg ,

Other than Before Modify rule, you can use -

  1. After Create/Modify Rule.
  2. HTTP request through workflows; you can find the link to that thread here - Invoke Powershell script.

@poornasai for Option 1 - Yes, we can explore the different connector rules.
Option 2 - Yes, this is the plan, but I was just thinking we could call the PowerShell script through ISC rather than from outside of ISC.

Hi @nikhleshsdg,

Not actually explored that - Might be worth looking at the ProvisioningPlan used to manage AD Groups directly from IdentityIQ.

Since PowerShell relies heavily on the Windows APIs to execute commands (and communicate with AD), I don’t think this method is going to work. Also, there are a few disadvantages to it, such as SailPoint not supporting this customization, the risk of it breaking with new releases, not being able to import AD packages, etc.

Personally I think you should stick within the recommended framework of running the script on the server itself.

Hi @nikhleshsdg,

Yes, you can use it. Just have a look at the sample below. Let us know if you face any issues.

Thanks

Hi @ashutosh08,

I looked at this link but they have not mentioned anything about creating groups. Do you have any sample code snippet for Group management?

Thanks.

Hey Nikhlesh,

You can have the solutioning done via BFR by adding your use-case-specific arguments to the plan and using these arguments to leverage the after/before create rule and invoke operations for AD group management (CRUD).

Thanks,
Aman

Hi @amansingh,

To leverage the after/before create rule, I am not sure which trigger (on Accounts) can be used to manage AD groups (CRUD) at run time.

Thanks.

So @nikhleshsdg,

I will give you an example of one scenario that I have worked on previously.

Create Group:

  • The Before Prov Rule captures the operation as being of type Create and adds an argument to the plan, let's say a key<->value pair such as (“newGrpCreate”, “someThingSamaccountNameSomething”).
  • In the After Rule, capture the plan, take this custom argument, and invoke a PSScript. Within the PSScript, perform the AD group creation and voilà, use case achieved.

Hope this gives you a general idea what I am proposing as a possible solution.

Thanks,
Aman
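
The group-creation step of the approach described above, as an added example that is not part of the original thread and is not SailPoint's code. It assumes the value of the `newGrpCreate` plan argument has already been read from the After Rule's request and is passed in as a string (that extraction is not shown); the naming prefix, name pattern and OU are placeholders.

```powershell
#Requires -Modules ActiveDirectory

# Assumptions (not from the thread): local naming policy and target OU are placeholders.
$AllowedPrefix = 'APP-'                                  # hypothetical naming convention
$TargetOU      = 'OU=ManagedGroups,DC=example,DC=com'    # placeholder OU
$NamePattern   = '^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$'     # allowlist, stricter than AD itself

function Test-GroupName {
    param([string]$Name)
    # The value originates in the provisioning plan, so treat it as untrusted input:
    # allow only expected characters and only names inside the agreed prefix.
    return ($Name -match $NamePattern) -and
           $Name.StartsWith($AllowedPrefix, [StringComparison]::OrdinalIgnoreCase)
}

function New-ManagedAdGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    if (-not (Test-GroupName -Name $SamAccountName)) {
        throw "Rejected group name from plan argument: '$SamAccountName'"
    }

    # Safe to interpolate into the filter only because the allowlist excludes quotes.
    $existing = Get-ADGroup -Filter "sAMAccountName -eq '$SamAccountName'" -ErrorAction Stop
    if ($existing) {
        # Idempotent: a retried provisioning request must not fail or duplicate.
        Write-Output "Group '$SamAccountName' already exists: $($existing.DistinguishedName)"
        return
    }

    if ($PSCmdlet.ShouldProcess("$SamAccountName in $TargetOU", 'Create AD security group')) {
        New-ADGroup -Name $SamAccountName -SamAccountName $SamAccountName `
            -GroupCategory Security -GroupScope Global -Path $TargetOU `
            -Description 'Created by provisioning after-script' -ErrorAction Stop
        Write-Output "Created group '$SamAccountName'"
    }
}

# Constructed sample values: only the first passes validation.
'APP-Finance-RO', "APP-o'brien", 'HR-Admins' |
    ForEach-Object { '{0,-16} {1}' -f $_, (Test-GroupName -Name $_) }

# Dry run with a constructed name; remove -WhatIf to create the group.
New-ManagedAdGroup -SamAccountName 'APP-Finance-RO' -WhatIf
```

Run the script under a service account that is delegated only the right to create group objects in the target OU, so a bad plan argument cannot affect groups elsewhere in the directory.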
