RBAC Deprovisioning Grace Period

Hello All,

We have implemented the RBAC Deprovisioning Grace Period use case using a couple of transforms and an identity attribute. For example, we are using the “departmentChangedDate” identity attribute to store the date when the department is changed for the first time.
First Transform Logic:

{
    "name": "Department Changed Date",
    "type": "static",
    "attributes": {
        "Dept": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "values": [
                                {
                                    "attributes": {
                                        "attributeName": "COST_CENTER_REFERENCE_ID",
                                        "sourceName": "HR Application"
                                    },
                                    "type": "accountAttribute"
                                },
                                {
                                    "attributes": {
                                        "value": ""
                                    },
                                    "type": "static"
                                }
                            ],
                            "ignoreErrors": "true"
                        },
                        "type": "firstValid"
                    },
                    {
                        "attributes": {
                            "value": " "
                        },
                        "type": "static"
                    },
                    {
                        "attributes": {
                            "values": [
                                {
                                    "attributes": {
                                        "attributeName": "DEPARTMENT",
                                        "sourceName": "HR Application"
                                    },
                                    "type": "accountAttribute"
                                },
                                {
                                    "attributes": {
                                        "value": ""
                                    },
                                    "type": "static"
                                }
                            ],
                            "ignoreErrors": "true"
                        },
                        "type": "firstValid"
                    }
                ]
            },
            "type": "concat"
        },
        "PrevDept": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "name": "oldDepartment"
                        },
                        "type": "identityAttribute"
                    },
                    "no department"
                ]
            },
            "type": "firstValid"
        },
        "Date": {
            "attributes": {
                "expression": "now",
                "roundUp": false
            },
            "type": "dateMath"
        },
        "value": "#if($PrevDept != $Dept)$Date#{else}9999-01-01T00:00Z#end"
    },
    "internal": false
}

The second attribute is oldDepartment. The transform logic we are using is:

{
    "name": "Old Department",
    "type": "firstValid",
    "attributes": {
        "requiresPeriodicRefresh": true,
        "values": [
            {
                "attributes": {
                    "firstDate": {
                        "attributes": {
                            "expression": "+1w",
                            "input": {
                                "attributes": {
                                    "name": "departmentChangedDate"
                                },
                                "type": "identityAttribute"
                            }
                        },
                        "type": "dateMath"
                    },
                    "secondDate": "now",
                    "operator": "lt",
                    "positiveCondition": {
                        "attributes": {
                            "name": "department"
                        },
                        "type": "identityAttribute"
                    },
                    "negativeCondition": "$oldValue"
                },
                "type": "dateCompare"
            },
            "$oldValue",
            {
                "attributes": {
                    "name": "department"
                },
                "type": "identityAttribute"
            },
            "none"
        ],
        "ignoreErrors": "true"
    },
    "internal": false
}

And we are using the oldDepartment in the Role Membership Criteria to apply the grace period for deprovisioning.

However, the issue we are getting is that every time, the departmentChangedDate is set to the ‘now+1w’ date after the aggregation. How do I stop it from updating to the current date every time we run the aggregation? This is causing the role never to be dropped.

Any advice or guidance is appreciated.

Thanks,
Nischal

Hi @nadhikari_identitynow

There are a few things that might be causing some issues in getting the desired output:

  1. The use of identity attribute transforms to get the values for identity attributes: Please review the documentation here, in the ‘Other Considerations’ section. You should not be using identity attribute transforms when trying to get values for identity attributes in the identity profile. Consider switching most of the direct values out with account attribute transforms, and for values that in turn need transforms, switch them to reference transforms.
  2. You seem to have an infinite loop-like reference between the two transforms: in your first transform, $PrevDept uses oldDepartment, which is an identity attribute that uses your second transform. This second transform references departmentChangedDate, which uses the first transform.

Perhaps revisit the design for this solution and see if addressing the above two pointers resolves your issue.
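To make the feedback loop between the two posted transforms concrete, here is an added simulation (not code from the thread or from SailPoint) that models them as Python functions and runs one aggregation per day over a constructed HR feed. It assumes that each identity-attribute reference sees the value computed in the previous aggregation; the `latch` flag is an assumed alternative that holds the first change date instead of recomputing it, not something proposed in the thread.

```python
from datetime import datetime, timedelta

FAR_FUTURE = datetime(9999, 1, 1)   # the "9999-01-01T00:00Z" sentinel of the first transform
GRACE = timedelta(weeks=1)          # the "+1w" dateMath of the second transform


def department_changed_date(dept, prev_old_dept, prev_changed, now, latch=False):
    """First transform: 'now' when PrevDept != Dept, else the sentinel.
    latch=True (assumed alternative) keeps a date that was already set."""
    prev_dept = prev_old_dept if prev_old_dept is not None else "no department"
    if prev_dept == dept:
        return FAR_FUTURE
    if latch and prev_changed != FAR_FUTURE:
        return prev_changed
    return now


def old_department(dept, prev_changed, prev_old_dept, now):
    """Second transform: adopt the current department once changedDate + 1w < now,
    otherwise keep $oldValue (falling back to the current department on the first run)."""
    if prev_changed + GRACE < now:
        return dept
    return prev_old_dept if prev_old_dept is not None else dept


def simulate(hr_departments, latch=False, start=datetime(2024, 1, 1)):
    """One aggregation per day. Assumption: every identityAttribute reference reads the
    value produced by the previous aggregation, which is what closes the loop."""
    changed, old = FAR_FUTURE, None
    history = []
    for day, dept in enumerate(hr_departments):
        now = start + timedelta(days=day)
        new_changed = department_changed_date(dept, old, changed, now, latch)
        new_old = old_department(dept, changed, old, now)
        changed, old = new_changed, new_old
        history.append({"day": day, "dept": dept, "oldDepartment": old,
                        "changedToday": changed == now})
    return history


def day_role_dropped(history, new_dept):
    """Day on which oldDepartment finally equals the new department, or None if never."""
    for h in history:
        if h["oldDepartment"] == new_dept:
            return h["day"]
    return None


if __name__ == "__main__":
    hr = ["Sales"] * 10 + ["Finance"] * 30   # constructed feed: department changes on day 10
    for latch in (False, True):
        print("latch" if latch else "as posted", day_role_dropped(simulate(hr, latch), "Finance"))
```

With the transforms as posted, PrevDept still differs from Dept on every run during the grace week, so the date is reset to now each day and the "+1w < now" comparison never becomes true; the latched variant drops the old department on day 18.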