Remove AD groups

Hello experts,

I have a use case with specific requirements; let me explain with further details: when an identity changes its lifecycle state to mover, IDN should automatically remove all the entitlements assigned to the user for each account the user has. For example, if the identity has two accounts, one AD account and one ServiceNow account, IDN should remove all the groups in their memberOf except the Domain Users group, and the same for ServiceNow.

Any idea how I can do this? I guess a beforeProvisioning rule is needed.

Regards,
Beatriz.

Hi,

Yes, you need a before provisioning rule.

Hey @Beatriz ,

Let's assume that your provisioning happens through RBAC and you have a criterion defined which says “cloudLifecyclestate = active”; only then is the access provisioned. Now, when a lifecycle change is triggered, let's say to the “inactive” state,
IDN will automatically remove the entitlements given through that role because the user will not satisfy the criterion “cloudLifecyclestate != active”.

Next, from what I understood, you want to retain the Domain Users group for AD & ServiceNow. If that’s the case, you need to write a beforeProvisioning rule on both your AD & ServiceNow sources.

Try building the rule logic something like this:

  • Declare the Domain Users group DN in a string variable, let's say “Domain_DN”

  • Iterate through your provisioning plan

  • Get your accountRequest operation and check if it is a Modify/Disable operation. Only then proceed and add the statements below:

AttributeRequest attreq = new AttributeRequest( "memberOf", ProvisioningPlan.Operation.Set, Domain_DN );
accountRequest.add( attreq );

Similarly, for ServiceNow, modify the logic according to your ServiceNow group assignment methodology.

Once the rule is deployed onto the tenant, the source attribute can be patched:

/connectorAttributes/beforeProvisioningRule/"<Rule_Name>"

Hope this helps.
Thanks!

Regards,
Arshad.

1 Like
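A fuller sketch of the AD rule body outlined in the bullets above, written here as an added example; it is not Arshad's code nor SailPoint's. It assumes the IDN BeforeProvisioning rule inputs `plan` and `log`, the `sailpoint.object.ProvisioningPlan` classes, and a placeholder Domain Users DN, and it additionally clears any memberOf requests already present in the account request so that the single Set is the only memberOf instruction the connector receives.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Rule body: IDN injects "plan" (ProvisioningPlan) and "log" into the rule scope.
// Assumption: replace this placeholder with the Domain Users DN of your own domain,
// copied exactly as the AD source reports it in the memberOf entitlement.
String Domain_DN = "CN=Domain Users,CN=Users,DC=example,DC=local";

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acctReq : plan.getAccountRequests()) {
        AccountRequest.Operation op = acctReq.getOperation();
        boolean moverOp = AccountRequest.Operation.Modify.equals(op)
                       || AccountRequest.Operation.Disable.equals(op);
        if (!moverOp) {
            // Create/Delete/Enable requests are left exactly as IDN built them.
            continue;
        }

        // Remove every memberOf Add/Remove/Set already in this request. If an Add
        // were left next to the Set below, the connector would receive two
        // conflicting memberOf instructions in one plan.
        List existing = acctReq.getAttributeRequests("memberOf");
        if (existing != null) {
            for (Object o : new ArrayList(existing)) {
                AttributeRequest old = (AttributeRequest) o;
                log.debug("Dropping memberOf request " + old.getOperation()
                          + " " + old.getValue() + " for " + acctReq.getNativeIdentity());
                acctReq.remove(old);
            }
        }

        // Set memberOf to exactly the Domain Users group: every other group is
        // removed from the account, while the account itself keeps basic access.
        AttributeRequest keepDomainUsers = new AttributeRequest(
                "memberOf", ProvisioningPlan.Operation.Set, Domain_DN);
        acctReq.add(keepDomainUsers);
        log.info("BeforeProvisioning: memberOf reset to Domain Users for "
                 + acctReq.getNativeIdentity() + " (op=" + op + ")");
    }
}
```

The ServiceNow variant follows the same shape but targets that source's group attribute and its default group value instead of memberOf and the Domain Users DN.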