We want to remove roles assigned via Access Request when the user gets terminated.
The roles has AD groups along with other entitlements. When the user is terminated his/her AD account moves to De-Provisioning OU. Until the AD account aggregation completes IDN cannot see the updated OU.
We initially tried using workflow with identity attribute change (cloudlifecycle) as the trigger and manage access steps to remove the roles. Roles would be removed but IDN is not able to remove the AD groups assigned by the roles because AD account is already moved to de-provisioning OU.
We are looking for a better approach to fix this which is remove the roles and the access assigned by the roles especially the AD groups. We also need the audit of removing groups in IDN.
If anyone has better solution can suggest here. The key thing is AD account need to move to de-provisioning OU, roles need to be removed and AD groups assigned by the roles.
We do not want to hard code the AD group names in BP rule.
Also, what is the action that moves the user to a different OU? If you’re using a ConnectorAfterModify rule to do that, just do the AD group removals in PowerShell. That’s what we do.
This was one of the option but the problem with this is, we need to hard code all the groups that were assigned using roles.
User can have some groups which can stay when the account is terminated. We do not want to hardcode any groups in BP rule.
Is it possible to identify the groups which are assigned by roles via access request and make if future proof without hardcoding group or role or source names?
In your original post you mentioned the below quoted phrase. Were you removing all the ROLEs from the user or just the ones assigned via Request Center?
Thanks for the suggestion.
Yes as I mentioned in my original post we are using workflow to remove Roles which an Identity has during termination. Based on the Roles concept if the role is assigned via access request then they can be removed either by cert or by requesting them to remove via access request again.
For roles assigned via assignment criteria they would get removed automaticaly as the criteria will not match once the identity is terminated.
So, we used workflow to remove roles which are assigned by access request. The groups assigned by these roles has some memberOf (groups) of AD. That we are removing by hard coding the names in beforProv rule. Now we do not want to do this becuase there are lot of groups to be removed and this is not a good way as there is lot of maintenance activity. Hence we are re-evaluating this design and wanted to check if there is a better approach to remove the groups.
Hey Uday,
Did you check the latest update on AD connector ? It does aggregate the user after the OU is moved OOTB.You dont need to run any aggregation now. Do you still get the error in Workflow when you are trying to remove groups as per your initial design ?
The Active Directory connector now instantly returns the Resource Object to IdentityNow on any OU changes done by the AC_New Parent, which can be further utilized to any rule to work with the updated Resource Object data values.
We built something similar for a client. We used the workflow approach you started with:
trigger on lifecyclestate change, then get access, then manage access
You can add a ‘wait’ step between the trigger and get access steps. This will give the account enough time to move to the deprovisioned OU, and your get access step should now return the correct DN for the AD account.
You will have to move the AD account using AC_NewParent (if you’re moving the account via powershell, this won’t work).
We have already took care of OU movement in the rule. Yes we are testing a sample workflow with wait step of 5 mins.
What we are observing during our testing is some of the criteria based Role are not being removed when the criteria is not matching. Looks like a bug we need to deal seperately with SailPoint.