Retain Active Directory access for specific period in days

Hello ISC members

Greetings!

Current process:

  1. We are sending reminders to the manager before the termination date of the users.
  2. Along with the reminder we are also raising a ServiceNow ticket if the manager wants to retain the mailbox for a specific period like 30/60/90 days.
  3. If the manager selects a retention period (like 30 days) from the termination date, a manual LCS is set for 30 days and the AD account remains active.
  4. After 30 days, the LCS is changed from manual to automated LCS by the SailPoint admin.

Requirement:

  1. When the manager updates the ticket, the retention days should automatically be updated in an identity attribute.
  2. On the termination date, the AD account should not be disabled and the manual LCS should be set automatically.
  3. After 30/60/90 days (as set by the manager) the AD account should be disabled and the LCS should be changed from manual LCS to automated LCS (this must be automated).

Note: The LCS calculation transform currently sets the automated values. The manual LCS is set by the SailPoint admin when we have such a requirement to retain AD access for a specified period of time.

Please help me achieve this requirement.

Thanks for reading this long post.

Hi @manan7108, I think you may be able to accomplish your goal with the high-level steps below:

  1. This should be partially on you and partially on the SNOW team to modify the flow of the SNOW ticket.
    1. Create a small workflow that has a parameter for the number of days and uses that to update the identity attribute. Have the SNOW team update their ticket to make a REST call to ISC that executes that workflow and passes the value selected by the manager. I'll refer to the identity attribute as extendedTerminationDate.
  2. On your identity profile create a new lifecycle state like "pre-term" or "term-ad-active", or use the "manual" lifecycle state if it is set up the way you want. The LCS calculation transform can be modified to set this state automatically if, for instance, the termination date has passed and the user has a value of 30 days in extendedTerminationDate. A cleaner way may be to use the workflow above to calculate the termination date + 30 days and set that as a new date in this field instead.
  3. Update the LCS workflow to check whether an identity is in the manual or new termination lifecycle state and the extendedTerminationDate attribute date is in the past; if so, it moves them to the full termination lifecycle state and the AD account is disabled.
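As an added worked example (not code from either post, and not SailPoint's own transform or API), here is the state calculation behind steps 2 and 3 of the answer written in plain Python, so the edge cases can be checked before it is rebuilt as an ISC transform or workflow. It follows the "cleaner way" from step 2: the manager's 30/60/90 choice is converted once into a fixed end date anchored to the termination date, and the daily evaluation compares today against that date. The attribute name extendedTerminationDate comes from the answer; terminationDate, the state names, the allowed retention choices and the sample identities are assumptions constructed for the example. Note the fail-closed behaviour: an empty or malformed extension date is treated as "no extension", so a bad value can never leave an AD account enabled.

```python
# Added example, not code from the thread or from SailPoint. Models the
# lifecycle-state (LCS) calculation described in the answer so its edge cases
# can be tested before it is built as an ISC transform/workflow.
# Assumed attribute names: terminationDate, extendedTerminationDate.
# Assumed state names: active, term-ad-active, terminated.
from datetime import date, datetime, timedelta

ALLOWED_RETENTION_DAYS = (30, 60, 90)   # the choices the manager is offered

ACTIVE = "active"                       # before the termination date
TERM_AD_ACTIVE = "term-ad-active"       # terminated, but AD access retained
TERMINATED = "terminated"               # AD disabled, back on the automated LCS


def parse_iso_date(value):
    """Parse an ISO-8601 date or datetime string as stored on an identity.

    Returns None for empty or unparsable values so callers can fail closed
    (a garbage extension date must not keep an account enabled)."""
    if isinstance(value, date):
        return value
    if not value:
        return None
    try:
        return datetime.fromisoformat(str(value).replace("Z", "+00:00")).date()
    except ValueError:
        return None


def extended_termination_date(termination_date, retention_days):
    """Turn the manager's choice (30/60/90) into a fixed end date.

    Storing the date rather than the number of days anchors the window to the
    termination date, so re-running the workflow or editing the attribute
    later cannot silently extend access."""
    if retention_days is None:
        return None
    term = parse_iso_date(termination_date)
    if term is None:
        raise ValueError("cannot extend an identity without a termination date")
    days = int(retention_days)
    if days not in ALLOWED_RETENTION_DAYS:
        raise ValueError(f"retention of {days} days is not an offered option")
    return term + timedelta(days=days)


def calculate_lcs(today, termination_date, extended_date=None):
    """Derive the lifecycle state for one identity.

    - before the termination date: active
    - termination date reached and extended date still in the future: term-ad-active
    - anything else (no extension, extension expired, unparsable date): terminated
    """
    if termination_date is None or today < termination_date:
        return ACTIVE
    if extended_date is not None and today < extended_date:
        return TERM_AD_ACTIVE
    return TERMINATED


def evaluate_identity(identity, today):
    """Return (lcs, disable_ad) for one identity record as a daily job would."""
    term = parse_iso_date(identity.get("terminationDate"))
    ext = parse_iso_date(identity.get("extendedTerminationDate"))
    lcs = calculate_lcs(today, term, ext)
    return lcs, lcs == TERMINATED


# Constructed sample identities for the example (not real data).
SAMPLE_IDENTITIES = [
    {"name": "alice", "terminationDate": "2024-06-01", "extendedTerminationDate": "2024-07-01"},
    {"name": "bob",   "terminationDate": "2024-06-01", "extendedTerminationDate": None},
    {"name": "carol", "terminationDate": "2024-06-01", "extendedTerminationDate": "not-a-date"},
    {"name": "dave",  "terminationDate": "2024-12-31", "extendedTerminationDate": None},
]


def run_daily_evaluation(today, identities=SAMPLE_IDENTITIES):
    """Evaluate every identity for a given day; returns {name: (lcs, disable_ad)}."""
    today = parse_iso_date(today)
    return {i["name"]: evaluate_identity(i, today) for i in identities}


if __name__ == "__main__":
    print("alice's extension ends:", extended_termination_date("2024-06-01", 30))
    for day in ("2024-05-31", "2024-06-15", "2024-07-01"):
        print(day, run_daily_evaluation(day))
```

Running the block walks the sample identities through three days: before termination everyone is active; on 2024-06-15 alice is in term-ad-active while bob (no extension) and carol (malformed extension date) are already terminated with AD disable flagged; on 2024-07-01 alice's window has ended and she is terminated too. When porting this to ISC, the same three-way comparison is what the LCS calculation transform needs, and the "extension expired" branch is what step 3's workflow acts on.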