Run the account provisioning in batches

Hi team,

Could you please share some ideas for running the account provisioning in batches, like 50, 100, and then increasing exponentially? We don’t want to push the solution to all the identities together.

Thanks,

Seema

Hi Seema,

Good question — this is something we’ve had to plan carefully as well.

From what I’ve seen, a common approach is to control this outside of provisioning itself by selecting identities in batches. For example, you can use filters (like department, region, or a custom attribute) to target a smaller set of users first, validate the results, and then gradually expand.

Another option is to use a flag or attribute on identities (like “readyForProvisioning”) and update it in phases — first for 50 users, then 100, and so on. This gives you more control over the rollout.

In some cases, people also trigger provisioning via workflows or tasks where they can control the input population in batches.

Just curious — are you planning to do this during an initial rollout or as part of a recurring process?

Thanks!

Hi @seemarani

First of all, it’s a wonderful question. Can I know what the target source is?

You can run the account provisioning in batches if it’s an access request.

  • Get the IDs of the identities that you want to process in batches
  • Use a search query on employeeID/clockID and select ID in the column chooser
  • Then download the report and wrap the ID values in double quotes.
  • Like this "3bg45356fcjahrywy28"
  • Then use the `Submit Access Request` API to request the role that has the entitlement that will be provisioned to the target source.
  • In the body of the request, send the Role ID and Identity ID that you have in the CSV file and send the request for the first 50 users.
  • You can do this in batches, and users will get the accounts on their target source (i.e., AD, Entra, Webservice)

Examples

  1. Search Query to generate report

  2. Concatenate the double quotes on the ID column using the below formula

  3. Go to Postman and paste the Role ID and Identity ID in the Submit Access Request API body and type as ROLE

LMK if this helps.
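The batching steps above, sketched in Python as an added example that is not part of the original post: it reads identity IDs from a report, splits them into ramped batches (50, 100, 200, ...), optionally as a random sample, and builds one request body per chunk. The body field names (`requestedFor`, `requestType`, `requestedItems`) are assumed to match the Submit Access Request API and should be checked against the API documentation; the report contents, the role ID placeholder and the `per_request` chunk size are constructed or assumed values.

```python
import csv
import io
import random

# Constructed sample standing in for the downloaded search report (IDs are made up).
SAMPLE_REPORT = "id,employeeID\n" + "".join(f"id{n:04d},E{n:04d}\n" for n in range(400))

def load_identity_ids(report_csv, column="id"):
    """Read identity IDs from the report, dropping blanks and duplicates."""
    seen, ids = set(), []
    for row in csv.DictReader(io.StringIO(report_csv)):
        value = (row.get(column) or "").strip().strip('"')
        if value and value not in seen:
            seen.add(value)
            ids.append(value)
    return ids

def ramped_batches(ids, first=50, factor=2, seed=None):
    """Split ids into batches of size first, first*factor, ...; the last takes the rest.
    With a seed, the population is shuffled first so each batch is a random sample."""
    if first < 1 or factor < 1:
        raise ValueError("first and factor must be >= 1")
    pool = list(ids)
    if seed is not None:
        random.Random(seed).shuffle(pool)
    batches, start, size = [], 0, first
    while start < len(pool):
        batches.append(pool[start:start + size])
        start, size = start + size, size * factor
    return batches

def request_bodies(role_id, batch, per_request=10, comment="batch rollout"):
    """Build one request body per chunk of a batch (per_request is an assumed limit)."""
    return [
        {
            "requestedFor": batch[i:i + per_request],
            "requestType": "GRANT_ACCESS",
            "requestedItems": [{"type": "ROLE", "id": role_id, "comment": comment}],
        }
        for i in range(0, len(batch), per_request)
    ]

if __name__ == "__main__":
    ids = load_identity_ids(SAMPLE_REPORT)
    for n, batch in enumerate(ramped_batches(ids, seed=1), start=1):
        bodies = request_bodies("ROLE_ID_PLACEHOLDER", batch)
        # Submit one batch, verify the accounts on the target source, then continue.
        print(f"batch {n}: {len(batch)} identities in {len(bodies)} requests")
```

Keeping the seed and the resulting batch lists alongside the verification results gives a record of which identities were requested in which phase.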

Thanks for the input. Just to give a clear idea, we are using a criteria-based role to provide access to AD, Entra and Okta. We would like to use this role. I thought of using some attribute and processing accordingly, but that attribute is giving me identities in the thousands. I would like to process randomly 50, 300 etc. After this is done, we have to remove this attribute, which we used for processing in batches, without impacting the existing users in the role and also the future provisioning as per the criteria.

Can I know what the auth source is?

I wouldn’t go for creating an Identity attribute for batch provisioning.

Pull the reports and analyze the criteria to have the least number of users for initial batch provisioning.

I am not sure of the reason behind your batch provisioning: is it to make sure everything is correct, the load on the application, or a business requirement?

This is a business requirement to control the number of account provisionings, as we are changing the initial process of account provisioning by controlling the flag value at the Workday auth source. Now they are planning to remove this, so all identities will be getting created in ISC. That is fine, but AD account provisioning should be limited or controlled for the initial load to verify the result.

If it is just to verify the result, then

I would go for 1 criteria alone to restrict the users. As I have mentioned already, take only one department (or any other attribute based on your criteria requirement) which has fewer users.

Once verified, it is just adding some more OR conditions.

I’m also looking for any attribute which I can use to classify a smaller population. Thanks, I’ll check with the team on the attribute to be used.