Hi ALL,
I'm looking for a script to remove a member from a group, triggered by the IdentityNow Certification Feature - Revoke action.
Below is a draft version of this script, used by a connector rule of type "ConnectorAfterModify":
{
    "description": "AD remove member from group",
    "type": "ConnectorAfterModify",
    "signature": {
        "input": [],
        "output": null
    },
    "sourceCode": {
        "version": "1.0",
        "script": "#Script that remove a member from a group triggered by the IdentityNow Certification Feature Revoke action..."
    },
    "attributes": {
        "ObjectOrientedScript": "true",
        "extension": ".ps1",
        "sourceVersion": "1.0",
        "disabled": "false",
        "program": "powershell.exe",
        "timeout": "360"
    },
    "id": "3ca22acbad444043983861a633225909",
    "name": "ADRemoveFromGroupAfterModifyRule",
    "created": "2023-05-16T21:00:43.050Z",
    "modified": null
}
This is the draft script:
#Script that removes a member from a group, triggered by the IdentityNow Certification Feature Revoke action
#Include SailPoint library (the \" and \\ escapes belong to the JSON rule definition; in the .ps1 they are plain quotes and backslashes)
Add-Type -Path "C:\SailPoint\IQService\Utils.dll";
#Handle Account Request: returns the Value of the AttributeRequest whose Name matches $targetAttribute
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
    ...
}
try {
    #Begin SailPoint protected code -- do not modify this code block
    #$requestString holds the AccountRequest XML that IQService hands to the rule
    $sReader = New-Object System.IO.StringReader([System.String]$requestString);
    $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
    #Dump the incoming AccountRequest XML to the file passed as the first argument (debugging aid)
    $requestObject.toxml() | Out-File $args[0];
    #End SailPoint protected code
    #Begin Client code
    Import-Module ActiveDirectory
    $nativeIdentity = $requestObject.NativeIdentity
    ...
    $distinguishedName = $requestEntry.Value;
    #Resolve the user object with the Quest cmdlet against the corp.int.kn domain
    $members = $distinguishedName | Get-QADUser -Service corp.int.kn
    #The group is hard-coded here; it should come from the revoke request instead
    $group = "CORP_A_GG_KNAdmins"
    Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false
    #End Client code
}
catch {
    ...
}
Note that the script uses the native AD command that removes the member from the group. This script runs as an IAM service account with the proper rights in AD (full read/write access).
Also note that the $group variable is hard-coded. The script runs properly, but how can I get the group from which I need to remove the member in the Certification Campaign?
Additionally, how will IDN trigger this connector rule? Is it enough to just include this rule in the AD source's provisioning rules settings?
Thanks a lot.
BR, Andrea.
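On the question of where the group comes from: as an added example (not Andrea's script and not SailPoint's own code), the client-code section below reads the group DN(s) out of the AccountRequest itself instead of a hard-coded $group. It assumes $requestObject is the AccountRequest built by the SailPoint protected block, that each entry in $requestObject.AttributeRequests exposes Name, Operation and Value, and that a certification revoke of an AD group entitlement arrives as operation "Remove" on attribute "memberOf" with the group DN as the value; the function name Get-GroupsToRemoveFromAccountRequest is made up for this example.

```powershell
# Added example: derive the group(s) to remove from the AccountRequest.
# Assumption: AttributeRequest objects in Utils.dll expose Name, Operation and Value
# (Value may be a single DN or a list of DNs). Function name is hypothetical.
function Get-GroupsToRemoveFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request) {
    $groups = @()
    foreach ($attrib in $request.AttributeRequests) {
        # A certification revoke of an AD group entitlement arrives as Remove on memberOf
        if ($attrib.Name -eq "memberOf" -and $attrib.Operation -eq "Remove") {
            foreach ($dn in @($attrib.Value)) {
                if (-not [string]::IsNullOrWhiteSpace($dn)) { $groups += $dn }
            }
        }
    }
    return $groups
}

# Client code: user and groups both come from the request, never from constants
Import-Module ActiveDirectory
$nativeIdentity = $requestObject.NativeIdentity              # user DN in the AD source
$user = Get-ADUser -Identity $nativeIdentity -ErrorAction Stop
$groupsToRemove = Get-GroupsToRemoveFromAccountRequest $requestObject

if ($groupsToRemove.Count -eq 0) {
    # Not a group revoke (e.g. a plain attribute change): nothing to do for this request
    return
}

foreach ($groupDn in $groupsToRemove) {
    $group = Get-ADGroup -Identity $groupDn -ErrorAction Stop
    # Only act if the user is still a direct member; avoids noisy errors if the rule re-runs
    $isMember = Get-ADGroupMember -Identity $group |
        Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
    if ($isMember) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        Write-Output "Removed $($user.SamAccountName) from $($group.Name)"
    } else {
        Write-Output "$($user.SamAccountName) is not a member of $($group.Name); skipping"
    }
}
```

Because the group DN is taken from the Remove operation in the request, the same rule serves every group the campaign revokes, and a request that carries no memberOf removal is left alone rather than touching a fixed group.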