Script to remove a member from a group - Certification Feature

Hi ALL,
I'm looking for a script to remove a member from a group, triggered by the IdentityNow Certification Feature - Revoke action.

Below is a draft version of this script, used by a connector rule of type “ConnectorAfterModify”:

{
    "description": "AD remove member from group",
    "type": "ConnectorAfterModify",
    "signature": {
        "input": [],
        "output": null
    },
    "sourceCode": {
        "version": "1.0",
        "script": "#Script that remove a member from a group triggered by the IdentityNow Certification Feature Revoke action..."
    },
    "attributes": {
        "ObjectOrientedScript": "true",
        "extension": ".ps1",
        "sourceVersion": "1.0",
        "disabled": "false",
        "program": "powershell.exe",
        "timeout": "360"
    },
    "id": "3ca22acbad444043983861a633225909",
    "name": "ADRemoveFromGroupAfterModifyRule",
    "created": "2023-05-16T21:00:43.050Z",
    "modified": null
}

This is the draft script:

#Script that removes a member from a group, triggered by the IdentityNow Certification Feature Revoke action
#Include SailPoint library (plain PowerShell string; the escaped quotes in the JSON "script" field are only needed inside the JSON)
Add-Type -Path "C:\SailPoint\IQService\Utils.dll";

#Handle Account Request: returns the value of one attribute request from the AccountRequest
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
...
}

try {
    #Begin SailPoint protected code -- do not modify this code block
    $sReader = New-Object System.IO.StringReader([System.String]$requestString);
    $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader)
    $requestObject.toxml()|out-file $args[0];
    #End SailPoint protected code

    #Begin Client code (must stay inside the try block so the catch below sees its errors)
    Import-Module activedirectory
    $nativeIdentity = $requestObject.NativeIdentity
...
    #$requestEntry is obtained from the request in the elided section above
    $distinguishedName = $requestEntry.Value;
    $members = $distinguishedName | get-qaduser -service corp.int.kn
    #Group is hard-coded for now
    $group = "CORP_A_GG_KNAdmins"

    Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false
    #End Client code
}
catch {
...
}

Note that the script is using the native AD command that removes the member from the group. This script runs under an IAM service account with the proper rights in AD (full read/write access).

Also note that the $group variable is fixed. The script runs properly. But how can I get the group from which I need to remove the member in the Certification Campaign?

Additionally, how will IDN trigger this connector rule? Is it enough to include this rule in the AD source's provisioning rule settings?

Thanks a lot.
BR, Andrea.

Perhaps I’m not fully understanding the ask, but is it not an out-of-the-box feature to remove someone from an AD group when their access is revoked from a certification?

Or are you saying you’d like to remove someone from a different group when they’re revoked from one specific group? Clarification would help

Hi @AndreaQueiroz50
what should we pass in $args[0] from the below line?
$requestObject.toxml()|out-file $args[0]

At the risk of repeating what Mark said above:
I also think you need to clarify what you want to do exactly.
If you do a certification and revoke one or more entitlements, they will be removed from AD already OOTB, hence making the script you refer to obsolete.
Also, first you state that $group is fixed, but then you say you want to get the group which the user should be removed from; this strengthens the feeling that you simply want to remove the groups that the certification should already take care of.

Regarding the last question: this is an AfterModify rule, meaning it will execute every single time there is a modification of an account. This means if you simply changed an attribute, let's say firstname on the AD account, it will execute, or if, let's say, a user requested group X and it is provisioned, it will also execute, which is definitely not what you want.
You probably need to add some if statements to only do this under certain conditions. And yes, to start using the rule, you add it to the source according to the documentation here:

Regards


Hello Mark, Narendra and Jesper,
thanks for the responses and sorry for the delay in my response.

I don't want to remove someone from a different group, but I want to remove someone from an AD group when their access is revoked.

@Mark and @Jesper, are you stating that the Certification feature will handle the removal and that I don't need to have any rule in place for that operation, as the Certification feature itself will take care of the removal? Is that correct? If so, then I will test it soon without any additional rule for that.

However, during the last month, the use case requisite changed and now I have Quest Active Roles in the scenario.

The Quest Active Role command for removing an account member from a group is:
Remove-QADGroupMember -Identity $group -Member $members -Control $control -Proxy

Since IDN needs to send a request to Active Roles after the Certification Campaign sign-off, I had to create a rule for removing member(s) from group(s) when their access is revoked. This rule is using the QAR command above and is working for N groups (the group is not fixed anymore). @Jesper, I also added this rule to the source.

This rule is working as expected, so it is removing the members from groups on both the Active Roles and IdentityNow sides. Since there is an approval workflow configured on the AR side, the IAM service account sends the request to Active Roles and that request needs to be approved or rejected. Once approved, then in the next IDN source aggregation the group(s) is removed from the account.

The problem I am struggling with now concerns the proper access rights and AR role configuration to allow the IAM service account to remove any group type/scope from AD.

I am not sure if this approach is the best one for AD Certification Campaigns, I mean using Quest Active Roles instead of native Active Directory, but I need to continue trying with this approach as the company is using Quest Active Roles mainly to handle the administrative accounts. However, I need to do the certification of these accounts via IDN because Quest Active Roles doesn't have a Certification Campaigns feature.

Hope this clarifies my post.

Following this theme, soon I will need to create governance groups to certify the Campaigns. And these governance group members should be read from the entitlement owners, so from the AD group owners. How are you currently handling AD Certification Campaigns in terms of the certifiers/reviewers? Do you have AD governance groups? If so, how do you create them, manually or automatically via some script? And how are you handling the governance groups? I am struggling with this point as only the Org Admins can handle the governance groups. In my organization we are a small group; we can't have the responsibility of maintaining the governance group changes on our side. Any thoughts? I can move this to a new topic if you consider it appropriate.

Thanks again!
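A worked version of the gating Jesper describes (only act on certain conditions, not on every account modification), combined with reading the group from the request rather than a fixed $group, which is what Andrea's N-group rule above needs. This is an added example written for this thread; it is not Andrea's script and not SailPoint's template. It assumes the IQService conventions visible in the draft ($requestString and Utils.dll supplied by IQService), that the AD source's membership attribute is named memberOf, that the AccountRequest object exposes Operation, NativeIdentity and AttributeRequests with Name/Operation/Value properties as in SailPoint's published rule samples, and a placeholder log path. It uses the native Remove-ADGroupMember; the Active Roles variant swaps that one line for the Remove-QADGroupMember form Andrea quoted.

```powershell
# Added example for this thread (not Andrea's script, not SailPoint's template).
# Assumptions: IQService supplies $requestString and Utils.dll as in the draft above;
# the AD source's group-membership attribute is "memberOf"; AttributeRequest has
# Name/Operation/Value and AccountRequest has Operation/NativeIdentity (as in
# SailPoint's published rule samples). The log path is a placeholder.

Add-Type -Path "C:\SailPoint\IQService\Utils.dll"
$logFile = "C:\SailPoint\Scripts\ADRemoveFromGroupAfterModify.log"   # placeholder path

function Write-Log([string] $message) {
    "$(Get-Date -Format o) $message" | Out-File -FilePath $logFile -Append
}

# Returns every group DN that this request asks to remove from the account.
# Only attribute requests whose Name is $membershipAttribute and whose Operation
# is Remove count; Add/Set (e.g. an access request being fulfilled) and any other
# attribute change are ignored, so the rule does not fire on unrelated modifications.
function Get-GroupsToRemove([sailpoint.Utils.objects.AccountRequest] $request, [string] $membershipAttribute) {
    $groups = @()
    foreach ($attrib in $request.AttributeRequests) {
        if ($attrib.Name -ne $membershipAttribute) { continue }
        if ([string]$attrib.Operation -ne 'Remove') { continue }
        # Value may be a single DN or a list of DNs; normalise to an array
        foreach ($v in @($attrib.Value)) {
            if (-not [string]::IsNullOrWhiteSpace($v)) { $groups += [string]$v }
        }
    }
    return $groups
}

try {
    #Begin SailPoint protected code -- do not modify this code block
    $sReader = New-Object System.IO.StringReader([System.String]$requestString)
    $xmlReader = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader))
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader)
    #End SailPoint protected code

    # Gate 1: only account modifications, not creates/deletes/enables/disables.
    if ($requestObject.Operation -ne 'Modify') {
        Write-Log "Skipping: operation is '$($requestObject.Operation)'"
        return
    }

    $accountDn = $requestObject.NativeIdentity   # for the AD source this is the account DN
    $groupsToRemove = Get-GroupsToRemove $requestObject 'memberOf'

    # Gate 2: nothing to do unless the request removes at least one group.
    if ($groupsToRemove.Count -eq 0) {
        Write-Log "Skipping: no memberOf removals in request for $accountDn"
        return
    }

    Import-Module ActiveDirectory
    foreach ($groupDn in $groupsToRemove) {
        Write-Log "Removing $accountDn from $groupDn"
        # Native AD call. For Active Roles, replace this single line with the
        # Remove-QADGroupMember form quoted earlier in the thread.
        Remove-ADGroupMember -Identity $groupDn -Members $accountDn -Confirm:$false
    }
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    throw
}
```

Because the group DNs come from the request's own attribute requests, the same rule serves one group or N groups, and the two gates mean a firstname change or a group being added (the cases Jesper lists) fall through without touching AD. The log file gives the IQService host a record of every removal the service account performed, which is worth keeping when the account holds full read/write rights.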

Adding ActiveRoles as a middle man between IDN and AD seems like a complexity that’s not needed. We also have ActiveRoles but since we have said IDN is our identity governance tool, it’s fine for it to interact with AD directly.

Hi Mark,
I agree, but this decision is out of my hands. :grinning:
Anyway, I will do a POC with the original idea, which was to use IDN and native AD.
Could you please confirm that you don't have any script or additional API configuration to be able to remove access from AD?
And if you don't mind responding, are you using governance groups as the certifiers? And if so, were these created manually or somehow automatically?
I wonder because in the Certification feature we can only select the options Manager, Individual and Governance Group. We don't have Group Owner as an option :upside_down_face:
