Sequential Provisioning Discussion

sjoyee · October 17, 2023, 3:51am

Hi all,

We have configured the role criteria as suggested in this discussion to achieve the sequential provisioning: Birthright Provisioning Scenario where it should be applied based on sequence: Role A → Role B → Role C The configuration is working however sometimes, Role C is not applied, and can only be attached to the identity after the next identity refresh task. We would like to request input on how to ensure all roles will be applied in a single aggregation.

We have raised customer support ticket and few possibilities are suggested by the support team:

Workflow
Rule After Provisioning
Event Triggers

The current way will be triggering identity refresh task via API after the provisioning is done. Appreciate any input on this and which way should be the most preferable.

Thank you.

ethompson · October 17, 2023, 5:13am

What criteria are you using on Role C that relies on prior provisioning to occur?

If the criteria is just looking for if an account was created, this should occur immediately and can be handled via a transform. If you are looking for a particular attribute that takes time to populate, this may not be read until the next account aggregation.

sjoyee · October 17, 2023, 5:55am

Hi Edward,

Thank you for the response. Role B depends on provision of account on source A (fulfil Role A), and Role C depends on provision of account on source B (fulfil Role B).

So does this enter into the second scenario you were saying?

MVKR7T · October 17, 2023, 11:11am

Hi @sjoyee

As per my knowledge, When an Identity is Refreshed,

Role will be assigned → Account Provisioned → Single Account Aggregation → Refresh (Again)

So the process repeats.

You mentioned, Role C is not assigned sometimes but not every time rite. Maybe 2nd account was not created successfully or not yet reflected in IDN ?

I would like to know what conditions you used in Role assignment, is it entitlement from source or some attribute in a source ?

Let us try to fix the issue in RBAC, if not then we can look on Workflows. BTW there is no After Provisioning Rule in IDN.

Thanks
Krish

sjoyee · October 17, 2023, 11:30am

Hi Krishna,

Yes, we are using account attribute as Role C criteria. From what I understand from your response, is it correct to say that any identity attribute update will trigger identity refresh.

If yes, then we can include an identity attribute as a condition in Role C criteria.

Thank you.

MVKR7T · October 17, 2023, 11:35am

Ya we can replicate the issue, before that please confirm on below queries.

Role B is assigning after Role A, for all the times ?
Role C is not getting assigned after Role B assigned, sometime or all the times ?
What are the 3 connectors you are using in order ?

sjoyee · November 22, 2023, 7:54am

Sorry for the late update. After including identity attribute as a condition in Role C criteria, the sequential provisioning is working. Thank you all for the assistance!

system · January 21, 2024, 7:55am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Deprovisioning role in IDNow through workflow ISC Discussion and Questions workflows , identity-security-cloud , roles	6	1542	July 19, 2023
Role RBAC runtime ISC Discussion and Questions identity-security-cloud	3	164	January 22, 2024
Single Valued Entitlement Issue ISC Discussion and Questions entitlements	9	664	July 19, 2023
How to enable "Provision Assignments refresh option" IIQ Discussion and Questions identityiq , provisioning	9	368	December 8, 2023
Enabling Accounts In Sequence ISC Discussion and Questions identity-security-cloud	2	74	March 5, 2024

Sequential Provisioning Discussion

Related Topics