Our requirement: when the LCS changes from Active to Terminated, the AD groups assigned via access request should be removed, a terminated group needs to be set, the Active Directory account needs to be disabled, and the account needs to be moved to the disabled OU.
I am using the SSI BeforeProvisioning rule for this requirement. Disabling the account and moving it to the disabled OU is working, and the terminated OU group is also getting assigned to the account, but it is not removing the AD entitlements requested via access request (role).
Below is my configuration:
"beforeProvisioningRule": {
    "type": "RULE",
    "id": "*****************************************************",
    "name": "Services Standard IdentityNow BeforeProvisioning Rule"
},
"beforeProvisioningRule": "Services Standard IdentityNow BeforeProvisioning Rule",
"cloudServicesIDNSetup": {
    "eventConfigurations": [
        {
            "eventActions": [
                {
                    "Action": "ADMoveAccount",
                    "Attribute": "AC_NewParent",
                    "Value": "OU=Disabled Accounts,DC=**************************"
                },
                {
                    "Action": "UpdateAttribute",
                    "Attribute": "description",
                    "Value": "DISABLED"
                },
                {
                    "Action": "UpdateAttribute",
                    "Attribute": "manager",
                    "Value": null
                },
                {
                    "Action": "UpdateAttribute",
                    "Attribute": "mail",
                    "Value": null
                },
                {
                    "Action": "UpdateAttribute",
                    "Attribute": "extensionAttribute4",
                    "Value": "#{identity.endDate}"
                },
                {
                    "Action": "RemoveEntitlements",
                    "Attribute": "memberOf",
                    "Value": null
                },
                {
                    "Action": "RemoveADEntitlements",
                    "Attribute": "memberOf",
                    "Value": "CN=***********************************"
                },
                {
                    "Action": "ScramblePassword",
                    "Attribute": "password",
                    "Value": null
                }
            ],
            "Identity Attribute Triggers": [
                {
                    "Attribute": "cloudLifecycleState",
                    "Value": "terminated",
                    "Operation": "eq"
                }
            ],
            "Operation": "Disable"
        }
    ]
},
All the other attributes are getting set properly except the removal of the AD groups that are assigned via access request.
Am I missing anything here? Please suggest.
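As an added check that is not part of the original post, the following PowerShell (ActiveDirectory module from RSAT) reads the account straight from AD after the lifecycle-state change has been provisioned and reports which parts of the required end state are actually in place: disabled, moved to the disabled OU, description/manager/mail updated, terminated group present, and, most relevant here, any group memberships still left on the account other than the terminated group. The OU DN, terminated group DN and sAMAccountName in the usage line are placeholders; the OU check assumes the account sits directly in the disabled OU.

```powershell
# Added verification script, not from the original post or from SailPoint.
# Assumes the RSAT ActiveDirectory module is installed and the caller can
# read the account. All names passed in are placeholders for this example.
Import-Module ActiveDirectory

function Test-TerminatedAccountState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # e.g. "OU=Disabled Accounts,DC=example,DC=com"
        [Parameter(Mandatory)] [string] $DisabledOU,
        # DN of the "terminated" group the rule is expected to add
        [Parameter(Mandatory)] [string] $TerminatedGroupDN
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties memberOf, description, manager, mail, extensionAttribute4

    $findings = [ordered]@{}
    $findings['Disabled']          = (-not $user.Enabled)
    # Account sits directly under the disabled OU (assumption stated above)
    $findings['InDisabledOU']      = ($user.DistinguishedName -like "*,$DisabledOU")
    $findings['DescriptionSet']    = ($user.description -eq 'DISABLED')
    $findings['ManagerCleared']    = [string]::IsNullOrEmpty($user.manager)
    $findings['MailCleared']       = [string]::IsNullOrEmpty($user.mail)
    $findings['EndDateStamped']    = -not [string]::IsNullOrEmpty($user.extensionAttribute4)
    $findings['HasTerminatedGroup'] = ($user.memberOf -contains $TerminatedGroupDN)

    # Any membership other than the terminated group is a leftover entitlement,
    # for example a role- or request-granted group the event action did not strip.
    $leftover = @($user.memberOf | Where-Object { $_ -ne $TerminatedGroupDN })
    $findings['LeftoverGroups']    = $leftover
    $findings['LeftoverGroupCount'] = $leftover.Count

    [pscustomobject]$findings
}

# Usage (placeholders): run after provisioning for the terminated identity completes.
# Test-TerminatedAccountState -SamAccountName 'jdoe' `
#     -DisabledOU 'OU=Disabled Accounts,DC=example,DC=com' `
#     -TerminatedGroupDN 'CN=Terminated Users,OU=Groups,DC=example,DC=com'
```

A non-zero LeftoverGroupCount after provisioning is the concrete symptom described in the post, and the LeftoverGroups list tells you exactly which DNs the rule did not remove, which is what to compare against the access-request (role) entitlements when raising this with support or checking the rule logic.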