Services Standard Before Provisioning Rule: Multiple event triggers

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hello team,

I am wondering if anyone has tried to use the beforeProvisioning rule with multiple event triggers for a given set of actions.

Use Case: Upon termination, we need to handle a given set of users in Active Directory differently than the rest of the population. There are about 20 users who are in a specific OU, and when they reach the ‘terminated’ LCS, they need to go to a different termed OU than everyone else. My thought process is that in the beforeProvisioning rule, we could use two event triggers to separate these folks from the rest. One of the triggers will be when the user reaches the terminated LCS, and the other trigger would be if they have a specific attribute that each person has in this special OU. The second attribute could be department, distinguished name, etc, but the exact attribute doesn’t matter at this point.

Example for one set of actions for the special population:

“Identity Attribute Triggers”: [
{
“Attribute”: “cloudLifecycleState”,
“Value”: “terminated”,
“Operation”: “eq”
},
{
“Attribute”: “OrgName”,
“Value”: “Finance”,
“Operation”: “eq”
}
],
“Operation”: “Disable”

{
“eventActions”: [
{
“Action”: “ADMoveAccount”,
“Attribute”: “AC_NewParent”,
“Value”: “OU=Terminated,OU=Terms,…DC=com”
},
{
“Action”: “RemoveADEntitlements”,
“Attribute”: “memberOf”,
“Value”: “CN=Domain Users,CN=…”
},
{
“Action”: “ScramblePassword”,
“Attribute”: “password”,
“Value”: null
},

Then we would use something like this for the rest of the population:

“Identity Attribute Triggers”: [
{
“Attribute”: “cloudLifecycleState”,
“Value”: “terminated”,
“Operation”: “eq”
},
{
“Attribute”: “PrimaryOrgName”,
“Value”: “Finance”,
“Operation”: “ne”
}
],
“Operation”: "Disable

Has anyone tried this or know if it works? Our other option would be to adjust our LCS transform to put the special users into a different LCS and use the new LCS as the Identity Attribute Trigger.

Any help is greatly appreciated. Thanks!

2

Identity Attribute Triggers added are checked with an AND between them, which means the event actions are applied only when all the conditions are met. Based on this your approach should work

2 Likes
3

I have used multiple triggers in my implementation and I can tell you having multiple triggers works well. I have only used 2 triggers but I don’t see why more than 2 wouldn’t work.

1 Like
4

Affirmative, thanks for the reply. I’ll do some more testing and report back with my findings. Thanks again!

Update: Got it to work as expected! Thanks everyone.

5

Sounds great, thanks for the response!

6

Just as an alternative option. You could have defined the AC_NewParent as an identity attribute (disabledOU) and applied a transform to that for your two use cases.
Then in the Rule:

{
"Action":"ADMoveAccount",
"Attribute":"AC_NewParent",
"Value":"#{identity.disabledOU}"
}

Might be a simpler way of achieving the same result

3 Likes