Standard service before provisioning rule for AD OU move during identity attribute change

Shonnegowda · April 18, 2024, 4:07pm

I’m planning to use Standard service before provisioning rule for AD OU move during identity attribute change but looks like we can just have static value and not able to see the use case, if any changes happened to that identity attribute. Does it mean, we can’t use this for OU move and go with individual before provision rule? I’m trying to use during modify operation, not during disablement.

Identity Attribute Triggers: This checks if the user being modified matches a specific value for an Identity attribute
Configured with a separate key “Identity Attribute Triggers” which is a list of attribute conditions to match
Each match will have an attribute, an operation, and a value.
“Identity Attribute Triggers”:[
{
“Attribute”:“cloudLifecycleState”,
“Operation”:“eq”,
“Value”:“inactive”
},
{
“Attribute”:“employeeType”,
“Operation”:“ne”,
“Value”:“Employee”
}
]
Supported attributes are any attributes available on the Identity
Supported operations
eq: signifies the attribute for the user matches the value
ne: signifies the attribute for the user does not match the specified value
Supported value is Java String based matches. This will support static values or wild card values using the * for any character or
? for a single character (e.g. test_equals matches “test_equals” or “test_*” or “test?equals”). The following will be treated as a
null value
the key word #{null} : “Value”:”#{null}”
an empty string : “Value”:””
null entry : “Value”:null

jesvin90 · April 18, 2024, 4:36pm

Hi @Shonnegowda,

The before provisioning rules just alters the provisioning plan before sending it to the connector. The trigger can be Create, Enable, Disable or Modify operation on the account. So you basically need a provisioning event to trigger your OU move.

If you are doing an attribute sync to AD on an AD attribute (eg. EmployeeStatus value as inactive) you can use something as below to make the OU move.

{
                    "eventActions": [
                        {
                            "Action": "ADMoveAccount",
                            "Attribute": "AC_NewParent",
                            "Value": "OU=Disabled,DC=tst,DC=tst,DC=net"
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Value": "inactive",
                            "Operation": "eq"
                        }
                    ],
                    "Account Attribute Update Triggers": [
                        {
                            "Attribute": "EmployeeStatus",
                            "Value": "inactive",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Modify"
                }

Note : Even though it is named as Identity Attribute Triggers, they are not actually triggers they are just Identity filters.

Shonnegowda · April 19, 2024, 6:35am

@jesvin90 I’m looking for AD move whenever there is country change happens, so I’m not really sure, how I can pass the value to trigger to verify the country identity attribute change. The document only shows about the static value in the trigger as you have given in the example.

jesvin90 · April 19, 2024, 7:02am

Hi @Shonnegowda,

Are you syncing the country name to AD.? If so, you can make it as the Account attribute trigger and invoke the rule to make the AD OU move.

Shonnegowda · April 19, 2024, 12:49pm

Yes we are syncing it. You mean we can use it as below?

“Account Attribute Update Triggers”:[
{
“Attribute”:“co”,
“Operation”:“eq”,
“Value”:“*”
}
]

jesvin90 · April 19, 2024, 12:52pm

Yes, something like this should work

              {
                    "eventActions": [
                        {
                            "Action": "ADMoveAccount",
                            "Attribute": "AC_NewParent",
                            "Value": "OU=Disabled,DC=tst,DC=tst,DC=net"
                        }
                    ], 
                    "Account Attribute Update Triggers": [
                        {
                            "Attribute": "co",
                            "Value": "*",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Modify"
                }

Shonnegowda · April 19, 2024, 12:54pm

@jesvin90 Can I pass the dynamic country inside the value as below
{
“eventActions”: [
{
“Action”: “ADMoveAccount”,
“Attribute”: “AC_NewParent”,
“Value”: “OU=Users,OU=#{identity.companyCountryCode},OU=Countries,DC=tst,DC=tst,DC=net”
}
],
“Account Attribute Update Triggers”: [
{
“Attribute”: “co”,
“Value”: “*”,
“Operation”: “eq”
}
],
“Operation”: “Modify”
}

jesvin90 · April 19, 2024, 1:21pm

Yes, if companyCountryCode is your identity attribute, you can pass it dynamically.

Shonnegowda · April 19, 2024, 1:23pm

@jesvin90 Thanks for the input. I’ll test this out

Shonnegowda · April 19, 2024, 1:42pm

One more quick clarification. If we using account update trigger with value as “". can’t we use the same in identity attribute trigger as well? This is not going to work for updates?
{
“eventActions”: [
{
“Action”: “ADMoveAccount”,
“Attribute”: “AC_NewParent”,
“Value”: “OU=Users,OU=#{identity.companyCountryCode},OU=Countries,DC=tst,DC=tst,DC=net”
}
],
“Identity Attribute Triggers”: [
{
“Attribute”: “countrycode”,
“Value”: "”,
“Operation”: “eq”
}
],
“Operation”: “Modify”
}

jesvin90 · April 19, 2024, 1:50pm

This will not work.

Identity Attribute Triggers are not actual triggers. They are just filters on Identity attributes.

It is used to limit the triggering of this event to Identities matching a specified criteria.

eg. if you want the above trigger to work only for active users, you can have something as below:

"Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Value": "active",
                            "Operation": "eq"
                        }
                    ],

So the rule will not apply for inactive users having a country change.

Shonnegowda · April 23, 2024, 12:26pm

@jesvin90 This worked both for OU move and also using dynamic value population inside the value. Thanks for the input

system · June 22, 2024, 12:27pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AD account moves using standard before provisioning rule ISC Discussion and Questions transforms , rules , identity-security-cloud , provisioning	2	293	June 22, 2024
AD before provisioning rule to move OU on disable ISC Discussion and Questions identity-security-cloud	1	1280	July 19, 2023
Services Standard Before Provisioning Rule: Multiple event triggers ISC Discussion and Questions rules , identity-security-cloud	6	209	August 12, 2024
How to modify Identity Attribute value in Standard Before Provisioning Rule? ISC Discussion and Questions identity-security-cloud , provisioning	5	86	November 1, 2024
Services Standard BeforeProvisioning Rule ISC Discussion and Questions rules , identity-security-cloud , provisioning	5	194	August 16, 2024

Standard service before provisioning rule for AD OU move during identity attribute change

Related topics