Stop AD account creation

We have 2 authoritative sources, one for employees and one for contractors. After a contractor is converted to an employee, a new record for the same converted contractor (as a regular employee now) gets into the employee source with entirely new attribute values, and we set 2 attribute values:

  1. “converted” =1 if it is a converted identity or converted=0 if it is not.
  2. “OldID”= old contractor ID

An AD account is created when the Life Cycle State (LCS) is active, as configured.

The requirement is not to create an AD account for the converted identity, and to transfer the old access from the old Identity Profile to the new Identity Profile.
—> Manual CSV correlation should transfer the identity details and access, if I am not wrong.
—> To stop AD account creation, I believe the “beforeProvisioning Rule” doesn't support stopping the event. It only modifies/updates. Please correct me if I am wrong.

Are there any solutions for this, e.g. from a workflow (Identity Created trigger??)

Hi Pabitra,

  1. For manual CSV correlation, you can use the update-account API (SailPoint Developer Community) with a PATCH operation to set the new identityId on the AD account.

For this, you can create a workflow. Here is a high-level idea:
a. Step 1 - Identity Created → Get the identity created with converted=1
Attribute to filter - converted equals 1
b. Step 2 - Get List of Identities → Get all identities that match the OldID of the created identity
Search Query - attributes.OldID.exact:{{$.trigger.attributes.OldID}}
c. Step 3 - Get Identity → Get the old contractor identity
Identity - $.getListOfIdentities.identities[0].id
d. Step 4 - Get Accounts → Get all accounts of the contractor identity
Account Selection Method - By Identity
Accounts by Identity - $.getIdentity.id
e. Step 5 - Define Variable → To store the id of the Contractor AD account
Create a new variable called ADID and set the type as Attribute with - $.getAccounts.accounts[?(@.sourceId=='yourADsourceId')].id
f. Step 6 - HTTP Request → Call the update-account API to patch the identityId of the AD account to the newly created identity's ID.
Request URL - https://<tenant>.api.identitynow.com/v3/accounts/{{$.defineVariable.ADID}}
Method - PATCH

Request Body (JSON Patch; identityId is a string, so the templated value is quoted) - 
[
    {
        "op": "replace",
        "path": "/identityId",
        "value": "{{$.trigger.identity.id}}"
    }
]

g. Step 7 - End

You can also use the Source Account Created trigger (Triggers - SailPoint Identity Services) with a suitable filter on converted in Step 1.

Along with this, you will have to ensure that the correlation logic/configuration on the AD source is such that it doesn't correlate the AD account back to the contractor identity again the next time an unoptimized aggregation is run on the AD source.

  1. To stop the AD account creation when the conversion happens - you can use the converted attribute in the AD role assignment criteria such that the AD role is assigned to the identity (which also triggers AD account creation if it doesn't exist) only when the converted flag is not 1.

HTH

Thanks,
Shailee

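The workflow in the answer above, written out as a script (an added example, not SailPoint's or the poster's code). The HTTP layer is injected as `call(method, path, body)`, assumed to perform an authenticated request against `https://<tenant>.api.identitynow.com` and return the decoded JSON; the `/v3/search`, `/v3/accounts` and trigger payload shapes are assumptions from the v3 API docs, and the sample tenant data is constructed.

```python
def find_old_identity(call, old_id):
    """Steps 2-3: the contractor identity whose OldID attribute matches the trigger."""
    hits = call("POST", "/v3/search", {
        "indices": ["identities"],
        "query": {"query": f'attributes.OldID.exact:"{old_id}"'},
    })
    if len(hits) != 1:  # zero or several matches: stop rather than relink the wrong account
        raise LookupError(f"expected one identity with OldID={old_id}, found {len(hits)}")
    return hits[0]["id"]

def select_ad_account(accounts, ad_source_id):
    """Step 5: same as the JSONPath filter [?(@.sourceId=='yourADsourceId')].id."""
    ids = [a["id"] for a in accounts if a.get("sourceId") == ad_source_id]
    if len(ids) != 1:
        raise LookupError(f"expected one AD account, found {len(ids)}")
    return ids[0]

def build_patch(new_identity_id):
    """Step 6 body: JSON Patch; identityId is a string, so the value is a quoted string."""
    return [{"op": "replace", "path": "/identityId", "value": new_identity_id}]

def transfer_ad_account(call, trigger, ad_source_id):
    """Steps 1-6 end to end; returns the patched AD account id, or None if not a conversion."""
    if str(trigger["attributes"].get("converted")) != "1":  # Step 1 filter: converted equals 1
        return None
    old_identity_id = find_old_identity(call, trigger["attributes"]["OldID"])
    accounts = call("GET", f'/v3/accounts?filters=identityId eq "{old_identity_id}"', None)
    ad_account_id = select_ad_account(accounts, ad_source_id)
    call("PATCH", f"/v3/accounts/{ad_account_id}", build_patch(trigger["identity"]["id"]))
    return ad_account_id

class FakeTenant:
    """Constructed offline stand-in for the tenant (hypothetical ids); records every PATCH."""
    def __init__(self):
        self.patches = []
    def __call__(self, method, path, body):
        if method == "POST":  # search hit: the old contractor identity
            return [{"id": "old-contractor-id"}]
        if method == "GET":   # the contractor's accounts: one HR, one AD
            return [{"id": "acct-hr", "sourceId": "hr-src"}, {"id": "acct-ad", "sourceId": "ad-src"}]
        self.patches.append((path, body))
        return {}

def demo():
    tenant = FakeTenant()
    trigger = {"identity": {"id": "new-employee-id"},
               "attributes": {"converted": 1, "OldID": "C12345"}}
    transfer_ad_account(tenant, trigger, "ad-src")
    return tenant.patches
```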

Thanks for the solution.
