Background
In today’s dynamic business environment, managing user access and permissions is crucial for maintaining security and operational efficiency. One common challenge organizations face is handling inactive users in workgroups, especially when these users are workgroup owners. Let’s explore an innovative solution to this problem in IdentityIQ (IIQ).
Challenge
Imagine a scenario where an employee leaves the company or becomes inactive for an extended period. If this employee owns one or more workgroups, it can lead to:
- Outdated access permissions
- Lack of proper workgroup management
- Potential security risks
Solution
We’ve developed a custom workflow in IIQ that addresses this issue elegantly. Here’s how it works:
-
Identifying Inactive Users:
The workflow starts by filtering out identities with an inactive status. -
Checking Workgroup Memberships:
For each inactive identity, we iterate through their workgroup memberships. -
Handling Ownership Transfer:
If an inactive user is found to be a workgroup owner, the workflow automatically transfers ownership to the user’s manager. -
Removing from Workgroup:
After transferring ownership (if necessary), the inactive user is removed from the workgroup. -
Saving Changes:
The updated workgroup information is saved, ensuring all changes are properly recorded in the system.
Implementation
This solution is implemented as a custom rule in IIQ, which can be executed via a task or a Quicklink for on-demand processing.
Quicklink
First, we start by creating a Quicklink:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE QuickLink PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<QuickLink action="workflow" category="Custom" messageKey="WDA Workflow" name="WDA Workflow">
<Attributes>
<Map>
<entry key="workflowName" value="WDAwf"/>
<entry key="workflowSuccess" value="Removed workgroup access for Disabled Accounts"/>
</Map>
</Attributes>
<QuickLinkOptions allowSelf="true">
<DynamicScopeRef>
<Reference class="sailpoint.object.DynamicScope" id="0a00020f89201f92818920bfe3310133" name="Everyone"/>
</DynamicScopeRef>
</QuickLinkOptions>
</QuickLink>
We save this Quicklink in xml format and import it into IIQ. Here we have saved it in the “Custom” Quicklink category. You can change the category according to your requirement.
Workflow
Next, we create a simple workflow that runs a script to remove the inactive users from workgroups and, if required, transfer the ownership:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Workflow PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Workflow created="1708325948619" explicitTransitions="true" id="0a00020f8da71bdf818dc0294ccb18a5" modified="1708673279635" name="WDAwf">
<Variable initializer="string:true" name="trace"/>
<Variable initializer="string:true" name="transient"/>
<Step icon="Start" name="Start" posX="35" posY="46">
<Transition to="Generic Step"/>
</Step>
<Step icon="Default" name="Generic Step" posX="209" posY="57">
<Transition to="Stop"/>
</Step>
<Step icon="Stop" name="Stop" posX="371" posY="35"/>
</Workflow>
Navigate to Setup > Business Processes and click on WDAaf, the workflow name:
Go to Process Designer > right click on the Generic step > Edit Step:
Right click on the Open Editor and paste the rule logic:
Rule Code
import sailpoint.object.identity;
import sailpoint.object.Attributes;
import java.util.List;
import java.util.Iterator;
import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
Filter filter = Filter.eq("inactive",true);
QueryOptions qo = new QueryOptions();
qo.addFilter(filter);
List idenlist = context.getObjects(Identity.class,qo);
if(idenlist != null @and idenlist.size() > 0){
for(Identity identity : idenlist)
{
System.out.println("Iterator value is : " + identity);
String idname = identity.getName();
System.out.println("IDNAME IS : " + idname);
Boolean statusac = (Boolean)identity.getAttribute("inactive");
System.out.println("The status is inactive :" + statusac);
List wglist = identity.getWorkgroups();
System.out.println("Workgroup List size : " + wglist.size());
List removeworkGroupList=new ArrayList();
for(Identity W : wglist){
System.out.println("Workgroup : " + W.toXml());
String workgroupname=W.getName();
System.out.println("Workgroup Name is: " + workgroupname);
Identity wowner = W.getOwner();
String wownername = wowner.getName();
System.out.println("Workgroup Owner is: " + wownername);
if(idname.equalsIgnoreCase(wownername))
{
System.out.println("Entered the Loop");
Identity manager = identity.getManager();
if (manager != null) {
W.setOwner(manager);
System.out.println("Inactive account was owner of the workgroup so the ownership has been transferred to their owner :" + identity.getManager().getName());
} else {
Identity spadmin = context.getObjectByName(Identity.class, "spadmin");
if (spadmin != null) {
W.setOwner(spadmin);
context.saveObject(W);
context.commitTransaction();
System.out.println("The identity " + idname + " doesn't have a manager assigned. Ownership transferred to spadmin.");
} else {
System.out.println("The identity spadmin does not exist. Ownership transfer failed.");
}
}
}
removeworkGroupList.add(workgroupname);
}
System.out.println("Remove WorkGroup List."+removeworkGroupList);
for(String wname : removeworkGroupList)
{
Identity workGroupObject=context.getObjectByName(Identity.class,wname);
identity.remove(workGroupObject);
context.saveObject(identity);
context.commitTransaction();
System.out.println("Removed the workgroup");
}
}
}
return "success";
Code Logic
- Filter and fetch inactive identities:
- A filter for
inactive = trueis applied to fetch inactive identities usingcontext.getObjects().
- A filter for
- Process each inactive identity:
- Loop through each inactive identity:
- Retrieve the identity’s name and status.
- Get the list of workgroups assigned to the identity.
- Loop through each inactive identity:
- Workgroup ownership transfer:
- For each workgroup:
- If the identity owns the workgroup, transfer ownership to the manager or to
spadminif no manager exists.
- If the identity owns the workgroup, transfer ownership to the manager or to
- For each workgroup:
- Remove workgroups:
- Remove the workgroups from the identity and commit the changes.
- Return success:
- After processing, return “success”
Benefits
-
Automated Cleanup:
No manual intervention required to manage inactive users in workgroups. -
Seamless Ownership Transfer:
Ensures continuity in workgroup management by transferring ownership to the manager. -
Enhanced Security:
Reduces the risk of unauthorized access through outdated permissions. -
Improved Compliance:
Helps maintain accurate access records, crucial for audits and regulatory compliance.
Best Practices
-
Regular Execution:
Schedule this workflow to run periodically to catch any recent changes in user status. -
Audit Trail:
Implement logging to keep track of ownership transfers and membership removals. -
Notification System:
Consider adding notifications to inform managers of their new workgroup ownership responsibilities.
Conclusion
By implementing this automated solution, organizations can significantly improve their identity governance processes. It not only saves time and reduces manual errors but also enhances overall security posture. As businesses continue to evolve, such smart, automated workflows will become increasingly crucial in managing complex identity landscapes efficiently.
Remember, the key to successful identity management lies in proactive measures and intelligent automation. This use case is just one example of how we can leverage IIQ to address real-world challenges in access governance.