Trigger PowerShell script when account moves to Inactive Lifecycle State

When an employee leaves our organization they are moved to an Inactive lifecycle state. One of our sources, Microsoft Azure, is treated a little differently: it is not deactivated like our other sources, it remains active so that the employee's manager can access their email. But we are having trouble triggering a rule that will launch the PowerShell script when the account moves to an Inactive state. Currently I can set it up to trigger when the account is modified, and then have the PowerShell script check what lifecycle state the user is in. But is there a better way to launch the rule when the account is moved to inactive but the source is not deactivated?

Hi @MGainer

Welcome to SailPoint Developer Community.

1. How about using AD source

  • When the user's LCS moves to inactive, I guess you disable the AD account; then you can trigger the PowerShell script for Azure stuff using a Connector After Modify Rule.

2. With Azure AD Source

  • Do you have any attribute like description in your Azure AD source? If yes, then you can set some value to it when the user's LCS becomes inactive.
  • Create an Identity attribute Azure Description; use a Transform to set some value based on LCS.
  • Use this Identity attribute in your Azure source.
  • This will enable attribute sync for you.
  • Use a Connector After Modify Rule for your Azure source.

– Krish


Hi @KRM7,
What I was really looking for was another way to trigger a rule besides the Connector After Modify Rule. The Modify rule has its limitations; for instance, an account can be modified for various reasons, so the script could be triggered when the user received additional access or changed roles. When the account request is received, can additional information be sent from SailPoint to determine what type of modify request is being generated?

Yes, the Connector After Modify Rule will trigger for all changes to a user account.

  1. The Connector After Modify Rule should not have any logic in it; it just triggers a PowerShell script on your IQService server.
  2. Your PowerShell script should have the logic.
  3. You get the Account Request and check what the attribute requests are.
  4. If the conditions are satisfied, execute whatever you need to.

Apart from native rules, there is no other way. This is not the end.

Look at Privilege Task Automation (PTA), a new feature announced a couple of weeks back. Need to see if we can trigger PowerShell scripts using PTA Workflows.

Hi @MGainer,

You can actually have logic in your afterModify rule to restrict it to invoke only for certain changes.

Here is something that you can try updating in your rule script.

# $requestAsString (the serialized account request) and $command (the client
# script command line) are defined earlier in the rule script (not shown here).
# Only launch the client script when the request touches employeeStatus.
if ($requestAsString.contains('name="employeeStatus"')) {

    # Call the client script
    $command = -join ($command, " -requestString '$requestAsString'")
    Invoke-Expression $command

}

I do something very similar but trigger on the request operation. I only run PowerShell if operation == enable, for example. This significantly reduces the number of PowerShell scripts spawning during account modifies.
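Pulling together the two filters discussed in this thread (Krish's point that the script should inspect the account request's attribute requests, the `name="employeeStatus"` check in the snippet above, and Kirk's trigger on the request operation), here is an added example. It is not code from this thread or from SailPoint's own IQService rule template. It assumes that `$requestAsString` holds the AccountRequest XML that IQService hands to the rule, that the XML has the shape of the constructed sample below (a root `AccountRequest` element with an `op` attribute and child `AttributeRequest` elements), and that `Handle-InactiveUser.ps1` is a placeholder path for your own client script.

```powershell
# Added example, not from the thread or SailPoint's template. Decide inside a
# Connector After Modify rule whether the downstream client script should run.
# Assumption: $requestAsString contains the AccountRequest XML supplied by IQService.

function Test-ShouldRunClientScript {
    param(
        [Parameter(Mandatory)] [string] $RequestXml,
        [string[]] $Operations = @('Disable'),       # request operations that qualify (Kirk's filter)
        [string] $AttributeName = 'employeeStatus',  # attribute request that qualifies (thread's filter)
        [string] $AttributeValue = 'Inactive'
    )

    # Parse as XML with DTD processing switched off: the request is data to inspect,
    # never a document whose external references should be resolved.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader($RequestXml)), $settings)
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.Load($reader) } finally { $reader.Close() }

    $root = $doc.DocumentElement
    if ($null -eq $root -or $root.Name -ne 'AccountRequest') { return $false }

    # Filter 1: the request operation itself (Enable, Disable, Modify, ...).
    if ($Operations -contains $root.GetAttribute('op')) { return $true }

    # Filter 2: a specific attribute request carrying a specific value.
    foreach ($ar in $root.SelectNodes('AttributeRequest')) {
        if ($ar.GetAttribute('name') -eq $AttributeName -and
            $ar.GetAttribute('value') -eq $AttributeValue) { return $true }
    }
    return $false
}

# Constructed sample request so the block runs stand-alone. In the real rule
# IQService supplies $requestAsString and this fallback is never used.
if (-not $requestAsString) {
    $requestAsString = @'
<AccountRequest application="Azure AD" nativeIdentity="jdoe@example.test" op="Modify">
  <AttributeRequest name="employeeStatus" op="Set" value="Inactive"/>
  <AttributeRequest name="description" op="Set" value="Left organisation"/>
</AccountRequest>
'@
}

$clientScript = 'C:\SailPoint\Scripts\Handle-InactiveUser.ps1'   # placeholder path, hypothetical

if (Test-ShouldRunClientScript -RequestXml $requestAsString) {
    if (Test-Path $clientScript) {
        # Hand the request over as a parameter with the call operator rather than
        # splicing it into a command string for Invoke-Expression, so quotes or
        # other characters inside attribute values cannot change what gets run.
        & $clientScript -requestString $requestAsString
    } else {
        Write-Warning "Request qualifies, but client script '$clientScript' was not found."
    }
} else {
    Write-Host 'Request does not qualify; client script not launched.'
}
```

Two design choices worth keeping even if you adapt the filters: parsing the request as XML (with DTD resolution disabled) instead of a substring search lets you match on the operation and on attribute name and value together, and passing the request to the client script as a parameter avoids building a command line out of untrusted attribute values and evaluating it with Invoke-Expression.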

Hi Kirk,

Could you please provide the snippet of the logic above that you used in your After rule code. I am also working on a logic where I need to trigger a PS script only when operation = disable.

Thank you
