Update AD attribute upon termination

Hi All, I have a requirement to update one of the AD attributes upon user termination. I know we can achieve this via a Before Provisioning rule. But I want to know if the same can be achieved via a Transform? If yes, can someone help me with the steps? Like how the transform will be triggered and where we need to call this transform?

Hello,

What you can do is, in the Identity Profile, set up provisioning for the AD source so it disables the account on the lifecycle state that indicates user termination.

Then use the API (create-provisioning-policy | SailPoint Developer Community) to create a provisioning policy of type DISABLE for the AD source, and there you can list what changes. They will be applied when the account is disabled on that source, either manually or when the lifecycle state changes to one that disables the account on this source.


Thanks @lukas_ceremeta! Also, I want to update an AD attribute, like some static description. So where do I need to define the transform?

Hi @JackSparrow
Sample policy (the transform block is a static transform; its attributes take a single "value", filled in with whatever you want written):

{
    "name": "Disable Account Policy",
    "description": "Policy to provision attributes for disabled users",
    "usageType": "DISABLE",
    "fields": [
        {
            "name": "accountExpires",
            "transform": {
                "attributes": {
                    "value": "<static value to write>"
                },
                "type": "static"
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

Thanks @gourab! Will try this. Correct me if I'm wrong anywhere here. Once the user moves to the terminate LCS, the AD account is disabled, and this provisioning policy will be triggered, where it has a transform to update the AD attribute.


It will be triggered during LCS provisioning which changes the account to DISABLED, or if an admin manually disables the account through IDN. Bear in mind that this policy will be skipped if someone disables the AD account in AD directly. That's why you should consider using an UPDATE policy as well.
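As an added example (not code from this thread or from SailPoint), the following Python builds the DISABLE policy from the sample above and the UPDATE policy the last reply recommends, serialises both as strict JSON, and shows the POST for the create-provisioning-policy step. A static transform is fine in the DISABLE policy, which only fires when IdentityNow itself disables the account; the same static value in an UPDATE policy would overwrite the description of every active user on every update, so the UPDATE field uses a conditional transform on the identity's lifecycle state instead. Assumed rather than taken from the thread: the endpoint path /v3/sources/{id}/provisioning-policies, the identity attribute name cloudLifecycleState, the lifecycle state value "terminated", $variable substitution in a conditional transform's negativeCondition, an accountAttribute transform reading the current AD description, and the placeholder tenant, source id and token.

```python
"""Build the DISABLE and UPDATE provisioning policies discussed in this thread.

Added example, not SailPoint's own code. Assumptions (not stated on the page):
POST /v3/sources/{id}/provisioning-policies accepts the JSON shape of the sample
policy, the identity attribute is named cloudLifecycleState, the terminating
lifecycle state is called "terminated", $variable substitution works inside a
conditional transform's negativeCondition, and accountAttribute can read the
current AD description. Tenant, source id and token are placeholders.
"""
import json
import urllib.request

TERMINATED_TEXT = "Disabled by IdentityNow - user terminated"  # constructed sample value
AD_SOURCE_NAME = "Active Directory"  # assumed display name of the AD source


def static_transform(value: str) -> dict:
    """Static transform: always writes the same value. Safe for DISABLE, which
    only fires when IdentityNow disables the account."""
    return {"type": "static", "attributes": {"value": value}}


def lifecycle_conditional_transform(on_terminated: str, state: str = "terminated") -> dict:
    """Conditional transform for UPDATE: UPDATE fires on every account change, so
    write the terminated text only when the lifecycle state matches and otherwise
    hand back whatever the AD account already holds (assumed $current substitution)."""
    return {
        "type": "conditional",
        "attributes": {
            "expression": f"$lcs eq {state}",
            "positiveCondition": on_terminated,
            "negativeCondition": "$current",
            "lcs": {"type": "identityAttribute", "attributes": {"name": "cloudLifecycleState"}},
            "current": {
                "type": "accountAttribute",
                "attributes": {"sourceName": AD_SOURCE_NAME, "attributeName": "description"},
            },
        },
    }


def field(name: str, transform: dict) -> dict:
    """One provisioning-policy field, same shape as the sample policy in the thread."""
    return {
        "name": name,
        "transform": transform,
        "attributes": {},
        "isRequired": False,
        "type": "string",
        "isMultiValued": False,
    }


def policy(usage_type: str, fields: list) -> dict:
    """Wrap fields in a policy document; only the two usage types the thread needs."""
    if usage_type not in {"DISABLE", "UPDATE"}:
        raise ValueError(f"this example only builds DISABLE/UPDATE policies, got {usage_type!r}")
    return {
        "name": f"AD {usage_type.title()} Policy",
        "description": f"Writes the termination text into the AD description on {usage_type.lower()}",
        "usageType": usage_type,
        "fields": fields,
    }


def termination_policies(text: str = TERMINATED_TEXT) -> list:
    """DISABLE policy for IDN-driven disables, plus the UPDATE policy the last
    reply recommends for accounts that someone disabled directly in AD."""
    return [
        policy("DISABLE", [field("description", static_transform(text))]),
        policy("UPDATE", [field("description", lifecycle_conditional_transform(text))]),
    ]


def to_payload(pol: dict) -> str:
    """Strict JSON body: no // comments, which the API would reject."""
    return json.dumps(pol, indent=2)


def create_policy(tenant: str, source_id: str, token: str, pol: dict) -> dict:
    """POST the policy to the AD source. Needs a live tenant; not run offline."""
    url = f"https://{tenant}.api.identitynow.com/v3/sources/{source_id}/provisioning-policies"
    req = urllib.request.Request(
        url,
        data=to_payload(pol).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for pol in termination_policies():
        print(to_payload(pol))
        # create_policy("<tenant>", "<ad-source-id>", "<token>", pol)
```

Run it as-is to print both policy bodies for review; uncomment the create_policy call with your own tenant, AD source id and bearer token to create them. Create the DISABLE policy first and test it by moving one identity into the terminating lifecycle state before adding the UPDATE policy, since the UPDATE policy touches every account update.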
