Update AD attribute when manager is terminated

Hello,

I need to create an automation within Sailpoint so that whenever a manager changes the lifecycleState to inactive, all service accounts associated with that manager have their manager changed to the manager of the disabled manager.

The source of the service accounts is pointing to an OU in Active Directory.

I need to try to do this via Sailpoint instead of creating an automation that goes directly to AD and changes the account attributes.

Can anyone help me on how to do this?

Thanks.

I am assuming that you have the inactive lifecycle set to disable AD accounts. If so, you could use a Before Provisioning rule to catch the modification on the AD service account and do the following:

  1. Remove the change to disable from the provisioning plan
  2. Identify the new manager DN.
  3. Add the change to the manager to provisioning plan

The modification of the manager would then get processed automatically for these accounts.

On the next aggregation, the accounts should re-correlate to the new manager.
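As an added illustration of the three steps above (this is example code, not from the original reply or from SailPoint), here is what the body of such a Before Provisioning rule could look like in BeanShell. It assumes the standard rule inputs `plan` (a `sailpoint.object.ProvisioningPlan`), `idn` (IdnRuleUtil, used here through `getAccountByNativeIdentity`) and `log`; it assumes the disable arrives as an `AccountRequest` with operation `Disable`; and it recognises service accounts by the OU in their DN, where `SERVICE_ACCOUNT_OU` is a placeholder because the thread names no OU. The new manager DN is resolved from AD data already aggregated into ISC: the service account's current `manager` attribute points at the disabled manager's account, whose own `manager` attribute is the DN we want.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Placeholder: the OU that holds the service accounts (the thread names none).
String SERVICE_ACCOUNT_OU = "OU=ServiceAccounts,DC=example,DC=com";

// True when the account DN sits directly in the service-account OU.
boolean isServiceAccount(String dn) {
    return dn != null
        && dn.toLowerCase().endsWith("," + SERVICE_ACCOUNT_OU.toLowerCase());
}

// Step 2: service account -> its current manager account -> that account's
// manager. Uses aggregated account data via idn (assumed IdnRuleUtil API).
// Returns null if any hop is missing so the caller can leave the plan alone.
String resolveNewManagerDn(String appName, String serviceAccountDn) {
    sailpoint.rule.Account svc = idn.getAccountByNativeIdentity(appName, serviceAccountDn);
    if (svc == null || svc.getAttributes() == null) return null;
    String oldManagerDn = (String) svc.getAttributes().get("manager");
    if (oldManagerDn == null) return null;

    sailpoint.rule.Account oldManager = idn.getAccountByNativeIdentity(appName, oldManagerDn);
    if (oldManager == null || oldManager.getAttributes() == null) return null;
    return (String) oldManager.getAttributes().get("manager");
}

List requests = plan.getAccountRequests();
if (requests != null) {
    for (AccountRequest ar : requests) {
        boolean isDisable = AccountRequest.Operation.Disable.equals(ar.getOperation());
        if (!isDisable || !isServiceAccount(ar.getNativeIdentity())) {
            continue; // only service accounts about to be disabled are touched
        }

        String newManagerDn = resolveNewManagerDn(ar.getApplication(), ar.getNativeIdentity());
        if (newManagerDn == null) {
            // Fail closed: without a new owner, let the disable proceed.
            log.warn("No new manager found for " + ar.getNativeIdentity()
                + "; leaving disable in place");
            continue;
        }

        // Step 1: turn the Disable into a Modify so the account stays enabled.
        ar.setOperation(AccountRequest.Operation.Modify);
        // Step 3: add the manager change to the same account request.
        ar.add(new AttributeRequest("manager", ProvisioningPlan.Operation.Set, newManagerDn));
        log.info("Reassigned " + ar.getNativeIdentity() + " to manager " + newManagerDn);
    }
}
```

The rule modifies `plan` in place. Note the fail-closed branch: if the chain of `manager` attributes cannot be followed (for example the disabled manager had no manager set), the account is still disabled rather than left enabled with no responsible owner, which is the safer default for a service account.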

Hi @raibom

This can be achieved by creating a workflow in ISC.

Whenever the LCS state changes to inactive, we can trigger an event to check whether the identity (manager) has any service accounts and move them to the new manager.

The manager of an identity is set by manager correlation in SailPoint, and this correlation is set in the auth source config (I am not aware of any other case). Hence, if you would like to change the manager of a service account, you need to create an automated process to update the auth source where the manager is set from.


You can use a static type transform on the identity attribute manager to calculate the active manager to achieve this. In one section of the transform you need to get the manager's lifecycle state using getReferenceIdentityAttribute. You then check if the manager's lifecyclestate is active or inactive. If the lifecyclestate is inactive, you can get the manager's manager value and return that; if not, return the manager value from the SOT.

@udayputta
The problem is that this way, I will have 2 different pieces of information: one manager in AD, and another in Sailpoint, since the Sailpoint attribute is calculated.
