URGENT! AD Update attribute

Hi All,
We have a requirement to keep the description attribute in AD when a user gets rehired within 30 days and blank the attribute if rehired after 30 days. How can this be achieved via the Enable provisioning policy? How to check if the user is rehired within or after 30 days? We don’t want this to be done via a BeforeProvisioning rule.

With the help of transforms, you can calculate the value and store it in an identity attribute.

In the Create Account tab or section, use that identity attribute to populate the description attribute value in the AD application.

Hi @uttu2022,

Steps

  1. Create one identity attribute called ‘Rehire description’.
  2. Write one transform using the date format type and static to calculate the days difference between termination and hire date. If rehire is within 30 days, update the attribute with the AD description, else set null.

Without creating any identity attribute, is it possible?

To handle the rehire scenario where the description attribute in AD should be preserved if rehired within 30 days and cleared if rehired after 30 days, use an Enable Provisioning Policy rather than a BeforeProvisioning rule.

Since the AD account is re-enabled (not recreated) within 30 days, the Enable policy triggers and can update the description attribute based on a condition. You can use a transform or conditional logic in the Enable policy to check the rehire date against the 30-day threshold.

For example:

  • Use a conditional transform in the Enable policy to check the user’s termination date and rehire date.

  • If rehire occurs within 30 days, retain the description; otherwise, clear it.

This avoids custom rules and leverages standard provisioning policies. You can also use a Life Cycle State (LCS) to define the rehire flow and apply the policy accordingly.

2 Likes

Did you consider “cloudServicesIDNSetup”? The below might help you understand:

For example, if you have a way to calculate the days, you can use it from the below to get the identity object and also the account object, and update the Velocity script below in “Value” to calculate what the final description will be.

    {
        "eventActions": [
            {
                "Action": "UpdateAttribute",
                "Attribute": "description",
                "Value": "#{account.description} #{identity.date} "
            }
        ],
        "Identity Attribute Triggers": [
            {
                "Attribute": "cloudLifecycleState",
                "Value": "active",
                "Operation": "eq"
            }
        ],
        "Operation": "Enable"
    }

Hi @uttu2022, you can leverage a SailPoint transform with Velocity logic and map this transform directly to the AD description attribute in your Enable policy using the API.

With this approach, whenever an enable operation is triggered, the transform will calculate the difference between the termination date and the rehire date, and populate the attribute accordingly.

I’m sharing a sample transform below for your reference. You can modify it according to your requirement.

{
  "name":"AD Description Transform",
  "type": "static",
  "attributes": {
    "Within30Days": {
      "type": "dateCompare",
      "attributes": {
        "firstDate": {
          "type": "dateFormat",
          "attributes": {
            "input": {
              "type": "accountAttribute",
              "attributes": {
                "sourceName": "HR source",
                "attributeName": "end_date"
              }
            },
            "inputFormat": "yyyy-MM-dd",
            "outputFormat": "ISO8601"
          }
        },
        "secondDate": {
          "type": "dateMath",
          "attributes": {
            "expression": "now-30d"
          }
        },
        "operator": "gte",
        "positiveCondition": "true",
        "negativeCondition": "false"
      }
    },
    "value": "#if($Within30Days == 'true')Required Description#elseif($Within30Days == 'false')outside 30days condition if needed, otherwise you can skip it.#end"
  }
}

1 Like
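
The mapping step described in the post above, as an added example that is not from any poster in the thread: a provisioning policy body with usage type ENABLE whose `description` field points at the sample transform through a `reference` transform. The policy name and description text are placeholders, and the referenced transform name is the one used in the sample above.

```json
{
  "name": "Enable Account (placeholder name)",
  "description": "Placeholder: sets AD description on enable based on the 30-day rehire check",
  "usageType": "ENABLE",
  "fields": [
    {
      "name": "description",
      "transform": {
        "type": "reference",
        "attributes": {
          "id": "AD Description Transform"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}
```

Test it on a non-production source with `end_date` values on both sides of the 30-day boundary before rolling it out.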