When a user terminates in our system, their AD account is put in an inactive state for 30 days. After 30 days the account goes into a delete state, where the AD account is deleted by SailPoint. I have another task that needs to be done: removing the user’s desktop profile that is located on an internal server. I am triggering a PowerShell script to accomplish this task. I set up a beforeprovisioning rule to pass some value to the script to help locate the correct folder, but when a user is deleted there are no attributes being passed to the before delete rule. Does the beforeprovisioning rule not trigger when the operation is a delete?
Before Provisioning Rule or Before Operation Rule?
How are you deleting the AD account, by changing the Account Request operation in the Before Provisioning Rule?
Hi,
Can you provide more information on how the AD account deletion is triggered? And is the PowerShell that runs in your IQService triggered by a Before Operation rule?
Thanks
The account is deleted by the Cloud Services IDN setup on the Active Directory source: when the identity moves to a delete lifecycle state and is enabled, that operation is instead transformed to a delete operation.
```json
"cloudServicesIDNSetup": {
    "eventConfigurations": [
        {
            "eventActions": [
                {
                    "Action": "ChangeOperation",
                    "Attribute": null,
                    "Value": "Delete"
                }
            ],
            "Identity Attribute Triggers": [
                {
                    "Attribute": "cloudLifecycleState",
                    "Value": "delete",
                    "Operation": "eq"
                }
            ],
            "Operation": "Enable"
        }
    ]
}
```
Yes, the PowerShell script runs via IQService and is triggered by a Before Delete connector rule.
Are you using plan.setArguments to pass the relevant details? If this happens irrespective of the type of operation, I don’t see why the info is not sent to the VA in the Provisioning Plan.
I am unfamiliar with the plan.setArguments constructor. If I added something like this to my rule, would it make all attributes available to any rule called by the source?
```java
Map arguments = (Map) plan.getArguments();
if (arguments == null) {
    arguments = new HashMap();
}
arguments.put("identityAttributes", identity.getAttributes());
plan.setArguments(arguments);
```
Hi @MGainer, since you are using the Services Std beforeprovisioning Rule, you can add an argument like the one below in your source eventConfiguration:
```json
{
    "Action": "AddArgument",
    "Attribute": "testAttr",
    "Value": "#{identity.testAttr}"
}
```
Read that argument in PowerShell using the statement below:
```powershell
$testAttr = $requestObject.Attributes.testAttr
```
You don’t need a separate before provisioning Rule for this.
I tried adding the below code to the source but it didn’t add the argument to the request.
```json
"cloudServicesIDNSetup": {
    "eventConfigurations": [
        {
            "Action": "AddArgument",
            "Attribute": "Location",
            "Value": "#{identity.location}"
        }
    ]
}
```
```json
[
    {
        "op": "add",
        "path": "/connectorAttributes/cloudServicesIDNSetup",
        "value": {
            "eventConfigurations": [
                {
                    "eventActions": [
                        {
                            "Action": "ChangeOperation",
                            "Attribute": null,
                            "Value": "Delete"
                        },
                        {
                            "Action": "AddArgument",
                            "Attribute": "Location",
                            "Value": "#{identity.location}"
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Value": "inactive",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Enable"
                }
            ]
        }
    }
]
```
In your IQService PowerShell, access the location attribute as below:
```powershell
$LOC = $requestObject.Attributes.Location
```
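Added example, not part of the thread and not SailPoint's own code: because the `Location` argument ends up selecting a folder that is deleted recursively, the script can treat it as a lookup key rather than a path and verify the resolved target before removing anything. The share roots, function names and the source of the account name are assumptions.

```powershell
# Constructed mapping (placeholder servers): Location value -> profile share root.
$ProfileRoots = @{
    'Austin' = '\\fileserver01\profiles\austin'
    'London' = '\\fileserver01\profiles\london'
}

function Resolve-ProfileFolder {
    param(
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][hashtable]$Roots
    )
    # Location must be a known key, never a path fragment taken from the request.
    if (-not $Roots.ContainsKey($Location)) {
        throw "Unknown Location '$Location'; refusing to guess a profile root."
    }
    # The account name must be one plain path segment (no separators or wildcards).
    if ($AccountName -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$') {
        throw "Account name '$AccountName' is not a safe folder name."
    }
    $root   = [System.IO.Path]::GetFullPath($Roots[$Location]).TrimEnd('\')
    $target = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $AccountName))
    # After normalisation the target must be a direct child of the root.
    if ((Split-Path -Parent $target) -ne $root) {
        throw "Resolved path '$target' is outside '$root'."
    }
    return $target
}

function Remove-UserProfileFolder {
    param([string]$Location, [string]$AccountName, [hashtable]$Roots)
    $target = Resolve-ProfileFolder -Location $Location -AccountName $AccountName -Roots $Roots
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        return "skipped: $target not found"
    }
    # Refuse junctions and symlinks so the delete cannot be redirected elsewhere.
    $item = Get-Item -LiteralPath $target -Force
    if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        throw "'$target' is a reparse point; not deleting."
    }
    Remove-Item -LiteralPath $target -Recurse -Force -ErrorAction Stop
    return "deleted: $target"
}

# In the Before Delete script, after $requestObject has been built:
# Remove-UserProfileFolder -Location $requestObject.Attributes.Location `
#     -AccountName <account name taken from the request> -Roots $ProfileRoots
```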