Workday & Life Cycle State rule - Timing Discrepancy

adama · October 6, 2025, 12:02am

Hello,

Problem:
We cannot work out why our Identity is only moving into Disabled the day after the endDate, from Workday. The Identity should move into Disabled on the same day, at 7pm as per the LCS rule below. However it was only moved to Disabled at 8am the next day. Manual processing of the Identity had occurred at 7pm, 8pm, 9pm, 10pm and 12am and it Identity still stayed in Active07.

Identity Attributes:
startDate: 22/09/2025
endDate: 03/10/2025

SOT Connector:
Workday
Timezone on connector: UTC (we don’t believe this needs to be changed because the date format received is in date format as a string?)

**Tenancy Settings: **
“region”: “ap-southeast-2”,
“timeZone”: “Australia/Melbourne”,

Rule:

<?xml version='1.0' encoding='UTF-8'?>

AD Rule to remove all the existing access for deprovision LCS and move user to Disabled OU when LCS is Disable

<!\[CDATA\[

import java.util.ArrayList;

import java.util.List;

import sailpoint.object.Application;

import sailpoint.object.Identity;

import sailpoint.object.ProvisioningPlan;

import sailpoint.object.ProvisioningPlan.AccountRequest;

import sailpoint.object.ProvisioningPlan.AttributeRequest;

import sailpoint.tools.Util;

/\*

 \* This method will return the AD request object from the provisioning plan

 \*/

public AccountRequest getADAccountRequest(ProvisioningPlan plan)

{

    log.info("Entering Active Directory BeforeProvisioning Rule : getADAccountRequest method");

    AccountRequest adAccntRequest = null;

    String applicationName = application.getName();

    if (null != plan)

    {

        List accReq = plan.getAccountRequests();

        if (null != accReq && !accReq.isEmpty())

        {

            for (AccountRequest accountReq : accReq)

            {

                if (null != accountReq)

                {

                    String appName = accountReq.getApplication();

                    if (null != appName && appName.startsWith(applicationName))

                    {

                        adAccntRequest = new AccountRequest();

                        adAccntRequest = accountReq;

                        break;

                    }

                }

            }

        }

    }

    log.info("Exiting Active Directory BeforeProvisioning Rule : getADAccountRequest method");

    return adAccntRequest;

}

/\*

 \* This method will return all the existing access / Entitlement details for the AD account of the user

 \*/

public List getGroupsFromADAccount(AccountRequest adAccntRequest)

{

    log.info("Entering Active Directory BeforeProvisioning Rule : getGroupsFromADAccount method");

    List existingGroups = new ArrayList();

    Object adGroup = null;

    String appName = application.getName();

    if (null != adAccntRequest && null != appName)

    {

        String nativeIdentity = adAccntRequest.getNativeIdentity();

        if (null != nativeIdentity)

        {

            adGroup = idn.getRawAccountAttribute(appName, nativeIdentity, "memberOf");

            if (null != adGroup)

            {

                if (adGroup instanceof String)

                {

                    existingGroups.add(adGroup);

                } else if (adGroup instanceof List)

                {

                    existingGroups.addAll(adGroup);

                }

            }

        }

    }

    log.info("Exiting Active Directory BeforeProvisioning Rule : getGroupsFromADAccount method");

    return existingGroups;

}

    /\*

 \* This method create attribute request to revoke all the existing access from the user AD account

 \*/

public AccountRequest removeGroups(AccountRequest adAccountRequest, List existingGroups)

{

    log.info("Entering Active Directory BeforeProvisioning Rule : removeGroups method");

    if (null != adAccountRequest && null != existingGroups && !existingGroups.isEmpty())

    {

        for (String group : existingGroups)

        {

            if (null != group && !group.startsWith("CN=Domain Users"))

            {

                AttributeRequest removeAccess = new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, group);

                adAccountRequest.add(removeAccess);

            }

        }

    }

    log.info("Exiting Active Directory BeforeProvisioning Rule :removeGroups method");

    return adAccountRequest;

}

log.info("\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Entering Active Directory Before Provisioning rule \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*");

    if (plan != null)

    {

        // TODO replace with prod domain user group e.g "CN=Domain

        // Users,CN=Users,DC=GMHBA,DC=GEELONG"

        String domainGroup = "CN=Domain Users,CN=Users,DC=GMHBA,DC=GEELONG";

        AccountRequest adAccountRequest = getADAccountRequest(plan);

        Identity identity = plan.getIdentity();

        if (adAccountRequest != null && identity != null)

        {

            AccountRequest.Operation op = adAccountRequest.getOperation();

            // Getting user LCS stage value

            String lifecycleState = (String) identity.getAttribute("cloudLifecycleState");

            // to support rehire use case

            String enabledOU = (String) identity.getAttribute("adUserOu");

            log.debug("Account Request Operation :" + op);

            log.debug("User life cycle State :" + lifecycleState);

            if (op != null && Util.isNotNullOrEmpty(lifecycleState))

            {

                if (null != adAccountRequest && (adAccountRequest.getOperation().equals(ProvisioningPlan.AccountRequest.Operation.Enable)))

                {

                    if ("active".equalsIgnoreCase(lifecycleState))

                    {

                        if (Util.isNotNullOrEmpty(enabledOU))

                        {

                            AttributeRequest enableAttrRequest = new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, enabledOU);

                            adAccountRequest.add(enableAttrRequest);

                        }

                    } else if ("deprovisioned".equalsIgnoreCase(lifecycleState))

                    {

                        // if user sits in deprovisioned state, and

                        // operation is enabled,firstly we need to set op to

                        // disable then we set user's group to base domain

                        // group so

                        // that other groups can be removed

adAccountRequest.setOperation(AccountRequest.Operation.Disable);

                        // Retrieving all the assigned AD groups from the

                        // user account

                        List existingGroups = getGroupsFromADAccount(adAccountRequest);

                        // Remove all groups but leave Domain Users

                        if (null != existingGroups && !existingGroups.isEmpty())

                        {

                            adAccountRequest = removeGroups(adAccountRequest, existingGroups);

                        }

                    } else if ("inactive".equalsIgnoreCase(lifecycleState))

                    {

                        log.debug("deleting user account OU, user is inactive");

                        // Delete account

                        adAccountRequest.setOperation(AccountRequest.Operation.Delete);

                    } else

                        log.debug("No additional changes in plan required");

                }

            } else

            {

                log.info("LCS value is invalid or null");

            }

        }

    } else

    {

        log.warn("Plan is null or empty");

    }

    log.info("\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Exiting Active Directory Before Provisioning rule \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*");

]]>

yasinghal · October 6, 2025, 12:13am

Hi Adam,

The before provisioning rule looks good but did you check if the LCS is set to deprovision at the correct date? Can you share the transform/rule you are using to set the lifecycle state?
In my experience, the workday connector changes the status of the account 1 day after the end date, so you’ll have to specifically handle the lifecycle state change on end date.

adama · October 6, 2025, 12:26am

Sorry, please see below for rule. <?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<Rule language="beanshell" name="Calculate LifeCycleState" type="IdentityAttribute">

  <Attributes>

        <Map>

            <entry key="requiresPeriodicRefresh" value="true"/>

        </Map>

    </Attributes>

  <Description>Calculate LifeCycle state from startDate and endDate.</Description>

  <Source><![CDATA[

    import java.text.ParseException;

    import java.text.SimpleDateFormat;

    import java.util.Calendar;

    import java.util.Date;

    import java.util.GregorianCalendar;

    import sailpoint.object.Identity;

    // Add days to date

    public Date addDays(Date date, int days) {

        GregorianCalendar cal = new GregorianCalendar();

        cal.setTime(date);

        cal.add(Calendar.DAY_OF_MONTH, days);

        return cal.getTime();

    //Subtract days to date

    public Date subtractDays(Date date, int days) {

        GregorianCalendar cal = new GregorianCalendar();

        cal.setTime(date);

        cal.add(Calendar.DAY_OF_MONTH, -days);

        return cal.getTime();

    //Add hours to date

    public Date addHours(Date date, int hours) {

        GregorianCalendar cal = new GregorianCalendar();

        cal.setTime(date);

        cal.add(Calendar.HOUR_OF_DAY, hours);

        return cal.getTime();

    //Subtract hours to date

    public Date subtractHours(Date date, int hours) {

        GregorianCalendar cal = new GregorianCalendar();

        cal.setTime(date);

        cal.add(Calendar.HOUR_OF_DAY, -hours);

        return cal.getTime();

        Date endDate = null;

        Date startDate = null;

        Date today = new Date();

        String lifeCycleState = "";

        String onExtendedLeave = "";

        SimpleDateFormat dateFormat = new SimpleDateFormat("dd/MM/yyyy");

        if(identity.getAttribute( "startDate" )  != null)

try

               startDate = dateFormat.parse(identity.getAttribute( "startDate" ) );

            catch(ParseException pe)

                log.error("StartDate: Unable to Parse the StartDate" + identity.getAttribute( "startDate" ));

        if(identity.getAttribute( "endDate" ) != null)

try

                endDate = dateFormat.parse(identity.getAttribute( "endDate" ));

            catch(ParseException pe)

                log.error("EndDate: Unable to Parse the EndDate" + identity.getAttribute( "endDate" ));

        if(identity.getAttribute( "onExtendedLeave" ) != null)

             onExtendedLeave = identity.getAttribute( "onExtendedLeave" );

        log.debug("Start Date: "+startDate+ "  End Date: "+endDate);

        if(endDate != null)

            if(today.after(subtractDays(startDate,1)) || startDate.equals(endDate))

                if(today.after(addDays(endDate,90)))

                    lifeCycleState = "inactive";

                else if(today.after(addDays(endDate,14)))

                    lifeCycleState = "deprovisioned";

                else if(today.after(addHours(endDate,19)))

                    lifeCycleState = "disabled";

                else if(startDate.equals(endDate))

                    lifeCycleState = "disabled";

                else if("true".equals(onExtendedLeave))

                    lifeCycleState = "onextendedleave";

                else if(today.after(subtractDays(endDate,7)))

                    lifeCycleState = "active07";

                else if(today.after(subtractDays(endDate,20)))

                    lifeCycleState = "active20";

                else if("active".equals(oldValue))

                    lifeCycleState = "active";

                else if("onboarded".equals(oldValue))

                    // start date  - 7 to start date - 1 is onboarded statue

                    if (today.after(subtractDays(startDate,7)) &&  today.before(subtractDays(startDate,1))) {

                        lifeCycleState = "onboarded";

                    } else

                        lifeCycleState = "active";

                else

                    lifeCycleState = "onboarded";

            else if(today.after(subtractDays(startDate,7)))

                lifeCycleState = "onboarded";

            else

                lifeCycleState = "hired";

        else

            if(today.after(subtractDays(startDate,1)))

                if("true".equals(onExtendedLeave))

                    lifeCycleState = "onextendedleave";

                else if("active".equals(oldValue))

                    lifeCycleState = "active";

                else if("onboarded".equals(oldValue))

                    // start date  - 7 to start date - 1 is onboarded statue

                    if (today.after(subtractDays(startDate,7)) &&  today.before(subtractDays(startDate,1))) {

                        lifeCycleState = "onboarded";

                    } else

                        lifeCycleState = "active";

                else

                    lifeCycleState = "onboarded";

            else if(today.after(subtractDays(startDate,7)))

                lifeCycleState = "onboarded";

            else

                lifeCycleState = "hired";

        log.debug("Start Date: "+startDate+ "  End Date: "+endDate);

        log.debug("LifeCycleState :" +lifeCycleState);

        return lifeCycleState;

  ]]></Source>

</Rule>

adama · October 6, 2025, 1:05am

Is it possible that in the LCS rule, it’s converting the date format, string type field to Gregorian calendar which is in UTC even though our tenancy is in Australia/Melbourne?
Could this be why the LCS is only changed at 8am the next day for Disabled?

iamnithesh · October 6, 2025, 10:31pm

Not this, but your calculation of today

Date today = new Date();

is returning the current date & time in UTC, which is why any of the

today.after(......)

is evaluated based on current UTC time instead of your time zone.

adama · October 6, 2025, 10:58pm

Thanks Nithesh, I think that explains it then.

Is: Date today = new Date(); returning UTC time because of the server where the rule runs from isn’t from our tenancy/cloud service but a different shared service which is running on UTC time?

iamnithesh · October 7, 2025, 4:16am

irrespective of where the java code of your rule is executed, new Date() always returns UTC time. You will have to change it to your time zone adding the required number of hours for which you can use the addHours() function that you already have in the rule

adama · October 8, 2025, 6:18am

Good to confirm. Thank you Nithesh. Mark as solved.

Topic		Replies	Views
Lifecycle state Is not evaluating ISC Discussion and Questions	8	2487	July 19, 2023
Disable the Only AD application if the user is not login last 90 day's IIQ Discussion and Questions identityiq , provisioning	16	482	December 2, 2024
Building Life Cycle States using Transforms ISC Community Knowledge Base transforms , identity-security-cloud , provisioning , lifecycle-management	0	411	September 27, 2024
Move OU after few days of identity disable IdentityNow ISC Discussion and Questions identity-security-cloud	4	1371	July 19, 2023
How to terminate of AD users in the correct timezone ISC Discussion and Questions	5	1283	July 19, 2023

Workday & Life Cycle State rule - Timing Discrepancy

Related topics