Workflow Get Account Attribute

Hey everyone!

We are looking to build a workflow that will check a user’s last login timestamp for their account and it will disable it if they haven’t logged in for 90+ days. This is for our Snowflake connector currently, but we would like the opportunity to apply this to other sources as well. The source does provide this attribute to us, so the data is there. Is there any way to get this attribute in a workflow to do a date compare?

It looks like we can only use identity attributes, which could work, but it wouldn’t be a scalable solution for us to keep creating a new identity profile attribute for each source we want to use this workflow for.

Just trying to see if there is a way we can just do a compare on the account last login attribute instead.

Thanks in advance for your thoughts!

@zachm117

There is a Compare Timestamp operator but this would require the last login to be in ISO 8601 format. From the Get Accounts Action you can get the attribute then do the comparison.

Most likely the date will not always be in the correct format and creating a new Identity Attribute and using the dateFormat Transform will be needed.

Hey Edward, thanks for the quick response!

Yes, that is the problem we are running into. The date comes across as YYYY-MM-DD, which seems to fit the required date format, but IDN just sees it as a string. I tried to define it as a date in the account schema but since that isn’t an option, I suppose the only way to do that is to make it an identity attribute and use the transform you mentioned.

So just to clarify, other than making an attribute into an identity attribute, and applying the appropriate transform, is there no other way to perform a date compare on an attribute that is not being identified as a date attribute (or to apply a transform or something in a workflow to make the account attribute a date)?

There may be a way to convert the value in some cases within the Workflow, but I think having the logic in an Identity Attribute may perform better and will allow you to audit when those comparisons occur via Access History or Search.

Can you try this operator out? Operators - SailPoint Identity Services

See if the value from Snowflake (or other Sources) qualifies as a Timestamp and then could be used in the Date Comparison.

Having it in an Identity Attribute limits us though from expanding this to other sources because we would have to create an Identity Attribute for each one.

I did try that operator and confirmed it is not being evaluated as a timestamp so the compare timestamp will not work for this attribute.

I was looking at the Snowflake source and that attribute is defined as a String and I cannot see any way to update the account schema for the source to make that attribute DateTime.

Another option we are working on is using an external trigger with a scheduled PowerShell script. The script calls the IDN Accounts endpoint to get the Last Login date, converts it to DateTime, compares it with today’s date to see if the Last Login is more than 60 days ago, and it sends the relevant accountIds back to the Workflow to disable the accounts. I am not a huge fan of having this calculation be done outside of IDN with a scheduled PS script, but it doesn’t seem like there is a good way to compare the dates in IDN without making an Identity Attribute for each source we want to have this done for.

I think I will submit an idea about this to either have a way to convert an attribute to DateTime/timestamp in a Workflow, or to be able to define an attribute on an account schema for a source as DateTime/timestamp.

Thanks Edward for your help in trying to solve this item, it is very much appreciated!!!

1 Like
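Added example, not part of the thread and not SailPoint code: the date comparison the scheduled script in the last post would have to do, treating the `YYYY-MM-DD` last-login value as a string that must be parsed strictly before it is compared. The record shape, the attribute name `lastLogin`, and the function name `Get-StaleAccountId` are assumptions for illustration. The threshold is a parameter because the thread mentions both 90 and 60 days, and the sample accounts are constructed.

```powershell
# Added example. Account records are constructed; 'lastLogin' and the
# record shape (id + attributes) are assumptions, not a documented schema.
function Get-StaleAccountId {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [string]   $AttributeName = 'lastLogin',
        [int]      $ThresholdDays = 90,
        [datetime] $AsOf = [datetime]::UtcNow.Date
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
               [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $cutoff  = $AsOf.AddDays(-$ThresholdDays)

    foreach ($account in $Accounts) {
        $raw    = $account.attributes.$AttributeName
        $parsed = [datetime]::MinValue
        # Strict parse: only yyyy-MM-dd is accepted, independent of host locale.
        $ok = [datetime]::TryParseExact([string]$raw, 'yyyy-MM-dd',
                                        $culture, $styles, [ref]$parsed)
        if (-not $ok) {
            # Missing or malformed dates are reported, never treated as stale,
            # so bad source data cannot trigger a disable.
            Write-Warning "Skipping $($account.id): unparseable $AttributeName '$raw'"
            continue
        }
        # Last login on or before the cutoff means ThresholdDays or more of inactivity.
        if ($parsed -le $cutoff) { $account.id }
    }
}

# Constructed sample input.
$sample = @(
    @{ id = 'acct-001'; attributes = @{ lastLogin = '2024-01-05' } }
    @{ id = 'acct-002'; attributes = @{ lastLogin = '2024-05-20' } }
    @{ id = 'acct-003'; attributes = @{ lastLogin = '' } }
    @{ id = 'acct-004'; attributes = @{ lastLogin = '05/01/2024' } }
)

# Fixed AsOf date so the result is reproducible.
Get-StaleAccountId -Accounts $sample -ThresholdDays 90 -AsOf ([datetime]'2024-06-01')
```

Accounts that have never logged in or carry a malformed value surface as warnings rather than in the disable list, so they can be reviewed separately.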
