Skip to main content

Native Change Account Created

Event Context

Important Setup Steps

You must have at least one source configured for Native Change Detection (NCD) before you will receive events from this trigger. There are two ways you can configure a source for NCD:

  1. Invoke the update native change detection configuration for each source you want to receive events for NCD.
  2. Configure the NCD options on the source in the source configuration UI.

The Native Change Account Created trigger fires after Account Aggregations detects that a new account is created external to Identity Security Platform on sources where:

  1. Native Change Detection is enabled
  2. Account Create operations are monitored
  3. at least one attribute that is selected for monitoring changed.

This event trigger can be used to immediately notify interested parties and remediate accounts that are created directly on the source. Some examples of how this trigger can be used are as follows:

  • Notify the identity's manager and the source owner of the new account
  • Create a micro-certification for the identity to review their new account access
  • Automatically disable or lock accounts created directly on a source

This is an example input from this trigger:

{
"identity": {
"manager": {
"name": "Martena Heath",
"id": "2c91808378eb9fa30178fb8caf90097f",
"type": "IDENTITY",
"email": "martena.heath@sample_email.com"
},
"name": "peter.williams",
"alias": "peter.williams",
"id": "e43ba47b265b4baf943efe3aaef886c8",
"type": "IDENTITY",
"email": "peter.williams@sample_email.com"
},
"singleValueAttributeChanges": [
{
"newValue": "Peter Williams",
"name": "cn",
"oldValue": null
},
{
"newValue": "Peter Williams",
"name": "displayName",
"oldValue": null
},
{
"newValue": "CN=Peter Williams,OU=Austin,OU=Americas,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
"name": "distinguishedName",
"oldValue": null
},
{
"newValue": "Peter",
"name": "givenName",
"oldValue": null
}
],
"entitlementChanges": [
{
"removed": [],
"added": [
{
"owner": {
"id": "2c91808978eb9fab0178fb8ca9280919",
"name": "Gregory Brooks",
"type": "IDENTITY"
},
"name": "ProductionManagement",
"id": "2c91808778eb9fa30178fb9482f00c60",
"value": "CN=ProductionManagement,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
},
{
"owner": null,
"name": "Employees",
"id": "2c91808378eb9fa30178fb94818e0af8",
"value": "CN=Employees,OU=BirthRight,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
},
{
"owner": null,
"name": "WindowsAdministration",
"id": "2c91808378eb9fa30178fb9481c30b02",
"value": "CN=WindowsAdministration,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
}
],
"attributeName": "memberOf"
}
],
"eventType": "ACCOUNT_CREATED",
"source": {
"owner": {
"name": "Aaron Andrew",
"id": "2c9180867a7c46d0017a7ca099d50531",
"type": "IDENTITY",
"email": "aaron.andrew@sample_email.com"
},
"name": "Active Directory",
"alias": "Active Directory [source]",
"id": "2c91808a78efc63e0178fb8624b248c5",
"type": "SOURCE",
"governanceGroup": {
"id": "fd0d1393-35fb-47d8-9809-0e385b73f25e",
"name": "Active Directory Owners",
"type": "GOVERNANCE_GROUP"
}
},
"accountChangeTypes": [
"ATTRIBUTES_CHANGED",
"ENTITLEMENTS_ADDED"
],
"multiValueAttributeChanges": [
{
"removedValues": [],
"addedValues": [
"top",
"person",
"organizationalPerson",
"user"
],
"name": "objectClass"
},
{
"removedValues": [],
"addedValues": [
"Normal User Account",
"Password Cannot Expire",
"User Account is Disabled"
],
"name": "accountFlags"
}
],
"account": {
"name": "peter.williams",
"id": "b3b17b0072f04da39b41e8802aaff01b",
"type": "ACCOUNT",
"uuid": "{615ebfa6-3d21-484e-9e67-01bd4e20c3da}",
"correlated": true,
"nativeIdentity": "CN=Peter Williams,OU=Austin,OU=Americas,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
}
}
  • identity The identity correlated to this account. If account.correlated is false, then this will be a system generated identity, not a real identity. For uncorrelated accounts, this system generated identity can be used to revoke entitlements on the account, or in any other API request that requires an identity ID.
  • singleValueAttributeChanges Contains a list of account attributes that have changed. During an account created event, all aggregated account attributes will be listed, and their oldValue will be null.
    • it will include ALL account attributes if the config is "allNonEntitlementAttributes": true
    • it will include the enumerated list of attributes contained in "selectedNonEntitlementAttributes": []
  • entitlementChanges Contains a list of entitlements that have been aggregated with the account. the removed list will always be empty for an account created event.
  • eventType Will always be ACCOUNT_CREATED for account created events.
  • source The source where this account originated from.
  • accountChangeTypes A list of change types you can expect to see in the event input.
    • Possible values are ATTRIBUTES_CHANGED and ENTITLEMENTS_ADDED.
    • The above example lists both change types since both attributes and entitlements were added. If an event payload only contains attributes added, then this list will only contain the ATTRIBUTES_CHANGED value. This can be useful when filtering events based on change types, or quickly checking what types of objects changed in the account before continuing to process the input.
  • multiValueAttributeChanges List of multivalued attributes that were aggregated with the account. Only addedValues will appear for account created events.
    • it will include ALL account attributes if the config is "allNonEntitlementAttributes": true
    • it will include the enumerated list of attributes contained in "selectedNonEntitlementAttributes": []
  • account The details of the account as it appears in IdentityNow. This information can be used to query the account API for more information.