Rule: "AD Leaver" (Workflow Rule)

What this rule does

This rule is used in a workflow in SailPoint IIQ to handle a user's "leaver" process. It performs the following steps:

  • Finds the identity (user) in the system
  • Locates their Active Directory link
  • Clears all extensionAttribute fields
  • Updates the description field in AD
  • Moves the user to the correct OU
  • Builds and stores a provisioning plan for AD changes

import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Filter;
import sailpoint.object.Attributes;
import sailpoint.object.Link;
import sailpoint.api.Workflower;
import java.util.HashMap;
import sailpoint.object.Workflow;
import sailpoint.object.WorkflowLaunch;
import sailpoint.api.Provisioner;

Code Explanation (step by step):

Get the Identity

Identity identity = context.getObjectByName(Identity.class, identityName);

Get the user’s Active Directory (AD) link

Filter f = Filter.eq("displayName", identity.getAttribute("usernameAD"));
Link link = context.getUniqueObject(Link.class, f);

Create a provisioning plan

ProvisioningPlan plan = new ProvisioningPlan();
AccountRequest accountRequest = new AccountRequest();
accountRequest.setApplication("Active Directory");
// Target the AD account found through the link above
accountRequest.setNativeIdentity(link.getNativeIdentity());
accountRequest.setOperation(AccountRequest.Operation.Modify);

Update the description field in AD

AttributeRequest attributeRequest = new AttributeRequest();
attributeRequest.setName("description");
attributeRequest.setValue("put description here");
attributeRequest.setOperation(ProvisioningPlan.Operation.Set);
accountRequest.add(attributeRequest);

Clear all extensionAttribute fields
This loop clears all 15 extensionAttribute fields (a Set request with no value removes the attribute):

for (int i = 1; i <= 15; i++) {
    String attributeName = "extensionAttribute" + i;
    AttributeRequest attributeRequest2 = new AttributeRequest();
    attributeRequest2.setName(attributeName);
    // Set with a null value clears the attribute in AD
    attributeRequest2.setOperation(ProvisioningPlan.Operation.Set);
    accountRequest.add(attributeRequest2);
}

Set the new OU (AC_NewParent)
The AC_NewParent attribute tells the AD connector which OU to move the account to:

AttributeRequest attributeRequest3 = new AttributeRequest();
attributeRequest3.setName("AC_NewParent");
String ouValue = "Put the new OU here";
attributeRequest3.setValue(ouValue);
attributeRequest3.setOperation(ProvisioningPlan.Operation.Set);
accountRequest.add(attributeRequest3);

Finalize and commit the plan
We attach everything to the provisioning plan:

plan.setIdentity(identity);
plan.setSource("LCM");
plan.add(accountRequest);

If you need to change any other field on the user's identity (not on the link), set it directly on the identity object:

identity.setAttribute("idenStatus", "עזיבה");

Save the identity, commit the transaction, and pass the plan into the workflow:

context.saveObject(identity);
context.commitTransaction();
workflow.put("plan", plan);
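As an added example (not part of the original rule), the same leaver logic with the checks a reviewer would want before the plan reaches the workflow: the identity and link are verified to exist, the link found by displayName is confirmed to belong to this identity rather than to another user with the same display name, and the assembled plan is validated before workflow.put. It assumes the rule's context, identityName and workflow variables, an application named "Active Directory", and the AttributeRequest(name, operation, value) constructor; the description text and leaver OU are placeholders.

```java
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Build the leaver plan: new description, 15 cleared extensionAttributes, new OU.
ProvisioningPlan buildLeaverPlan(Identity identity, Link link, String description, String newOu) {
    AccountRequest ar = new AccountRequest();
    ar.setApplication(link.getApplicationName());
    ar.setNativeIdentity(link.getNativeIdentity());
    ar.setOperation(AccountRequest.Operation.Modify);
    ar.add(new AttributeRequest("description", ProvisioningPlan.Operation.Set, description));
    for (int i = 1; i <= 15; i++)   // Set with a null value clears the attribute
        ar.add(new AttributeRequest("extensionAttribute" + i, ProvisioningPlan.Operation.Set, null));
    ar.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, newOu));
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    plan.setSource("LCM");
    plan.add(ar);
    return plan;
}

// Refuse to hand the plan to the workflow unless it targets this link and clears all 15 attributes.
String validateLeaverPlan(ProvisioningPlan plan, Link link) {
    List reqs = plan.getAccountRequests();
    if (reqs == null || reqs.size() != 1) return "expected exactly one account request";
    AccountRequest ar = (AccountRequest) reqs.get(0);
    if (!link.getNativeIdentity().equals(ar.getNativeIdentity())) return "nativeIdentity mismatch";
    int cleared = 0;
    for (Iterator it = ar.getAttributeRequests().iterator(); it.hasNext();) {
        AttributeRequest at = (AttributeRequest) it.next();
        if (at.getName().startsWith("extensionAttribute") && at.getValue() == null) cleared++;
    }
    return (cleared == 15) ? null : "expected 15 cleared extensionAttributes, found " + cleared;
}

Identity identity = context.getObjectByName(Identity.class, identityName);
if (identity == null) throw new IllegalStateException("identity not found: " + identityName);
Link link = context.getUniqueObject(Link.class, Filter.eq("displayName", identity.getAttribute("usernameAD")));
// The displayName filter is global: make sure the link found actually belongs to this identity.
if (link == null || !identity.getId().equals(link.getIdentity().getId()))
    throw new IllegalStateException("AD link missing or owned by another identity: " + identityName);
ProvisioningPlan plan = buildLeaverPlan(identity, link, "Leaver - account retired", "OU=Leavers,DC=example,DC=com");
String problem = validateLeaverPlan(plan, link);
if (problem != null) throw new IllegalStateException("leaver plan rejected: " + problem);
workflow.put("plan", plan);
```

Throwing from the rule stops the workflow step instead of silently provisioning against a wrong or missing account, which is the failure a leaver process must never let through.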