Requirement is to trigger an event for Active Directory users who are terminated and did not login for past 90 days.
Go to setup --> Lifecycle Events --> Add New Lifecycle Event.
Enter the Name and Description. Select Event type as Rule.
Use the below code for the Rule:
// IdentityTrigger rule: fire for every identity that exists after the refresh;
// the filtering to terminated, inactive AD users is done in the Included Identities rule below.
if (newIdentity != null) {
    return true;
} else {
    return false;
}
Or you can import the below IdentityTrigger Rule and use it.
Select Included Identities as Rule. Use the below code for the Rule:
import sailpoint.object.Identity;
import sailpoint.api.IdentityService;
import sailpoint.object.Link;
import sailpoint.object.Attributes;
import sailpoint.object.Application;
import java.util.List;
import java.util.Date;

log.error("Identity Selector Rule Triggered : " + identity.getName());

// Get the identity's link on the application that carries the AD attributes
// (lastLogOn, userAccountControl). The name must match the Application object
// as it is defined in your IdentityIQ instance.
IdentityService identityService = new IdentityService(context);
Application app = context.getObjectByName(Application.class, "HR System - Employees");
List links = identityService.getLinks(identity, app);

if (links != null && !links.isEmpty()) {
    Link link = (Link) links.get(0);
    if (link != null) {
        String applicationName = link.getApplicationName();
        log.error("Application Name: " + applicationName);
        Attributes attributes = link.getAttributes();
        if (attributes != null) {
            String lastLogOn = attributes.getString("lastLogOn");
            String userAccountControl = attributes.getString("userAccountControl");
            if (lastLogOn != null && userAccountControl != null) {
                // AD stores lastLogon as 100-nanosecond intervals since 1601-01-01.
                // Divide by 10,000 to get milliseconds, then subtract the offset between
                // the 1601 epoch and the Unix epoch (11,644,473,600,000 ms) to get a Java Date.
                // A value of 0 (never logged on) resolves to 1601 and so also passes the 90-day test.
                Date currentDate = new Date();
                long diffForDateAndTime = 11644473600000L;
                long adDate = Long.parseLong(lastLogOn);
                long epochTime = (adDate / 10000) - diffForDateAndTime;
                Date lastLogOnDate = new Date(epochTime);
                log.error("lastLogOnDate: " + lastLogOnDate);

                // Calculate the number of whole days between today and the last logon
                int diffInDays = (int) ((currentDate.getTime() - lastLogOnDate.getTime()) / (1000L * 60 * 60 * 24));
                log.error("diffInDays: " + diffInDays);

                // Event generation condition: no logon for more than 90 days and the account is disabled.
                // userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2). This exact-match
                // test does not fire for disabled accounts that carry extra flags (for example 66050,
                // which also has DONT_EXPIRE_PASSWORD set); test the ACCOUNTDISABLE bit instead if
                // those accounts should be included.
                if (diffInDays > 90 && userAccountControl.equalsIgnoreCase("514")) {
                    return true;
                }
            }
        }
    }
}
return false;
Or you can import the below IdentitySelector Rule and use it.
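The two pieces of logic in the selector rule that are easy to get wrong are the AD timestamp conversion and the interpretation of userAccountControl. The following is an added example, not code from the post or from SailPoint, that reproduces the rule's check in plain Python so it can be exercised outside IdentityIQ against a handful of constructed link records. It goes one step beyond the rule above: it tests the ACCOUNTDISABLE bit rather than the exact value 514, so disabled accounts with additional flags (such as 66050) are also caught. The account names, the evaluation date and the attribute values are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch
# (1970-01-01) in milliseconds; the same constant the IdentityIQ rule uses.
FILETIME_UNIX_OFFSET_MS = 11644473600000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag bits (from the AD schema)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
STALE_DAYS = 90


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD lastLogon value (100-ns intervals since 1601) to a UTC datetime."""
    epoch_ms = filetime // 10000 - FILETIME_UNIX_OFFSET_MS
    # timedelta handles the negative offset for pre-1970 values (e.g. lastLogon == 0)
    return UNIX_EPOCH + timedelta(milliseconds=epoch_ms)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used only to build the constructed sample data below."""
    epoch_ms = int(dt.timestamp() * 1000)
    return (epoch_ms + FILETIME_UNIX_OFFSET_MS) * 10000


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(user_account_control & ACCOUNTDISABLE)


def evaluate(link: dict, now: datetime) -> tuple:
    """Apply the lifecycle-event condition to one link's attributes.

    Returns (should_trigger, reason). Missing attributes never trigger, matching
    the null checks in the IdentityIQ rule.
    """
    last_logon = link.get("lastLogOn")
    uac = link.get("userAccountControl")
    if last_logon is None or uac is None:
        return False, "missing lastLogOn or userAccountControl"
    uac_value = int(uac)
    if not is_disabled(uac_value):
        return False, "account enabled (userAccountControl=%d)" % uac_value
    filetime = int(last_logon)
    if filetime == 0:
        # AD reports 0 for accounts that have never logged on; the rule on the
        # page treats this as 1601 and therefore as stale, so do the same here.
        return True, "disabled and never logged on"
    days = (now - filetime_to_datetime(filetime)).days
    if days > STALE_DAYS:
        return True, "disabled and last logon %d days ago" % days
    return False, "disabled but last logon only %d days ago" % days


def sample_links(now: datetime) -> dict:
    """Constructed AD link records keyed by a made-up identity name."""
    def ft(days_ago):
        return str(datetime_to_filetime(now - timedelta(days=days_ago)))
    return {
        "jdoe":    {"lastLogOn": ft(120), "userAccountControl": "514"},    # disabled, stale
        "asmith":  {"lastLogOn": ft(10),  "userAccountControl": "514"},    # disabled, recent
        "bjones":  {"lastLogOn": ft(200), "userAccountControl": "512"},    # enabled, stale
        "svc-old": {"lastLogOn": ft(200), "userAccountControl": "66050"},  # disabled + DONT_EXPIRE_PASSWORD
        "never":   {"lastLogOn": "0",     "userAccountControl": "514"},    # disabled, never logged on
        "partial": {"userAccountControl": "514"},                           # lastLogOn missing
    }


def stale_disabled_accounts(links: dict, now: datetime) -> list:
    """Names of the identities for which the lifecycle event would fire."""
    return sorted(name for name, link in links.items() if evaluate(link, now)[0])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, link in sample_links(now).items():
        triggered, reason = evaluate(link, now)
        print("%-8s trigger=%-5s %s" % (name, triggered, reason))
```

Running it lists which of the constructed accounts would generate the event and why. The bit test is the part to carry back into the IdentityIQ rule if disabled accounts with extra flags must be covered; the date arithmetic is identical to the rule's.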
Run the Refresh Identity Cube task with Process Events enabled. Events are then generated for the users whose AD account is disabled and who have not logged in to AD for the last 90 days.
At this point the events are only triggered; no action is performed on the accounts. Add a Business Process to the lifecycle event to delete the users.