AC_NewParent & Multiple OU options for Enable

Hi,
We are using AC_NewParent to move users when disabling and enabling.
We always have one disabled OU to use, and normally just the one active OU.
However, in some connectors (250+ AD connectors), users can be in one of many, many different branches with no way using variables to determine its location.

My question is, without using a BP rule, is there a way for ISC to ‘remember’ the original OU without holding that value as an identity attribute? (Too many connectors to be adding identity attributes.)
Would storing it on an unused extension attribute on the source be a good way of solving the problem?

The most effective solution, given your constraints, involves using an unused Active Directory extensionAttribute on the user’s AD account to store their original OU. This value can then be retrieved and used by a transform in the “Enable” provisioning policy to set AC_NewParent.

  1. Identify and Configure an Unused AD Extension Attribute
  2. Modify the “Disable” Provisioning Policy - This policy will be responsible for capturing and storing the user’s current OU before they are moved to the disabled OU.
{
  "name": "Account Disable",
  "description": "Disable Account Provisioning Policy",
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "AC_NewParent",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "OU=Disabled Users,DC=yourdomain,DC=com" // Your designated disabled OU
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "extensionAttribute1", // Your chosen extension attribute
      "transform": {
        "type": "accountAttribute",
        "attributes": {
          "attributeName": "parent", // Captures the current parent OU
          "sourceName": "Your AD Source Name" // Replace with actual source name
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

  3. Modify the “Enable” Provisioning Policy - This policy will retrieve the stored original OU and use it to move the user back.
{
  "name": "Account Enable",
  "description": "Enable Account Provisioning Policy",
  "usageType": "ENABLE",
  "fields": [
    {
      "name": "AC_NewParent",
      "transform": {
        "type": "accountAttribute",
        "attributes": {
          "attributeName": "extensionAttribute1", // Retrieves the stored original OU
          "sourceName": "Your AD Source Name" // Replace with actual source name
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "extensionAttribute1", // Optionally clear the attribute upon re-enablement
      "transform": {
        "type": "static",
        "attributes": {
          "value": "" // Clears the stored OU
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

  4. A Full Aggregation - A full aggregation of the Active Directory source is necessary to re-link the account to the identity after an OU move. Ensure that a full aggregation runs after a user is disabled and moved to the disabled OU, and again after they are re-enabled and moved back to their original OU.

I think this solution meets your requirement of not using a Before Provisioning Rule.

Further, you can refer to the links below:

-- Kannan
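Because the pattern above relies on extensionAttribute1 being written correctly on every disable and cleared on every enable, a practitioner will want a way to audit the directory for accounts where that did not happen before trusting the enable policy to move people back. The following is an added example (it is not Kannan's code and not part of the original thread) that derives the parent container from a distinguishedName, handling RFC 4514 escaped commas such as `CN=Smith\, John`, and then checks a set of account records for the failure modes this design can produce: a parked account with no stored OU, a stored value that is not a container DN in the domain, a stored OU equal to the disabled OU (which would happen if the disable policy captured the "current parent" of an account that was already parked; that this can occur is an assumption about re-running the policy, not something the thread states), and enabled accounts whose marker was never cleared. The domain `example.com`, the disabled OU name and all account records are constructed for the example.

```python
"""Audit AD account exports for the 'store original OU in extensionAttribute1' pattern.

Added example, not the original poster's or SailPoint's code. All directory data
below is constructed; the domain and OU names are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed names for the example; substitute your own disabled OU and domain suffix.
DISABLED_OU = "OU=Disabled Users,DC=example,DC=com"
DOMAIN_SUFFIX = "DC=example,DC=com"


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas.

    A backslash escapes the next character (RFC 4514), so 'CN=Smith\\, John'
    stays one RDN instead of being cut at the escaped comma.
    """
    rdns: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def parent_ou(dn: str) -> str:
    """Return the DN of the container an object sits in (everything after its own RDN)."""
    return ",".join(split_dn(dn)[1:])


def is_valid_container_dn(value: str, domain_suffix: str = DOMAIN_SUFFIX) -> bool:
    """True if value is an OU/CN container path ending in the expected domain suffix."""
    parts = split_dn(value)
    suffix_len = len(split_dn(domain_suffix))
    if len(parts) <= suffix_len:
        return False
    head, tail = parts[:-suffix_len], parts[-suffix_len:]
    if ",".join(tail).lower() != domain_suffix.lower():
        return False
    return all(p[:3].upper() in ("OU=", "CN=") for p in head)


@dataclass
class Finding:
    sam: str
    problem: str


def audit(accounts: list[dict], disabled_ou: str = DISABLED_OU,
          domain_suffix: str = DOMAIN_SUFFIX) -> list[Finding]:
    """Flag accounts that the disable/enable OU round-trip cannot handle cleanly."""
    findings: list[Finding] = []
    for acct in accounts:
        sam = acct["sAMAccountName"]
        stored = (acct.get("extensionAttribute1") or "").strip()
        parked = parent_ou(acct["distinguishedName"]).lower() == disabled_ou.lower()
        if not acct["enabled"]:
            if not stored:
                findings.append(Finding(sam, "disabled with no stored original OU; enable cannot move it back"))
            elif stored.lower() == disabled_ou.lower():
                findings.append(Finding(sam, "stored OU is the disabled OU itself; enable would leave it parked"))
            elif not is_valid_container_dn(stored, domain_suffix):
                findings.append(Finding(sam, f"stored value is not a container DN in {domain_suffix}: {stored!r}"))
            if not parked:
                findings.append(Finding(sam, "disabled but not sitting in the disabled OU"))
        else:
            if stored:
                findings.append(Finding(sam, "enabled but still carries a stored OU; enable policy did not clear it"))
            if parked:
                findings.append(Finding(sam, "enabled but still sitting in the disabled OU"))
    return findings


# Constructed sample export (not real directory content).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jsmith", "enabled": True,
     "distinguishedName": r"CN=Smith\, John,OU=Sales,OU=EMEA,DC=example,DC=com",
     "extensionAttribute1": ""},
    {"sAMAccountName": "adoe", "enabled": False,
     "distinguishedName": "CN=adoe,OU=Disabled Users,DC=example,DC=com",
     "extensionAttribute1": "OU=Finance,OU=AMER,DC=example,DC=com"},
    {"sAMAccountName": "bkim", "enabled": False,
     "distinguishedName": "CN=bkim,OU=Disabled Users,DC=example,DC=com",
     "extensionAttribute1": ""},
    {"sAMAccountName": "clee", "enabled": False,
     "distinguishedName": "CN=clee,OU=Disabled Users,DC=example,DC=com",
     "extensionAttribute1": DISABLED_OU},
    {"sAMAccountName": "dnguyen", "enabled": True,
     "distinguishedName": "CN=dnguyen,OU=IT,DC=example,DC=com",
     "extensionAttribute1": "OU=IT,DC=example,DC=com"},
    {"sAMAccountName": "epark", "enabled": False,
     "distinguishedName": "CN=epark,OU=Disabled Users,DC=example,DC=com",
     "extensionAttribute1": "Finance"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f.sam}: {f.problem}")
```

Run it against a CSV or LDAP export of the same fields before enabling the policies for the first time; any account it lists is one the enable policy will either leave in the disabled OU or fail to move, and should be fixed by hand (or have its extensionAttribute1 seeded) rather than left for AC_NewParent to discover.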

Excellent idea, I hadn’t thought of using the disable function to populate the spare source attribute.
Thanks