We currently have different AD sources for groups of users who need different account properties, but I’m trying to prep for a move to a single AD source - which means having a single AD account creation profile that will create accounts with different properties.
Mostly I’m able to do this by having the attributes defined at the identity level, but I have a few attributes that need to use generators because they need to be unique.
My 3 user categories are student, staff and non-employee. Some non-employees need mailboxes, but some don’t.
I have a generator rule that creates the samaccountname.
Then I have a generator rule that creates the mail id.
For staff and the non-employees that need mailboxes - the mail id would be based on [email protected] (with variations using middle initials and numbers to get a unique address)
In Create provisioning policy, you can keep Samaccountname above email attribute so that calculated samaccountname can be used in email as sailpoint calculate the attribute value in sequence as listed in provisioning policy.
The rule I want to use the samaccountname in is an AttributeGenerator - the image above shows the name as “Generate Unique StaffmailID”
I already have a BeforeProvisioning rule which moves accounts to the another OU when an AD attribute is changed.
I’m not very familiar with Beanshell, and I’m not much of a coder, so I was trying to do this with as few modifications as possible, as the original developers are no longer around.
If I was to use the BeforeProvisioning rule - how would I get the samaccountname from the provisioning plan?
Is there some kind of object I could do a getAttribute on to return it?
When you are generating a unique sAMAccountName using a generator on sAMAccountName attribute why do you need another generator to generate mail attribute. on the mail attribute if you can use Static and consider same string with case it should give you the generated sAMAccountName. From your previous reply it looks like you are using this $samaccountname.
Can you change to this and try once [email protected]
I have some types of users who need mail to be [email protected] and I have other types of users who need a unique mail address generating which uses [email protected], and achieves uniqueness by using middle initials and integers if needed.
I need to use a single AD source for all - and therefore one account creation policy has to be able to generate mail as either [email protected] mail address or [email protected] depending on the user type.
Thank you to everyone who contributed. For anyone looking to do something similar…
The solution was to do this as a custom transform in the provisioning policy, which you can do via the api for “Bulk Update Provisioning Policies”
I nested the Generator Rule (using the “Rule Transform” type) in a Static transform. The generator rule returns a unique mail id. I evaluate that and two more identity attributes in the static transform, to decide whether to use the $sAMAccountName value (created by a generator rule higher up in the Provisioning policy) for students, or the result from the “Generate Unique Mail Value PreProd” generator (for staff and the nelm accounts that get mailboxes), or leave mail blank (for nelm accounts that don’t get mailboxes)
This means I don’t need to find a way to pass the $sAMAccountName into the mail generator rule.
