Hello everyone!
The main question for me is: is there any step-by-step guide on AD account provisioning for newly created Identities? As I know it's possible via birthright roles, but are there any recommendations on how I can set it up via the LCM Create and Update workflows? Or would this be much easier using Roles?
And more details.
For now, in our company there is a need to create AD accounts for every new user. The users are aggregated from SAP HR\HCM.
The AD application is created and configured. Some accounts and groups are created in Test OU and were successfully aggregated and correlated.
Also, there is an AD Create Policy configured for the application (added as the attachment).
The IT roles (with memberOf entitlement) that are required for Business role (As example All_Users) configured.
As I'm trying to request this Role for a user that doesn't have an AD account currently, the "Request provisioning form for" displays (attached screenshot).
But those attributes are generated in the AD creation policy (I could give the code sample from the referenced Libraries).
Is there any way to automate this process? Or could this be a problem in the Library method code?
I will be happy to see any additional information on this topic.
I could see that you need an AD account for every user created in your HR system. We call it birthright provisioning. We can implement birthright by using:
Joiner Lifecycle event
Business Role Assignment Rule
Coming to your question, if I understood correctly, why is the form empty?
First time I am seeing this tag, however the logic should generate the values. This is where we need to troubleshoot.
Thanks for your help, it's nice to hear from you again.
As I've mentioned, we have the library method to generate the value.
I'm not the one who developed that methods library, but as I've checked the code, I haven't seen any misconfigured lines.
Maybe a fresh look at this code could spot any issues.
Is it okay if I attach the full .txt file with this library method? This Library contains only the methods related to this Create Policy.
Or if you won't be comfortable with this, I can send the separate methods specified for those values.
I have seen this before and found it was a timing issue at that client.
The attributes in the identity might have not been populated, when the AD is to be created.
For instance in the function generateSAMAccountName:
    // Guard at the top of generateSAMAccountName(Identity identity) in the rule library:
    // abort when the identity or its mandatory name attributes are not yet populated
    if (identity == null || Util.isNullOrEmpty(identity.getFirstname()) || Util.isNullOrEmpty(identity.getLastname()))
    {
        logger.error("generateSAMAccountName::Failed because some of mandatory attributes is/are not defined (user: \"" + getName(identity) + "\").");
        return null; // no sAMAccountName is generated, so the provisioning form shows an empty field
    }
When identity.getFirstname() or identity.getLastname() are empty, no sAMAccountName is created. You should see this in the log-file as an error is logged.
This issue might arise when you are using "standard" birthright roles (Business role with an assignment rule) or in any other way are too fast with the creation of the AD accounts.
Since the timing of the creation of the AD account is important (it needs to be created when the attributes of the identity cube are populated), it is best to create the account in an LCM process (IMHO).
There are multiple options to create accounts via an LCM Joiner event:
Assign Default Roles: the workflow assigns a static list of roles, found in the Default Assignments entry of the SPCONF Joiner Mappings Custom object, to the joiner identity.
Assign a default application: the workflow creates accounts for the identity on a static list of applications, found in the Default Assignments entry of the SPCONF Joiner Mappings Custom object.
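An added illustration of the guard described above, not the original poster's rule library and not SailPoint's code: a generator that returns null while firstname or lastname is still unpopulated (the timing case), and otherwise builds a sAMAccountName within AD's 20-character limit, checking uniqueness against a constructed set of existing names that stands in for a real directory lookup. The Identity stand-in class, the naming convention (first initial + last name) and the existing-name set are assumptions.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class SamAccountNameGenerator {
    // Minimal stand-in for the IdentityIQ Identity object (assumption, not the real class)
    public static class Identity {
        private final String name, firstname, lastname;
        public Identity(String name, String firstname, String lastname) {
            this.name = name; this.firstname = firstname; this.lastname = lastname;
        }
        public String getName() { return name; }
        public String getFirstname() { return firstname; }
        public String getLastname() { return lastname; }
    }

    private static final int AD_SAM_MAX = 20; // pre-Windows 2000 logon name length limit

    private static boolean isNullOrEmpty(String s) { return s == null || s.trim().isEmpty(); }

    // Returns null (a real rule would log an error here) when mandatory attributes are not yet
    // populated on the identity cube, which is what happens when provisioning fires too early.
    public static String generateSAMAccountName(Identity identity, Set<String> existing) {
        if (identity == null || isNullOrEmpty(identity.getFirstname()) || isNullOrEmpty(identity.getLastname())) {
            System.err.println("generateSAMAccountName::mandatory attributes missing for "
                    + (identity == null ? "null" : identity.getName()));
            return null;
        }
        // Convention assumed here: first initial + last name, letters/digits only, lower case
        String base = (identity.getFirstname().trim().substring(0, 1) + identity.getLastname().trim())
                .replaceAll("[^A-Za-z0-9]", "").toLowerCase(Locale.ROOT);
        if (base.isEmpty()) return null; // names made only of non-alphanumerics yield nothing usable
        String candidate = base.length() > AD_SAM_MAX ? base.substring(0, AD_SAM_MAX) : base;
        // Uniqueness: append a numeric suffix, trimming the base so the total stays within the limit
        for (int i = 1; existing.contains(candidate); i++) {
            String suffix = Integer.toString(i);
            int keep = Math.min(base.length(), AD_SAM_MAX - suffix.length());
            candidate = base.substring(0, keep) + suffix;
        }
        return candidate;
    }

    public static void main(String[] args) {
        Set<String> existing = new HashSet<>(); // constructed sample of names already present in AD
        existing.add("jsmith");
        System.out.println(generateSAMAccountName(new Identity("1001", "John", "Smith"), existing));
        System.out.println(generateSAMAccountName(new Identity("1002", "Anna", null), existing));
    }
}
```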
I would recommend you check the logs; there are a few more lines of code written for samAccountName.
I believe this is an intermittent issue, I mean not for all users.
Please check the logs for the respective user.
Check the user identity cube to see if firstName and lastName are missing.
The probability of firstName and lastName not being populated is very low. I agree that there is a chance, but we can get more insights after checking the logs. Based on that we can take a decision.
Also, can you confirm how AD account provisioning is triggered?
The logs weren't configured properly, that's why I haven't seen the errors before.
After fixing the logs config, as you said, I've checked the logs and found that everything except sAMAccountName generates correctly.
As I see, the guy who was here before me and created those rules made everything okay, but some of the attribute names and methods changed.
Probably I'll create a new Create Policy and use simpler scripts to generate the values.
After that, I'll test everything again and update this thread with the results. I think this will take some time.
About the question:
I've tried to use both the Business Role with the Rule and the Access Request; both gave the same result.
There will be no issue with 1000+ users processing at once, but I suggest you go with a batch of users.
I prefer to go with the Joiner Lifecycle event rather than the Assignment Rule in the Business Role. I have seen an issue with the Assignment Rule.
I have seen in one client that they changed the definition of a Business Role (actually they didn't do any change, just clicked save on that Role). The Refresh Task removed all users from that Role; later that bug was fixed.
There is no issue using joiner; you can further customize the joiner workflow for your requirements.
Implementing Assignment Rule logic is easy, but it is not as efficient an approach as Joiner, though Joiner is not as easy as an Assignment Rule in Business Roles.
Joiner has more features than the Assignment Rule:
Enable/Disable whenever you need.
Event type to control the trigger.
Included identities (to control which users should be in scope)
Threshold
My choice would always be joiner.
If you choose joiner, go with a batch of users by making use of Included identities.