Active Directory manager sync - block for inactive users

WyssAJ01 · October 12, 2023, 1:22pm

Hey all, I’m working through a use case at a client where they don’t want manager to be synced down into AD accounts for inactive users. I’ve looked at the few other threads about this topic but I’m seeing different behavior in my transform results than what others have seen.

{
    "id": "e6346a99-b5d0-4b1b-bd4a-bd417b79c4b3",
    "name": "managerDn",
    "type": "conditional",
    "attributes": {
        "expression": "$lcs eq inactive",
        "positiveCondition": "",
        "negativeCondition": "$managerDN",
        "managerDn": {
            "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getReferenceIdentityAttribute",
                "uid": "manager",
                "attributeName": "dn"
            },
            "type": "rule"
        },
        "lcs": {
            "attributes": {
                "name": "cloudLifecycleState"
            },
            "type": "identityAttribute"
        }
    },
    "internal": false
}

What is happening is on the inactive users, IDN is populating “None” on inactive users and trying to push that down into the AD account. I get this error from IDN on the accounts and the modify action fails.

["Error(s) reported back from the IQService - Failed to update attributes for identity CN\u003dCrystal Schmidt,OU\u003dTokyo,OU\u003dAsia-Pacific,OU\u003dDemo,DC\u003dseri,DC\u003dsailpointdemo,DC\u003dcom. A constraint violation occurred.\n"]

Does anyone have any insight as to what might be happening here?

ksbagade · October 12, 2023, 6:04pm

Hi @WyssAJ01,

Have you tried using the Null value as such?

{
    "id": "e6346a99-b5d0-4b1b-bd4a-bd417b79c4b3",
    "name": "managerDn",
    "type": "conditional",
    "attributes": {
        "expression": "$lcs eq inactive",
        "positiveCondition": null,
        "negativeCondition": "$managerDN",
        "managerDn": {
            "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getReferenceIdentityAttribute",
                "uid": "manager",
                "attributeName": "dn"
            },
            "type": "rule"
        },
        "lcs": {
            "attributes": {
                "name": "cloudLifecycleState"
            },
            "type": "identityAttribute"
        }
    },
    "internal": false
}

sunnyajmera · October 12, 2023, 6:05pm

Instead of passing None, may be pass null or empty string.

MVKR7T · October 12, 2023, 6:12pm

@WyssAJ01 or maybe pass current manager in Active Directory, so there will be nothing to sync and It will be filtered. I have not had success when I tried to clear data (Overriding an attribute which has a value with empty or null).

WyssAJ01 · November 22, 2023, 3:16pm

Just to close the loop on this in case anyone else has this issue, is we used a static transform that brings in managerDn and cloudLifecycleState and uses the below velocity code.

"value": "#if($cloudLifecycleState != 'terminated')$managerDn#end"

system · January 21, 2024, 3:17pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Active Directory AD Sync issue while modification IIQ Discussion and Questions identityiq	8	448	March 24, 2024
Clear ‘Manager’ and ‘ManagerDN’ identity attributes for inactive users ISC Discussion and Questions	21	3042	July 19, 2023
Unable to send null value on manager attribute in AD via attributeSync ISC Discussion and Questions identity-security-cloud , provisioning	8	815	June 23, 2023
Update provisioning policy -how to apply retroactive ISC Discussion and Questions identity-security-cloud , provisioning	4	44	September 23, 2024
Search for Accounts with Inactive Manager ISC Discussion and Questions	5	956	July 19, 2023

Active Directory manager sync - block for inactive users

Related Topics