Active Directory - Migrate from DN to objectguid

Which IIQ version are you inquiring about?

8.3

Share all details about your problem, including any error messages you may have received.

For a client with an existing AD app configured with Identity Attribute = distinguishedName, we are planning to change it to ‘objectguid’.

The main reason for this switch is to solve scenarios where the DN of a user changes; currently IIQ creates unwanted provisioning due to attribute assignments. So the two questions I wanted help with are:

  1. Is it okay to use objectguid as Identity Attribute in AD?
  2. If migrated from DN to objectguid, what are all the impacts to the system? What should be the strategy to do the migration?

As I remember, SailPoint released such migration code changes and rolled them back quickly. There is a LOT of impact.

I wouldn’t do this as (and this I’m not 100% sure) this isn’t officially supported.

You will just have to deal with those DN changes, but there have been some improvements around that. You might read about: “Enable Native Change Event propagation”.

I personally have never seen an instance with anything else being used but DN.


okay. Thanks for your response

I’m interested in hearing how others are managing employee name changes for Active Directory accounts, particularly when the DN changes. We’re seeing issues where, after a DN change (for example, due to a last name update), the relationship between detected roles and assigned roles gets disrupted. Specifically, the detected role no longer shows the assigned role in the “Allowed By” column in IdentityIQ.

Has anyone found effective strategies for maintaining role relationships through DN changes or name updates? Are you using objectGUID for correlation, or do you have other processes in place to handle these scenarios?

Any insights or best practices would be greatly appreciated!

Starting from 8.3, SailPoint as well recommends using the guid value as nativeIdentity, especially to support use cases related to DN changes. Here is more information about it:

However, I would suggest performing regression testing in non-prod environments. Your identity correlation may remain as-is if you are not using the DN value for correlation; however, the roleAssignments and attributeAssignments on the identities might still point to the old nativeIdentity (DN) value. This needs to be observed in your non-prod environment. And if needed, a custom task to update the nativeIdentity of these role and attributeAssignments can be tried, in my opinion.

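A dry-run reconciliation of the kind the reply above suggests, added here as an example; it is not the thread's or SailPoint's code and does not use the IdentityIQ API. It assumes constructed account links (objectGUID in string form plus the current DN and any earlier DNs) and constructed role/attribute assignment records, rewrites DN-based nativeIdentity values to objectGUID, and flags assignments whose DN no longer resolves to any account, which is the rename case the thread describes.

```python
from dataclasses import dataclass

# Constructed sample data, not from the thread: AD links keyed by objectGUID (string
# form), with the earlier DNs the account carried before a rename.
AD_APP = "Active Directory"
LINKS = {
    "6f1a2c3d-0000-4000-8000-000000000001": {
        "dn": "CN=Jane Doe,OU=Users,DC=corp,DC=example",
        "previous_dns": ["CN=Jane Smith,OU=Users,DC=corp,DC=example"]},
    "6f1a2c3d-0000-4000-8000-000000000002": {
        "dn": "CN=Bob Lee,OU=Users,DC=corp,DC=example", "previous_dns": []},
}

@dataclass(frozen=True)
class Assignment:
    kind: str             # "role" or "attribute"
    application: str
    native_identity: str  # DN before the migration, objectGUID after

def build_dn_index(links):
    """Map every DN an account is or was known by to its objectGUID (DNs are case-insensitive)."""
    index = {}
    for guid, link in links.items():
        for dn in [link["dn"], *link["previous_dns"]]:
            index[dn.lower()] = guid
    return index

def migrate_assignments(assignments, links, app=AD_APP):
    """Dry-run rewrite of DN nativeIdentity values to objectGUID; returns (assignment, status) pairs."""
    index = build_dn_index(links)
    out = []
    for a in assignments:
        if a.application != app or a.native_identity in links:
            out.append((a, "unchanged"))  # other application, or already a GUID
            continue
        guid = index.get(a.native_identity.lower())
        if guid is None:
            out.append((a, "orphan"))  # DN matches no current or previous DN: needs a human
            continue
        via_previous = a.native_identity.lower() != links[guid]["dn"].lower()
        status = "migrated-via-previous-dn" if via_previous else "migrated"
        out.append((Assignment(a.kind, a.application, guid), status))
    return out

SAMPLE = [  # constructed assignments as stored before the identity attribute switch
    Assignment("role", AD_APP, "CN=Jane Smith,OU=Users,DC=corp,DC=example"),
    Assignment("attribute", AD_APP, "cn=Bob Lee,ou=Users,dc=corp,dc=example"),
    Assignment("attribute", AD_APP, "CN=Gone User,OU=Users,DC=corp,DC=example"),
    Assignment("role", "Workday", "EMP0042"),
]
```

Run `migrate_assignments(SAMPLE, LINKS)` in non-prod against an export of real links and assignments; the "orphan" rows are the ones a custom task cannot fix automatically.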
