Active Directory with two domains

Hi sailors!
Hope you are all well.

I’ve been working around this requirement for a few days and couldn’t sort it out, so I wanted to see if someone has done this before.
Initially we had an Active Directory connector that worked just fine, and later we had to integrate another Active Directory domain. For this, we used the same connector and, thanks to a trust relationship between the two domains, SailPoint was able to add and remove groups from the new domain using accounts from the old domain. So basically there are 2 domains, A & B.
In this new domain B, we couldn’t create accounts, and instead we used the accounts from domain A to add them to groups in domain B.

Now, we need to start creating accounts in domain B, and for this I’ve created a new connector, which also works fine.
The issue I have is that we have around 2k access profiles with entitlements from the same old source (which has both domains), but now they should have entitlements from both sources (the old one pointing to the old domain, and the new one pointing to the new one).
I thought about moving everything into roles, but that means a huge migration.

Has anyone come across this requirement before? I’m open to suggestions.

Thanks in advance!
Nico.

Hello @ninfante_solidigm

I think IDN is not able to handle that. What I suggest is to talk to the AD support team to do a migration; it should be easier than handling it through SailPoint.

Regards,
Pablo


Hi @ninfante_solidigm Access Profiles can’t contain Entitlements from more than one source. So that’s a given. However, not sure this is an AD support team problem, as AD Accounts are in the correct Groups (I assume), so nothing to do on the AD side.

However, you could duplicate the existing APs that contain Domain B Groups, if that matches your requirements.

I assume you can import Domain B Groups as Entitlements on New Source (Source 2)?

If you’re comfortable with Postman (or your API tool of choice) there may well be a way to duplicate the existing APs from Source 1 to Source 2 using ISC APIs. It’s a bit long-winded, but basically involves mapping Entitlement IDs from Source 2 to Entitlement IDs from Source 1 based on DN, and then mapping each Source 1 AP to a Source 2 AP using a naming convention, e.g. ADProfile1 (Source 1) to ADProfile1-New (Source 2). You can then tidy up the legacy APs, removing the Source 2 Entitlements. Any hard-coded AP IDs (such as in roles) would need to be tidied up as well.

I don’t want to give prescriptive steps on how to do this and I wouldn’t suggest it if you’re not comfortable with scripting APIs. EXTENSIVE TESTING REQUIRED.
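An offline sketch of the DN-based mapping described in the answer above, added here as an example and not the poster's own code nor an ISC API client. The entitlement and access-profile shapes are simplified from ISC's JSON, the source ids, DNs and the Domain B suffix are constructed placeholders, and nothing is written anywhere: it only produces the Source 2 AP drafts, the trimmed legacy APs and a list of Domain B groups that have no Source 2 entitlement yet (a gap that would silently break the migration if ignored).

```python
# Constructed sample data, loosely modelled on ISC entitlement and access-profile JSON
SRC1, SRC2 = "src1", "src2"          # source ids (placeholders)
DOMAIN_B = "dc=b,dc=corp"            # DN suffix identifying Domain B groups (placeholder)

SRC1_ENTS = [  # Source 1 sees groups from both domains via the trust
    {"id": "e1", "value": "CN=App-Admins,OU=Groups,DC=a,DC=corp"},
    {"id": "e2", "value": "CN=App-Users,OU=Groups,DC=b,DC=corp"},
    {"id": "e3", "value": "CN=HR-Readers,OU=Groups,DC=b,DC=corp"},
]
SRC2_ENTS = [  # Source 2 sees only Domain B; HR-Readers not aggregated yet (constructed gap)
    {"id": "n2", "value": "cn=app-users,ou=groups,dc=b,dc=corp"},
]
ACCESS_PROFILES = [
    {"id": "ap1", "name": "ADProfile1", "source": {"id": SRC1},
     "entitlements": [{"id": "e1", "type": "ENTITLEMENT"}, {"id": "e2", "type": "ENTITLEMENT"}]},
    {"id": "ap2", "name": "ADProfile2", "source": {"id": SRC1},
     "entitlements": [{"id": "e3", "type": "ENTITLEMENT"}]},
]

def map_entitlements_by_dn(src1_ents, src2_ents):
    """Return {source1_id: source2_id} for entitlements sharing the same DN (case-insensitive)."""
    by_dn = {e["value"].lower(): e["id"] for e in src2_ents}
    return {e["id"]: by_dn[e["value"].lower()] for e in src1_ents if e["value"].lower() in by_dn}

def split_access_profiles(aps, src1_ents, id_map, suffix="-New"):
    """Build Source 2 AP drafts and trimmed legacy APs; report Domain B groups with no Source 2 match."""
    dn_of = {e["id"]: e["value"].lower() for e in src1_ents}
    new_aps, legacy_aps, unmapped = [], [], []
    for ap in aps:
        keep, moved = [], []
        for ent in ap["entitlements"]:
            if ent["id"] in id_map:
                moved.append({"id": id_map[ent["id"]], "type": "ENTITLEMENT"})
                continue
            keep.append(ent)                      # Domain A group, or unresolved Domain B group
            if dn_of[ent["id"]].endswith(DOMAIN_B):
                unmapped.append((ap["name"], dn_of[ent["id"]]))
        if moved:                                 # ADProfile1 -> ADProfile1-New on Source 2
            new_aps.append({"name": ap["name"] + suffix, "source": {"id": SRC2}, "entitlements": moved})
        legacy_aps.append({**ap, "entitlements": keep})
    return new_aps, legacy_aps, unmapped

def run_example():
    """Run the mapping over the constructed data; returns (id_map, new_aps, legacy_aps, unmapped)."""
    id_map = map_entitlements_by_dn(SRC1_ENTS, SRC2_ENTS)
    return (id_map,) + split_access_profiles(ACCESS_PROFILES, SRC1_ENTS, id_map)

if __name__ == "__main__":
    for part in run_example():
        print(part)
```

Anything reported in the unmapped list (here HR-Readers) means Source 2 has not aggregated that group yet, so the legacy AP keeps it and the draft for Source 2 is not created until the entitlement exists on both sides.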