AD account creation bypass

Hi! I have an Active Directory connector, on which some accounts are not aggregated yet, but for reaching some business rules, I need entitlements to be granted anyway. What is happening is that for these accounts, it runs the OOTB create account event, and as there already exists an account on AD, it ends in error. Immediately after that, the entitlement addition is performed, and ends with a null native identity error, caused by the failed account creation event.

Is there some way of altering the normal create operation plan, in order to return as completed if the account already exists on AD?

What I am trying to do: I have a main AD source, and several applications that have AD as their account backend. I would like to represent these apps in ISC with cloned AD sources that only grant/revoke the app AD groups, in order to avoid using ISC applications and manual access profile creation for each AD group.

Hi Julian,

It is an interesting requirement.

I would say you can alter the Plan using Before Provisioning Rule, change the operation and remove attribute requests except the Groups.

But you don’t know the native identity of the object, as it is not aggregated and of course not correlated to the concerning Identity.

If you are getting the error as Object already exists, then your Provisioning Policy is generating a DistinguishedName the same as one that exists in AD. If yes, then altering the plan might work.

If the error is not Object already exists, then it may be due to UPN, and the AD account was already created partially.

Thanks
Krish

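The plan rewrite Krish describes, as an added example (BeanShell-style Java for a Before Provisioning Rule; not code from the thread or from SailPoint). It assumes the provisioning policy emits a `distinguishedName` attribute request, that groups travel in `memberOf`, and a placeholder source name `AD-App-Clone`; the existence check itself is the part the rule cannot do, so it relies on the policy DN matching AD, as the reply notes.

```java
// Added example: rewrite a Create into a groups-only Modify in a
// Before Provisioning Rule. Assumed names: "distinguishedName",
// "memberOf" and the source name "AD-App-Clone" (placeholder).
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String SOURCE_NAME = "AD-App-Clone";   // assumption: the cloned AD source
String GROUP_ATTR  = "memberOf";       // assumption: AD group attribute
String DN_ATTR     = "distinguishedName";

// `plan` and `log` are supplied by the rule context.
if (plan != null && plan.getAccountRequests() != null) {
  for (AccountRequest acctReq : plan.getAccountRequests()) {
    // Only touch Create requests on the cloned source; real creates
    // on the main AD source keep their normal behaviour.
    if (!SOURCE_NAME.equals(acctReq.getApplication())
        || !AccountRequest.Operation.Create.equals(acctReq.getOperation())) {
      continue;
    }
    AttributeRequest dnReq = acctReq.getAttributeRequest(DN_ATTR);
    if (dnReq == null || dnReq.getValue() == null) {
      continue; // no DN means no native identity to target
    }
    // Keep only group requests; every other attribute request would try
    // to overwrite an account that already exists in AD.
    List groupReqs = new ArrayList();
    for (AttributeRequest attrReq : acctReq.getAttributeRequests()) {
      if (GROUP_ATTR.equalsIgnoreCase(attrReq.getName())) {
        groupReqs.add(attrReq);
      }
    }
    if (groupReqs.isEmpty()) {
      continue; // nothing to grant, leave the original request alone
    }
    acctReq.setOperation(AccountRequest.Operation.Modify);
    acctReq.setNativeIdentity(dnReq.getValue().toString());
    acctReq.setAttributeRequests(groupReqs);
    log.info("Rewrote Create to Modify for " + acctReq.getNativeIdentity());
  }
}
return plan;
```

If the policy DN does not match the existing object, the Modify fails instead of the Create, so log the rewritten native identity and check it against the aggregated account once the source catches up.
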
Hi @jsosa, you can utilize the OOTB rule builder in your policy creation to manage the expected behavior, and using the ‘Rule’ as a wrapper should resolve your issue.

Using ISCRuleUtil as a Wrapper for Common Rule Operations | SailPoint Developer Community

Account Profile Attribute Generator | SailPoint Developer Community