I’m working on a requirement where we need to move accounts with terminated LCS state to a disabled OU in Active Directory. I created the following transform to move the users to the disabled OU. I’m using the identityAttribute cloudLifecycleState in the transform for the calculation. I used this transform in the accounts create profile for my Active Directory source. The issue i’m having is that the transform is not moving the terminated users to the disabled ou. Below is the transform, has anyone experience similar issue.
To move the user to a different OU you need to fill the attribute AC_NewParent on the Account Profile, to add this attribute you need to edit the Provisioning Policies API to to add this field.
On your scenario you could add the AC_NewParent to the DISABLE Provisioning Policy with the Disable OU, every time the user account is disable will move that account to the specified OU.
The recommended approach is to use Before Provisioning rule for movement of accounts to different AD OUs.
You will have to put this transform on an Identity attribute & then in Before Provisioning rule, read the lifecyclestate value & compare. You will also have to configure the Terminated LCS to have a disable account configuration option mapped in Identity Profile’s Provisioning tab.
@fmunerato , Welcome to the community! Account Profiles are not recommended for AD OU movement as AC_NewParent and AC_NewName are not read via the connector, they can never be verified. This results in “stranded” account activity entries within the IdentityNow tenant.
Thanks for your response. Here’s what we implemented based on the documentation and best practice:
Created a transform to calculate the users lifecycle state
Configure the terminated LCS on the Identity Profiles provisioning to disable accounts based on the defined LCS.
Created a new identity attribute “disabledParentOU” and a lookup transform to place the terminated users
Create a before provisioning rule and deployed it to the tenant to handle the termination and OU moves.
Here’s what I’ve noticed after our implementation:
The LCS termination executes as expected and disable’s the account at the target however the OU account move fails. Here’s the error message: Failed to update attribute AC_NewParent Error - StartIndex cannot be less than zero. Parameter name: startIndex
“ATTRIBUTE REQUESTS
Set AC_NewParent: empty”
When I disabled the account in Sailpoint UI for the target source, the account is disabled and moved to the target OU. No error message is thrown.
Can you tell us what can be causing this exception:
We’re using a Before Provisioning Rule to move AD Accounts to the Disabled Accounts OU upon termination. We’ve run into snag with this process.
This works great if the AD Account is Enabled prior to LCS changing to Inactive.
We have a Prehire status where the AD Account is in a Disabled state
If the Employee Offer is “Rescinded” in Workday the LCS changes from Prehire to Inactive. However, the AD Account does not move because it’s linked to the Account Disable Operation in the Before Provisioning Rule.
This creates a bit of a mess because these accounts remain in the original OU taking up a license for O365 etc.