We have a Role for one of our AD Domains that assigns group membership and should provision an AD Account if one does not exist for the Identity. When the Role is assigned, the provisioning is attempted, but we are getting this error:
java.lang.RuntimeException: sailpoint.thunderbolt.service.NotRetryableActionException: Unable to generate a unique value for 'Jane Doe', action UniqueAccountIdValidator[nativeIdentity=54321JDoe,app=CORP AD] is not retry-able due to ConnectorException: [ InvalidConfigurationException ] [ Possible suggestions ] Verify that mandatory fields should not be empty in the application configuration. [ Error details ] Required string attribute 'authorizationType' is not defined.It must have a valid value.
Test connections, aggregations, etc. are all working without issue.
The one different change in this AD is the sAMAccountName format, but in the error above it appears to be formatting as expected, here is the ProvisionPolicy section for that -
The “UserNameGenerator” transform type actually only works on the Account ID of the source, not the Account Name attribute. So you could use it to define a distinguishedName, but not a sAMAccountName.
Editing to add: changing the account ID of an AD source will break provisioning.
Other than the generator, in the AD source JSON, the authorizationType key shows up three times (in connectorAttributes.forestSettings, connectorAttributes.domainSettings, and connectorAttributes levels). Do you have all three?
If you only need to use one type of naming convention, this should be sufficient.
If you need to do more complex logic, explore using an attribute generator rule: Account Profile Attribute Generator | SailPoint Developer Community. This will need to be developed and submitted to SailPoint for Rule Review before it can be used in your tenant. The link above already has one example that can be used as a starting point for sAMAccountName generation.
If I try to use the ‘Account Profile AttributeGenerator (from Template)’, does this need to get uploaded/approved for use?
I’m just trying to get sAMAccountName to be a static ‘12345’ + first initial + lastname
I removed my initial transform just to see if an account would provision and it did. So just figuring out how to get sAMAccountName format correct is where I’m at.
You can do that using an identity attribute, with a concat transform that provides your “fi” and “ln” attributes. Then map that identity attribute to the sAMAccountName attribute on the Active Directory create profile.
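Added example, not part of the thread and not SailPoint code: a check of an exported AD source JSON for the three authorizationType locations named in the reply above (connectorAttributes, connectorAttributes.forestSettings, connectorAttributes.domainSettings). It assumes forestSettings and domainSettings may each be a single object or a list of objects; the sample document and every value in it are constructed.

```python
import json


def missing_authorization_type(source: dict) -> list[str]:
    """Return the paths where 'authorizationType' is absent or empty."""
    attrs = source.get("connectorAttributes") or {}
    missing = []
    if not attrs.get("authorizationType"):
        missing.append("connectorAttributes")
    for section in ("forestSettings", "domainSettings"):
        path = f"connectorAttributes.{section}"
        entries = attrs.get(section)
        if not entries:
            # Whole section absent or empty: nothing can carry the key.
            missing.append(path)
            continue
        # Assumption: a section is either one object or a list of objects.
        if isinstance(entries, dict):
            entries = [entries]
        for i, entry in enumerate(entries):
            if not isinstance(entry, dict) or not entry.get("authorizationType"):
                missing.append(f"{path}[{i}]")
    return missing


# Constructed sample: only the authorizationType key and the three parent
# paths come from the thread; other keys and all values are placeholders.
SAMPLE_SOURCE = json.loads("""
{
  "name": "CORP AD",
  "connectorAttributes": {
    "authorizationType": "simple",
    "forestSettings": [
      {"forestName": "corp.example", "authorizationType": "simple"}
    ],
    "domainSettings": [
      {"domainDN": "DC=corp,DC=example"}
    ]
  }
}
""")

if __name__ == "__main__":
    for path in missing_authorization_type(SAMPLE_SOURCE):
        print(f"authorizationType not set at {path}")
```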