AD accountExpires Attribute Sync Loop

tmclaughlin · January 22, 2025, 5:52pm

Similar to the needs of another discussion we have Contractors that have a set accountExpires date and employees have a value of “never”. The issue is that it needs to pass an integer value into AD for the accountExpires Value either 0 or 9223372036854775807. But SailPoint reads the attribute from AD as the string “never” and when Attribute Sync is turned on it compares “never” to “9223372036854775807” or “0” and identifies that they don’t match. It then updates the value for every employee every time it syncs. Any ideas on how we can make the value it checks be “never” while still using the integer to assign the value for new accounts? When we assign the value as “never” for employees the account creation fails.

We found this topic which helped with the Account Creation function: accountExpires attribute in AD - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
But it does not solve for Attribute Sync.

schattopadhy · January 23, 2025, 7:06am

@tmclaughlin you can try setting a date like 2099 for never so that this issue does not occur.

JackSparrow · January 23, 2025, 11:07am

Hi @tmclaughlin,

Not sure if I understood it correctly. Are you updating “never” which is a string for employees during account creation? Instead, you can set it as null, so that by default account expires will be “never”. Transform goes like this.

{
            "name": "accountExpires",
            "transform": {
                "schDepartDateConvert": {
                    "attributes": {
                        "ignoreErrors": "true",
                        "values": [
                            {
                                "attributes": {
                                    "input": {
                                        "attributes": {
                                            "name": "endDate"
                                        },
                                        "type": "identityAttribute"
                                    },
                                    "inputFormat": "yyyy-MM-dd",
                                    "outputFormat": "EPOCH_TIME_WIN32"
                                },
                                "type": "dateFormat"
                            },
                            "null"
                        ]
                    },
                    "type": "firstValid"
                },
                "type": "static",
                "name": "Static_Transform_with_firstValid_for_AccountExpires"

tmclaughlin · January 29, 2025, 9:44pm

{
        "name": "Format AD Expiration",
        "type": "static",
        "attributes": {
            "expirationDate": {
                "attributes": {
                    "input": {
                        "attributes": {
                            "sourceName": "HR DB",
                            "attributeName": "CONTRACTOR_EXPIRATION_DATE"
                        },
                        "type": "accountAttribute"
                    },
                    "regex": "0:0:0 AM UTC",
                    "replacement": "11:59:59 PM"
                },
                "type": "replace"
            },
            "company": {
                "attributes": {
                    "sourceName": "HR DB",
                    "attributeName": "COMPANY"
                },
                "type": "accountAttribute"
            },
            "value": "#if($company.equalsIgnoreCase(\"Contractors\"))$expirationDate#{else}9223372036854775807#end"
        },
        "internal": false
    }

This is what we are currently using for our Transform. We had it set to null for the else condition before and it would error and crash the account creation action.