Hi All,
We have a requirement to update the description attribute in AD for rehired users. The scenario is: when a user gets terminated, the AD account gets disabled and we update the “description” attribute in AD with some static value. Now when the user is rehired, the AD account gets enabled and we want to remove the static value from the “description” attribute in AD. Can this be achieved via an UPDATE provisioning policy? We don’t want this to be done via a BeforeProvisioning rule.
What’s the objection to using a rule?
The Services Standard Before Provisioning rule can handle this quite easily.
Hi @WyssAJ01, there is no objection, but the dependency is on the SailPoint services team to deploy the code. I hope it will be the last option to move to, as said by SailPoint.
You can do this with the Services Standard Before Provisioning Rule, that way you don’t need to use expert service hours, you just have to request it is enabled in the tenant(s) via support (https://support.sailpoint.com).
I believe 1.7.1 is the most recent version; I’ve attached the documentation here and hopefully it helps with your use case.
Services Standard BeforeProvisioning.pdf (68.4 KB)
Thanks for the response @vkashat. Will check this.
I agree with you; we don’t use Cloud Rules unless there is really no other way (99% of the time, there is a way). In my last 1.5 years, I have written just 2 cloud rules.
You can achieve this using a Transform itself.
- Create an Identity attribute, AD Description
- In the Identity mapping, select the source as AD and the attribute as Description
- Build the transform as per your requirements
- In the Create account provisioning policy, use this Identity attribute for the Description attribute
- This will enable attribute sync for the description attribute
I wouldn’t go to the Services Standard Before Provisioning Rule just for description; I’m also not happy with some of its operations.
Hope this helps.
Thanks
Krish
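As an added example (not from the thread), here is one way to build the transform for the “AD Description” identity attribute described above, using a conditional transform on the identity’s lifecycle state. It assumes your terminated lifecycle state is named `terminated`, that the static marker written at termination is `Terminated by HR`, and that your AD source accepts an empty string through attribute sync to clear the attribute (verify that in a sandbox tenant first):

```json
{
  "name": "AD Description",
  "type": "conditional",
  "attributes": {
    "expression": "$lcs eq terminated",
    "positiveCondition": "Terminated by HR",
    "negativeCondition": "",
    "lcs": {
      "type": "identityAttribute",
      "attributes": {
        "name": "cloudLifecycleState"
      }
    }
  }
}
```

Map the identity attribute to the AD Description attribute with this transform, reference it in the Create policy’s Description field, and attribute sync pushes the value on termination and clears it again on rehire without the Create policy re-running.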
Thanks @KRM7. But for rehired users, will the CREATE provisioning policy trigger again? We are just re-enabling the existing account.
NOTE: The AD account will get deleted 30 days after termination. So the case here is that the rehire will happen within 30 days and the AD account will be re-enabled rather than a new account being created.
Hi @JackSparrow
Please try what @KRM7 suggested. Also, an alternate approach could be to use an Enable policy:
{
  "name": "Enable Account Policy",
  "description": "Policy to provision attributes for enable users",
  "usageType": "ENABLE",
  "fields": [
    {
      "name": "<attribute Name>",
      "transform": {
        "attributes": {
          /////Logic here
        },
        "type": "<Transform Type>"
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}
For enable, the create provisioning policy will not trigger.
If the AD account is already there, then it will just be an Enable. You can make use of the Enable Provisioning Policy only if you need to send any additional attributes, like moving the user from the Disabled OU to the Enabled OU using AC_NewParent, or even if you have the description attribute.
Yes, just enable. You can configure this in your Rehire Life Cycle State (LCS): under sources to enable, select your AD source.
After 30 days, if the AD account is deleted and you have any access (Entitlements/Access Profiles/Roles) through Access Request, then the AD account will be created automatically.
Cheers
Krish