AD Provisioning without AD groups

Hi all,

We have a use case where we need to provision a user with a blank AD group. We understand that an AD user will have the Domain Users AD group assigned by default, but since this is not found in the entitlement list, there is nowhere for us to configure the role-based provisioning. We would appreciate any input on this.

Thank you!

Using Role

I would say you can create the AD account using any test AD group via a Role. Add a criterion to that Role that the user should not have the same test AD group.

With this, the user will get the AD account first and then the group will be removed. But the account stays.

I know it is ugly, adding and removing.

Hello @sjoyee, you can request your AD team to create one AD group for SailPoint with a proper name and description which lets everyone know it is meant to be used by SailPoint for default user provisioning.
Then, use that AD group in your role or access profile configuration.

We’ve done the same for one of our customers and it’s good also from a reporting perspective.

Unfortunately IDN doesn’t provide for “Account Only” scenarios so you’ll need to use some kind of alternate approach. As @gauravsajwan1 noted - adding a “placeholder AD group” is probably the best option.

Keep in mind it would be a very unusual scenario to have an AD account without any groups assigned also (based on my past 15 years of experience with AD).
