AD sAMAccountName Generator Rule

Hello everyone,

We have a specific requirement for creating new AD accounts in IDN. Currently, we utilize an AD Username Generator Rule in the sAMAccountName field within the Create Policy of the Active Directory source, which has been functioning effectively. However, there’s a new requirement: we need to generate a unique sAMAccountName only once. This means that even if someone leaves and their AD account is deleted in the future, that sAMAccountName should not be reused for new joiners. Therefore, the AD Username rule must generate a unique value that is used only once.

I’m seeking the best approach to implement this requirement in IDN. We considered creating an identity attribute called “lastADUsername” and populating it using the “Identity.setAttribute()” function, but it appears this isn’t permitted in IDN. What alternative solutions could we explore? Any suggestions would be greatly appreciated. Thanks in advance!

For identities to remain long term, the authoritative source needs to retain the identities long term.

If the authoritative source will always retain the identities, you could write the sAMAccountName back to the source, so that if they come back it will be used.

If the authoritative system is not going to maintain the identities long term, a database could be used to retain Identities.

Hi @ts_fpatterson,
In such scenarios, it is generally observed that a database is maintained to store all historical email addresses and sAMAccountNames of the identities. This enables us to refer back and generate unique emails using beforeCreate or afterCreate rules, or to link the sAMAccountName/email in the case of rehires.

Hi @sahincelik, you can create an alternative source to maintain a backup of the account, storing crucial details such as email and sAMAccountName [Plus more]. You have the option to construct a Delimited File [Manually Create] or create a JDBC source [Provision/Automate Account], and using the ‘Rule’ as a wrapper, this should resolve your issue.

Using ISCRuleUtil as a Wrapper for Common Rule Operations | SailPoint Developer Community

Account Profile Attribute Generator | SailPoint Developer Community

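
The replies above agree on the shape of the solution: before issuing a sAMAccountName, check the candidate against both the live AD accounts and a separate history source that keeps every name ever issued, then record the chosen name in that history so it is never generated again. The following is an added example, not code from this thread or from SailPoint, that models that logic in plain Python so it can be run offline; a BeanShell generator rule in IDN would follow the same steps, with the two lookups replaced by queries against the AD source and the JDBC/delimited history source. `NameRegistry`, `generate_sam_account_name` and the sample names are hypothetical and constructed for the example. It also enforces the sAMAccountName constraints a practitioner has to respect when appending a counter: at most 20 characters, no characters from the AD-forbidden set, and case-insensitive uniqueness.

```python
import unicodedata
from dataclasses import dataclass

# Constraints on the pre-Windows 2000 logon name (sAMAccountName): at most
# 20 characters, none of the characters below, and AD compares the value
# case-insensitively, so the uniqueness check must be case-insensitive too.
SAM_MAX_LEN = 20
SAM_INVALID_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_SUFFIX = 999  # stop rather than loop forever if a base name is exhausted


def sam_safe(part: str) -> str:
    """Fold a name part to lowercase ASCII letters and digits only
    (strips diacritics, apostrophes, hyphens, spaces and the forbidden set)."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def is_valid_sam(name: str) -> bool:
    """Check the AD constraints on a candidate sAMAccountName."""
    return (
        0 < len(name) <= SAM_MAX_LEN
        and not (set(name) & SAM_INVALID_CHARS)
        and not name.endswith(".")
    )


@dataclass
class NameRegistry:
    """Hypothetical stand-in for the two lookups a generator rule would make:
    ad_accounts = names currently present in the AD source,
    history      = every name ever issued (the JDBC/delimited history source
                   from the thread), retained after the AD account is deleted."""
    ad_accounts: set
    history: set

    def __post_init__(self):
        self.ad_accounts = {a.lower() for a in self.ad_accounts}
        self.history = {h.lower() for h in self.history}

    def in_use(self, candidate: str) -> bool:
        c = candidate.lower()
        return c in self.ad_accounts or c in self.history

    def reserve(self, name: str) -> None:
        """Record the issued name so it is never generated again, even after
        the AD account for it is removed."""
        self.history.add(name.lower())


def generate_sam_account_name(first: str, last: str, registry: NameRegistry) -> str:
    """First initial + last name, then a numeric suffix until a never-used
    value is found; the base is trimmed so the suffix still fits in 20 chars."""
    base = (sam_safe(first)[:1] + sam_safe(last)) or "user"
    candidate = base[:SAM_MAX_LEN]
    suffix = 0
    while registry.in_use(candidate):
        suffix += 1
        if suffix > MAX_SUFFIX:
            raise RuntimeError(f"no free sAMAccountName for base {base!r}")
        tail = str(suffix)
        candidate = base[:SAM_MAX_LEN - len(tail)] + tail
    registry.reserve(candidate)  # write-back to the history source
    return candidate


if __name__ == "__main__":
    # Constructed data: jsmith exists in AD, jsmith1 left and was deleted but
    # stays in history, so the next John Smith must become jsmith2.
    reg = NameRegistry(ad_accounts={"JSmith"}, history={"jsmith", "jsmith1"})
    print(generate_sam_account_name("John", "Smith", reg))
```

The important detail for the original requirement is that `reserve()` writes to the history set, not to the AD set: the AD account can disappear later, but the history entry is what keeps the name from being reused. In an IDN rule the equivalent write-back would be done by provisioning an account to the history source, as the earlier reply suggests.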
Thanks all for the recommendations.

@amahlemohlokonya If I understand you correctly, we can use the ISCRuleUtil when creating new AD accounts, allowing us to search the DB source to check whether the sAMAccountName is already in use. Is that correct?

Hi @sahincelik, yes, that’s correct.

Awesome! Thanks for confirmation!