AfterModify AD connector rule

Please be sure you’ve read the docs and API specs before asking for help. Also, please be sure you’ve searched the forum for your answer before you create a new topic.

My requirement is,

1. I need to create second AD account to an identity based on request. So i configured a new source for the same AD and made entitlements for the new source as requestable.
2. After i create the second AD account, i need to create a new AD group and the identity’s primary AD account as the member of the new AD group
3. After i disable the AD account, i need to remove the membership of the AD group and delete the AD group
4. If i restore the AD account, again the new AD group should be created and add the identity’s primary AD account as the member of the new AD group

After reading various posts and articles, i came to a conclusion that AfterModify connector rule is the best option( i don’t have PTA VA in my env.). - Before and after operations on source account Rule | SailPoint Developer Community

When i execute the AfterModify connector rule i don’t see any identity details in the AccountRequest object.

How can i get the identity details so that i could add the identity’s primary AD account as the AD group member ?

is there any other better approach available than the AfterModify connector rule?

Appreciate your suggestions

Regards,

Kompala

can you use your correlation condition in finding the ADUser object’s primary account?

Thanks for the quick response.
If i understand your reply, you are asking me to do the AD account search using AD commands in the powershell script rather than trying to get the Identity details in the rule ?

correct. I am assuming you must have an attribute on both accounts to correlate it to the identity.

This way, i get the correlation attribute value from AD. If i need to get more Identity attributes i need to make API call to get additional details.
Is there is any other easy way to achieve this ?