Aggregate a specific orphan account

IIQ version: 8.2

I have an account in the same OU as the rest of our Active Directory users that isn’t a so-called user. It’s a user object, but a shared user account for a specific conference room. Is there a way to just pull in that account? I’ve tried adding an iterator LDAP search, but no such luck. I can’t turn off the option to only refresh accounts with links, because then it brings in a lot of other unnecessary accounts. I was going to create a new AD application and specifically set the DN to just that account, but it doesn’t allow you to have two AD applications. Anyone have any ideas on what I can do to bring this one additional account in?

Hi @angie_vetrone,

Have you tried a customization rule, or adding logic in an aggregation rule?

Hi @pravin_ranjan, I have not.

That was certainly a thought, I’m just unsure of what logic to add.

Hi @angie_vetrone,
In the application customisation rule, you can return the object whose sAMAccountName matches the conference room user you mentioned; that way the object will be returned. If you need to ignore an object, you have to return null.

Hi @angie_vetrone,

Do you want that account to be in IdentityIQ, or you just want to have a look at it?
I’d suggest that you use connectorDebug to pull that account via CLI.

If you want, you may build a Single Account Aggregation rule / workflow and use it to fetch this account. Here’s the reference link for a Compass article for the same:

If you tried it all and you’re still not able to even see this user, please check whether this user belongs to a different object class than the standard one. If it belongs to a different object class, you’ll need to build a custom rule that uses LDAP queries to fetch this user account into SailPoint, and then convert it to a Link object from there. This would be a completely different and custom approach.

Hope this helps.

It should be easy. In the Customization Rule you can put logic like the below.

if (object.getObjectType().compareTo(Connector.TYPE_ACCOUNT) == 0) {
    // Fetch object.getAttribute("XYZ"); XYZ is an attribute that is unique per account
    // (e.g. sAMAccountName), so you can compare it and return null for every other account.
    String xyz = (String) object.getAttribute("XYZ");
    if (xyz == null || !xyz.equals("ConfRoom")) {
        return null;   // not the conference room account: drop it
    }
}
return object;

That’s one option you can try.
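As an added example (not code posted in this thread), here is the filter described above written out as a complete IdentityIQ Customization Rule body. A Customization Rule is BeanShell with Java syntax; the aggregator supplies the `object` (a `sailpoint.object.ResourceObject`), `application`, `connector`, `state` and `log` variables and expects the rule to return the (possibly modified) ResourceObject, or null to drop it. The sAMAccountName value `ConfRoom` is an assumed placeholder taken from the DN mentioned later in the thread; substitute the real one. Because every other account read in the same run is dropped, this belongs in a dedicated aggregation run rather than the regular full aggregation.

```java
import sailpoint.connector.Connector;
import sailpoint.object.ResourceObject;

// Added example: IdentityIQ Customization Rule body (BeanShell, Java syntax).
// Rule inputs supplied by the aggregator: object, application, connector, state, log.
// Assumed placeholder: the conference-room account's sAMAccountName.
String CONF_ROOM_SAM = "ConfRoom";

// Only filter account objects; group objects (if any) pass through unchanged.
if (Connector.TYPE_ACCOUNT.equals(object.getObjectType())) {
    // sAMAccountName is unique within the domain, so it is a safe key to compare on.
    // It is the AD schema attribute name, so match the case used in your application schema.
    String sam = (String) object.getAttribute("sAMAccountName");
    if (sam == null || !sam.equalsIgnoreCase(CONF_ROOM_SAM)) {
        if (log.isDebugEnabled()) {
            log.debug("Customization rule dropping account " + object.getIdentity());
        }
        return null;   // null tells the aggregator to ignore this ResourceObject
    }
    log.info("Customization rule keeping conference room account " + object.getIdentity());
}

// Returning the object unchanged keeps it in the aggregation.
return object;
```

Quick check: run the aggregation once with debug logging enabled for the rule and confirm that exactly one "keeping" line appears; if none appears, the object is not being returned by the connector at all, and the Iterate Search Filter or search DN is the place to look, not the rule.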

I’ll give that a whirl! Appreciate the help!

Thank you!

Hi @angie_vetrone

Did that work? Please let us know.

Hi @pravin_ranjan - I tried a few things and looked for other pieces of code to try and replicate, but unfortunately coding isn’t my strong suit. I’m still working on it.

I did also read the “aggregate one account” documentation several times prior to posting this question. I’ve tried all different types of iterator filters etc. The only thing that works is if I uncheck “Refresh Identity Entitlements for all links”, which makes sense; however, it then brings in all the other accounts that I don’t want as well.

@angie_vetrone
Do you mean you need only one account under the AD application? That does not look like a good approach in reality, if that is the requirement.

Can you elaborate more on your actual requirement so that we can help, even with a rule if you are not comfortable coding? From there you can start to pick things up and learn.

Hi Satish - no, I have thousands of other user objects (identities) from AD in SailPoint. The issue is, we have other user object accounts used as shared-type accounts for our admin assistants to set up boardroom meetings etc. Because this account is in the same OU as the other thousands of accounts, but isn’t technically an identity from HR, that’s where the problem exists. I don’t want to uncheck “create identities even if the links don’t exist” in the refresh because it’ll bring in the other user object accounts that we don’t want in the system.

Hope that helps.

Is it possible to share that object from AD and also the application XML with the search filter?

If my understanding is correct, you already have regular user accounts, and along with those you want to bring in this account as well; however, this account is not a regular user and is not tied to any valid identity, and unchecking “create identities” would bring in other orphan accounts as well, which you don’t want to happen? But you need this account to be aggregated in SailPoint along with the other valid users.

@iamksatish yes, exactly!

Rather than exporting the whole XML for the app and the full object, are there certain screenshots that might help?

The account is in the same OU in AD as all the other user objects I’m pulling. I have the entirety of the OU in the Search DN in the application config. I tried adding the orphaned account in the search DN by itself and I also tried adding it in the Iterate Search Filter.

Please send a screenshot from AD showing the complete OU and object details with attributes, or confirm whether you are able to search given the same DN and attributes of the object, and give the search filters you have in the application and also what you tried.

One quick check: if you run the Single Account Aggregation, does this account aggregate?

Sure, I’ll get the other info tomorrow morning. I’m just a bit leery of posting full internal DNs online.

Regarding your question on whether the single account aggregation pulls in the account, that’s what I’m trying to accomplish. Maybe I’m misunderstanding your question.

Appreciate your help.

Maybe I’m entering the search criteria in the wrong place? Unfortunately, I can’t screenshot due to company policy. I’m entering the account search criteria in the Iterator Search under the DN field.

So the Account Search DN is: OU=CompanyUsers,DC=Company,DC=com (this is where all the accounts exist that are being pulled).

I’m then entering CN=ConfRoom,OU=CompanyUsers,DC=Company,DC=com in the iterator search. I’ve also tried just CN=ConfRoom, as it resides in the initial search DN.

Hi Angie Vetrone,
You need to modify the value of the Iterate Search Filter in the configuration settings of your application. Please refer to this link for examples.
Caution! While aggregating, do not select “Detect deleted accounts”.
Active Directory: LDAP Syntax Filters

Hi Priyam - Thanks. I’m entering (cn=account1) in the Active Directory Application Iterate Search Filter in the User Search Scope section. I aggregated without the detect deleted accounts but still no luck.

Hi Angie Vetrone,
Try this instead in the Active Directory Application Iterate Search Filter

(cn=ConfRoom) or (sAMAccountName=“your ConfRoom sAMAccountName”)

Regards,
Priyam
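As an added illustration (not part of the post above): an LDAP search filter uses prefix operators, so if you want to test both conditions in a single Iterate Search Filter, the two alternatives are written as one filter combined with `|`, not as two filters joined by the word "or". The values `ConfRoom` are assumed placeholders; substitute the real cn and sAMAccountName. A full DN such as `CN=ConfRoom,OU=CompanyUsers,DC=Company,DC=com` is a search base, not a filter, and belongs in the search DN field; the filter field only takes the parenthesised expression.

```text
# Either attribute matches the conference-room account (LDAP OR is a prefix operator):
(|(cn=ConfRoom)(sAMAccountName=ConfRoom))

# Same match, additionally restricted to user objects so nothing else in the OU is iterated:
(&(objectCategory=person)(objectClass=user)(sAMAccountName=ConfRoom))
```

Check: before changing the application, run the same filter against the same search base with a plain LDAP client (for example the AD "Find" dialog with a custom LDAP query, or `ldapsearch -b "OU=CompanyUsers,DC=Company,DC=com" "(sAMAccountName=ConfRoom)"`); if that returns zero objects, the problem is the filter or base, and no aggregation option will fix it.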