Any update in Services Standard IdentityNow BeforeProvisioning Rule is not working

Identity Security Cloud (ISC) ISC Discussion and Questions
1

Hi,
During user offboarding, following actions are performed. The manager updateAttribute code has been added recently. But when offboarding happens, manager value is not getting set to null or empty.

           {
                "eventActions": [
                    {
                        "Action": "ScramblePassword",
                        "Attribute": "password",
                        "Value": null
                    },
                    {
                        "Action": "UpdateAttribute",
                        "Attribute": "description",
                        "Value": "Disabled by IdentityNow Automation on #{now.MM/dd/yyyy}"
                    },
                    {
                        "Action": "UpdateAttribute",
                        "Attribute": "manager",
                        "Value": null
                    },
                    {
                        "Action": "ADMoveAccount",
                        "Attribute": "AC_NewParent",
                        "Value": "OU=Disabled Users,DC=poc,DC=dcphpoc,DC=com"
                    }
                ],
                "Identity Attribute Triggers": [
                    {
                        "Attribute": "cloudLifecycleState",
                        "Value": "inactive",
                        "Operation": "eq"
                    }
                ],
                "Operation": "Disable"
            },
2

Hi @jkalle,

The manager update should work as part of the rule.

Do you have an attribute sync for the manager attribute that could be re-populating the value in AD.?

1 Like
3

Hi Jagadeesh,
This is working fine in my environment. I have not seen any issues related to the same. Could you please let me know you configuration for the same ? Are you removing the attribute from authorative source ? If no then you will need to remove it from Authorative source then only it will remove it from the target.

Thanks
Rakesh Bhati

4

Yes we do have Manager attribute sync.Do you it is populating from SailPoint Identity to AD account?

5

Hi Rakesh, We cannot remove Manager value from authoritative source.

6

If you remove the manager value through the Before Provisioning rule, but you have attribute sync setup on the manager, it will populate the value back into Active Directory. You can set the value of manager from your auth source into a manager attribute but also create a specific identity attribute (ex. ADManager) to sync the manager to AD. Use a transform to remove the manager value from ADManager once the user has been moved into the OU=Disabled Users.

Note: You don’t want to update the ADManager attribute until after the user has been moved into the disabled OU. Otherwise you will get an event that is trying to clear the ADManager attribute in the original OU and the event to disable the account and move to the OU=Disabled users. The events will compete and one will like error.

7

Will try to create a transform to remove the manager value. That seems to be reasonable solution here. Thanks Alicia

8

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.