Any update in Services Standard IdentityNow BeforeProvisioning Rule is not working

Hi,
During user offboarding, the following actions are performed. The manager updateAttribute code has been added recently. But when offboarding happens, the manager value is not getting set to null or empty.

            {
                "eventActions": [
                    {
                        "Action": "ScramblePassword",
                        "Attribute": "password",
                        "Value": null
                    },
                    {
                        "Action": "UpdateAttribute",
                        "Attribute": "description",
                        "Value": "Disabled by IdentityNow Automation on #{now.MM/dd/yyyy}"
                    },
                    {
                        "Action": "UpdateAttribute",
                        "Attribute": "manager",
                        "Value": null
                    },
                    {
                        "Action": "ADMoveAccount",
                        "Attribute": "AC_NewParent",
                        "Value": "OU=Disabled Users,DC=poc,DC=dcphpoc,DC=com"
                    }
                ],
                "Identity Attribute Triggers": [
                    {
                        "Attribute": "cloudLifecycleState",
                        "Value": "inactive",
                        "Operation": "eq"
                    }
                ],
                "Operation": "Disable"
            },

Hi @jkalle,

The manager update should work as part of the rule.

Do you have an attribute sync for the manager attribute that could be re-populating the value in AD?

Hi Jagadeesh,
This is working fine in my environment. I have not seen any issues related to the same. Could you please let me know your configuration for the same? Are you removing the attribute from the authoritative source? If not, then you will need to remove it from the authoritative source; only then will it remove it from the target.

Thanks
Rakesh Bhati

Yes, we do have Manager attribute sync. Do you think it is populating from SailPoint Identity to the AD account?

Hi Rakesh, We cannot remove Manager value from authoritative source.

If you remove the manager value through the Before Provisioning rule, but you have attribute sync set up on the manager, it will populate the value back into Active Directory. You can set the value of manager from your auth source into a manager attribute but also create a specific identity attribute (e.g. ADManager) to sync the manager to AD. Use a transform to remove the manager value from ADManager once the user has been moved into the OU=Disabled Users.

Note: You don’t want to update the ADManager attribute until after the user has been moved into the disabled OU. Otherwise you will get an event that is trying to clear the ADManager attribute in the original OU and the event to disable the account and move to the OU=Disabled Users. The events will compete and one will likely error.
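An offline check of the conflict described above, as an added example that is not part of the original posts and is not SailPoint code: it flags `UpdateAttribute` actions whose target attribute is also written by attribute sync with a different value. The `sync_map` and `identity` inputs and the sample manager DN are assumptions constructed for illustration.

```python
import json

# Constructed sample: the Disable entry quoted in the question, trimmed to its actions.
DISABLE_ENTRY = json.loads("""
{
  "eventActions": [
    {"Action": "ScramblePassword", "Attribute": "password", "Value": null},
    {"Action": "UpdateAttribute", "Attribute": "description",
     "Value": "Disabled by IdentityNow Automation on #{now.MM/dd/yyyy}"},
    {"Action": "UpdateAttribute", "Attribute": "manager", "Value": null},
    {"Action": "ADMoveAccount", "Attribute": "AC_NewParent",
     "Value": "OU=Disabled Users,DC=poc,DC=dcphpoc,DC=com"}
  ],
  "Operation": "Disable"
}
""")


def find_sync_conflicts(entry, sync_map, identity):
    """List UpdateAttribute actions that attribute sync would overwrite.

    sync_map: account attribute -> identity attribute synced to it (hypothetical input)
    identity: identity attribute values once the user is inactive (hypothetical input)
    """
    findings = []
    for action in entry.get("eventActions", []):
        if action.get("Action") != "UpdateAttribute":
            continue
        attr = action["Attribute"]
        if attr not in sync_map:
            continue  # nothing syncs to this attribute, so the rule's value sticks
        synced_value = identity.get(sync_map[attr])
        if synced_value != action["Value"]:
            # sync will write synced_value back over what the rule set
            findings.append((attr, sync_map[attr], synced_value))
    return findings


# Constructed identity: manager still comes from the authoritative source, while
# ADManager is the dedicated attribute whose transform yields no value when inactive.
IDENTITY = {"manager": "CN=Jane Doe,OU=Users,DC=poc,DC=dcphpoc,DC=com", "ADManager": None}

if __name__ == "__main__":
    print(find_sync_conflicts(DISABLE_ENTRY, {"manager": "manager"}, IDENTITY))
    print(find_sync_conflicts(DISABLE_ENTRY, {"manager": "ADManager"}, IDENTITY))
```

With sync sourced from `manager` the check reports the overwrite; with sync sourced from the cleared `ADManager` attribute it reports nothing.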

Will try to create a transform to remove the manager value. That seems to be a reasonable solution here. Thanks Alicia