Atomic account updates

Hoping that someone has implemented a similar use-case.

We need to do a SOAP integration with the Web Services connector involving accounts, groups and group memberships.

When provisioning accounts, the target system requires all updates to accounts to be atomic - in that every attribute and group membership must be present on an account that is provisioned to the target system, any time the account is updated or gets a groupmembership added or removed.

So my question is, has anyone tried implementing something like this?

Seeing as it doesn’t seem possible to enrich a provisioningPlan for every operation in ISC itself, I’m thinking to call the ISC API from a BeforeRule and fetch the identity and any entitlements for the relevant account being updated so that I can enrich the SOAP payload before it is sent, but I’m wondering if there’s an easier way to do it.

If you have to send only all the account attribute you can change the “Update provisioning policy” and make it similar to the creation provisioning policy , but since you should send all the entitlements, think about using Before Provisioning Rule to enrich the provisioning plan, see if you can get the links and the associated accesses.

Thank you for the suggestion.
I solved it with before/after rules on the Web Services connector, since the cloud rule approach is too cumbersome for our client.