Attributes keep reverting back to previous settings

Hello SailPoint Community,

I have a strange issue that I couldn’t find any documentation on. I have a demo tenant that I am using for a lab. The tenant’s source is a virtual server running Active Directory. In Active Directory, the identity “Jacob Ozone” has a manager, “Maya Villanueva”. For some reason, every time the tenant runs a scheduled aggregation, it changes Jacob’s manager to himself. I reviewed AD and realized Jacob had himself as the manager, so I updated his profile. Unfortunately, every time an aggregation runs, it reverts back to Jacob as the manager. I’m not sure if there’s a simple setting that I’m overlooking.

Sometimes, it corrects itself and changes back to Maya, only to revert again. It feels like I’m playing whack-a-mole!

Some things that I have tried:

  • Ran a manual aggregation from source
  • Ran aggregation from the identity
  • Ensured manager is correctly mapped on the identity profile
  • Removed the manager attribute from the identity profile, aggregated it, and then re-added it.

Hi Ismael,

Are you creating users in Active Directory via SailPoint? If yes, please check the mapping in CreateProvisioning and also verify whether this attribute is part of attribute sync.

Thanks,
Neetu Dixit

In your Create Account (and attribute sync), are you using the Manager’s distinguishedName (DN)?

  • Can you show us what your Account Correlation configuration on the AD source looks like? Probably a mismatch of userId - uid mapping instead of managerId - uid mapping.
  • Also let us know if you have a manager field on the Create Account page of the AD source config and what it is mapped to.
  • Is manager part of attribute sync on the AD source?

No, this is for existing users already in AD. It seems like each time a scheduled aggregation is run, it changes the manager of Jacob Ozone.

This is for account correlation:

This is the manager field for Create Account:

And this is for Attribute Sync. Not sure why manager is not part of it.

Thanks for the screenshots @izzy1. Firstly, I’d suggest deleting the “Display Name” and “Manager Name” attributes from your Correlation configuration. You do not want to correlate target accounts to their identities based on such conflicting or common fields. Correlation config is defined to link your target account to your SailPoint Identity using a unique identifier. Here “Display Name” and “Manager Name” are not your unique identifiers, hence, please do get rid of them.

The best practice would be to do the below:

  1. On the relevant identity profile, create a new identity attribute to hold the distinguished name for the identity, and map it to the distinguishedName attribute on your Active Directory source.

  2. Upload the below transform to your tenant:
{
	"attributes": {
		"attributeName": "distinguishedName",
		"name": "Cloud Services Deployment Utility",
		"operation": "getReferenceIdentityAttribute",
		"uid": "manager"
	},
	"name": "Determine Manager DN",
	"type": "rule"
}

  3. Create another new identity attribute to hold the distinguished name of the identity’s manager by mapping it to the new transform just uploaded.

  4. Save and refresh the identity profile and check that the attributes are populated with the expected data.
     • The Distinguished Name attribute should hold the DN of the identity
     • The AD Manager Distinguished Name attribute should hold the DN of the identity’s manager
     • Ensure the identity has a correlated manager and that the manager identity has an AD account.

  5. In your Active Directory source, navigate to the create profile and change the mapping of the manager attribute to the new identity attribute:

  6. Navigate to Account Sync on the Active Directory source and enable synchronisation for the manager attribute. Once you do this, the manager attribute will be available to sync. Only attributes mapped directly to “Identity Attribute” on the Create Account page will be part of attribute sync.

Try to make these changes and let me know how it goes.

Thanks,
Arshad.
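To make the reasoning in the answer above concrete, here is an added worked example (not code from the thread, the tenant, or SailPoint). It emulates locally, on constructed sample data, the three things the steps rely on: correlating accounts to identities on a unique key rather than on display name, the reference-identity lookup that the "Determine Manager DN" transform performs (resolve the identity's manager, then read that manager's distinguishedName attribute), and the attribute-sync diff that would push the resolved manager DN back to AD. The identity and account records, the OU path, and the second "Jacob Ozone" are all assumptions invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    uid: str                    # unique identity attribute, here sAMAccountName
    display_name: str
    manager_uid: Optional[str]  # uid of the correlated manager identity, if any


@dataclass
class AdAccount:
    sam: str                    # sAMAccountName on the AD account
    display_name: str
    dn: str                     # distinguishedName
    manager: str                # manager DN as stored in AD ("" if unset)


# Constructed sample data (assumption, not from the thread's tenant). Jacob's AD
# account lists himself as manager while his identity's manager is Maya. A second
# "Jacob Ozone" with a different uid shows why displayName is not a safe
# correlation key.
LAB = "OU=Users,DC=lab,DC=local"
IDENTITIES = [
    Identity("mvillanueva", "Maya Villanueva", None),
    Identity("jozone", "Jacob Ozone", "mvillanueva"),
    Identity("jozone2", "Jacob Ozone", "mvillanueva"),
]
ACCOUNTS = [
    AdAccount("mvillanueva", "Maya Villanueva", f"CN=Maya Villanueva,{LAB}", ""),
    AdAccount("jozone", "Jacob Ozone", f"CN=Jacob Ozone,{LAB}", f"CN=Jacob Ozone,{LAB}"),
    AdAccount("jozone2", "Jacob Ozone", f"CN=Jacob Ozone2,{LAB}", ""),
]


class CorrelationError(Exception):
    """Raised when a correlation key matches more than one account."""


def correlate(identities: List[Identity], accounts: List[AdAccount],
              key: str) -> Dict[str, AdAccount]:
    """Link each identity to at most one account by `key` ("uid" or "displayName").

    An ambiguous match is an error: this is the failure mode of correlating on
    Display Name / Manager Name instead of a unique identifier.
    """
    linked: Dict[str, AdAccount] = {}
    for ident in identities:
        if key == "uid":
            matches = [a for a in accounts if a.sam == ident.uid]
        elif key == "displayName":
            matches = [a for a in accounts if a.display_name == ident.display_name]
        else:
            raise ValueError(f"unknown correlation key {key!r}")
        if len(matches) > 1:
            raise CorrelationError(f"{ident.uid}: {key} matches {len(matches)} accounts")
        if matches:
            linked[ident.uid] = matches[0]
    return linked


def manager_dn(ident: Identity, by_uid: Dict[str, Identity],
               linked: Dict[str, AdAccount]) -> Optional[str]:
    """Emulates the reference-identity lookup done by the transform: follow this
    identity's manager reference and return that identity's distinguishedName
    attribute, i.e. the DN of the manager's correlated AD account. Returns None
    when there is no correlated manager or the manager has no AD account."""
    if ident.manager_uid is None or ident.manager_uid not in by_uid:
        return None
    mgr_account = linked.get(ident.manager_uid)
    return mgr_account.dn if mgr_account else None


def plan_manager_sync(identities: List[Identity],
                      accounts: List[AdAccount]) -> List[Tuple[str, str, str]]:
    """Attribute-sync diff: (account DN, current AD manager, manager DN to push)
    for every account whose AD manager differs from the identity-derived value."""
    linked = correlate(identities, accounts, "uid")
    by_uid = {i.uid: i for i in identities}
    changes = []
    for ident in identities:
        acct = linked.get(ident.uid)
        if acct is None:
            continue
        desired = manager_dn(ident, by_uid, linked)
        if desired is not None and desired != acct.manager:
            changes.append((acct.dn, acct.manager, desired))
    return changes


def self_managed(accounts: List[AdAccount]) -> List[str]:
    """DNs of accounts whose manager attribute points at themselves (the symptom)."""
    return [a.dn for a in accounts if a.manager and a.manager == a.dn]


if __name__ == "__main__":
    print("self-managed accounts:", self_managed(ACCOUNTS))
    try:
        correlate(IDENTITIES, ACCOUNTS, "displayName")
    except CorrelationError as e:
        print("displayName correlation failed:", e)
    for dn, current, desired in plan_manager_sync(IDENTITIES, ACCOUNTS):
        print(f"{dn}: manager {current!r} -> {desired!r}")
```

Run it once before and once after fixing the manager reference on the identity side: the diff produced by plan_manager_sync is what attribute sync would write to AD on the next run, so if the identity's manager is wrong (or uncorrelated), the sync will keep writing the wrong DN and the aggregation will keep reading it back, which is the loop described in the question.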

Thanks for the info, Arshad. I’m new to using Postman and still learning the API process, so I’m not entirely sure how to submit the transform. So far, I have my PAT and have submitted a couple of test GET and POST requests. Can you give me a quick rundown of how to submit the transform?

Belay my last comment. I was able to add the transform and configure it on the identity profile. So far it’s sticking. I’ll check again tomorrow to see if it fully sticks.

@izzy1 Hoping the solution worked for you. If yes, please feel free to mark it as the solution.

It did not. I think the next thing I’m going to try is an unoptimized account aggregation. When I first discovered the issue, I noticed the account in question had himself listed as the manager on the AD source. Maybe it needs a fresh aggregation.

Another thing I noticed with the same account is after every scheduled aggregation, he loses certain roles and entitlements. I’m not concerned about this because it is a demo lab but I can’t help but think both things are related.