Best practice to clear an AD single-value attribute in ISC Before Provisioning Rule: Set empty string vs Remove null

Hi SailPoint Community,

I’m working on an Identity Security Cloud Before Provisioning Rule for an Active Directory source.

The use case is related to external user lifecycle management:

  • During Disable / Leaver, the AD attribute adminDescription is set to: UserNotCloud

  • During Enable / Reactivation, the same attribute should be cleared, so that adminDescription no longer contains UserNotCloud.

In the Before Provisioning Rule, during the AccountRequest.Operation.Enable, I currently add the following attribute request:


accountRequest.add(new AttributeRequest("adminDescription", ProvisioningPlan.Operation.Set,""));

The provisioning event shows that the request is sent to the connector:


Committed: Sent to the connector

ACCOUNT REQUEST
Enable account: CN=...

ATTRIBUTE REQUESTS
Set AC_NewParent: OU=...
Set adminDescription: Unknown

So the Before Provisioning Rule seems to be executed correctly, and the adminDescription attribute request is included in the provisioning plan. However, I would like to confirm the best practice for clearing an AD single-value string attribute from an ISC provisioning plan.

My questions are:

  1. For an Active Directory single-value attribute like adminDescription, what is the recommended way to clear the existing value from a Before Provisioning Rule?

Should we use:


new AttributeRequest(
    "adminDescription",
    ProvisioningPlan.Operation.Set,
    ""
);

or:


new AttributeRequest(
    "adminDescription",
    ProvisioningPlan.Operation.Remove,
    null
);

  2. In ISC provisioning events, is it expected that Set adminDescription with an empty string is displayed as Unknown?

  3. Does Operation.Remove with null for a single-value AD attribute mean “clear the value on the target account”, or is it only intended for removing entitlement/multi-value attribute values?

  4. Are there any AD connector-specific considerations when trying to clear an attribute value through a Before Provisioning Rule?

Any recommendation or confirmed best practice would be appreciated.

Thanks!

Hi @Antonio1

Great questions. This is one of the AD connector behaviors. Here’s what SailPoint’s documentation and connector best practices say:

Clearing AD Single‑Value Attributes in Provisioning Plans

1. ProvisioningPlan.Operation.Set with empty string ( "" )

  • This sends a “set value” request with an empty string.
  • In AD, that often shows up as Unknown in ISC logs because the connector doesn’t display empty strings cleanly.
  • Result: The attribute may be set to an empty string, but not truly cleared. Some AD attributes don’t accept empty string as valid, so the connector may ignore it.

2. ProvisioningPlan.Operation.Remove with null

  • This is the recommended way to clear a single‑value attribute.
  • For AD connectors, Remove with null translates to “clear the attribute value on the target account.”
  • Remove is not only for multi‑value entitlements — it works for single‑value attributes too.
  • This ensures the attribute is actually blanked out in AD.

Connector‑Specific Considerations
Below are the things that need to be considered specifically for the AD connector when setting an attribute to null.

  • AD schema: Some attributes (like description, adminDescription) accept null but not empty string.
  • Logs: Seeing “Unknown” in provisioning events is expected when you try to set "". It’s a connector artifact.
  • Best practice: Use Remove with null for clearing values. Use Set only when you want to replace with a specific string.
  • Testing: Always validate by checking the AD account directly after provisioning — not just ISC logs.

So the answer for your question is:

  1. Use Remove with null for clearing AD single‑value attributes like adminDescription
  2. Yes, seeing Unknown when setting the attribute value to "" is expected behavior.
  3. Yes, it means “clear the value on the target account,” and it is not limited to multi‑value attributes or entitlements. When you use Remove with null, the connector interprets it as “set this attribute to empty/blank,” which clears the field in AD. This is the recommended way to blank out attributes like adminDescription, description, or extensionAttributeX.
  4. See the connector-specific considerations above.

The recommended best practice is to use the second code snippet, with “Remove.”

new AttributeRequest(
    "adminDescription",
    ProvisioningPlan.Operation.Remove,
    null
);

Thanks - Shantha
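The following is an added example of a complete Before Provisioning Rule body that applies the recommendation above in both directions of the lifecycle described in the original question: Set with the marker string on Disable, Remove with null on Enable. It is not code from the original post or from SailPoint; it assumes ISC injects the usual `plan` variable (a `sailpoint.object.ProvisioningPlan`) into the rule and that the AD source is named "Active Directory" (adjust `AD_SOURCE` to your source name). The `getAttributeRequest` guard is there so the rule does not add a second request for the same attribute if a provisioning policy or another rule has already added one.

```java
// Added example Before Provisioning Rule body (not from the original post).
// Assumptions: ISC injects "plan" (sailpoint.object.ProvisioningPlan) into the rule,
// and the AD source is named "Active Directory".
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String AD_SOURCE = "Active Directory";      // assumption: your AD source name
String MARKER_ATTR = "adminDescription";    // single-value AD string attribute
String MARKER_VALUE = "UserNotCloud";       // value stamped on Disable / Leaver

List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {
    for (Object o : accountRequests) {
        AccountRequest accountRequest = (AccountRequest) o;

        // Leave requests for other sources untouched.
        if (!AD_SOURCE.equals(accountRequest.getApplication())) {
            continue;
        }

        // Do not add a duplicate request if one for this attribute is already in the plan.
        if (accountRequest.getAttributeRequest(MARKER_ATTR) != null) {
            continue;
        }

        AccountRequest.Operation op = accountRequest.getOperation();

        if (AccountRequest.Operation.Disable.equals(op)) {
            // Leaver: we want a specific value on the account, so Set with a
            // concrete string is the right operation here.
            accountRequest.add(new AttributeRequest(MARKER_ATTR,
                    ProvisioningPlan.Operation.Set, MARKER_VALUE));

        } else if (AccountRequest.Operation.Enable.equals(op)) {
            // Reactivation: clear the marker. Remove with null tells the AD
            // connector to delete the attribute value. Set with "" does not
            // reliably clear it and shows up as "Unknown" in the provisioning event.
            accountRequest.add(new AttributeRequest(MARKER_ATTR,
                    ProvisioningPlan.Operation.Remove, null));
        }
    }
}

return plan;
```

After the Enable provisioning completes, confirm the result on the directory itself rather than in the ISC provisioning event, for example with `Get-ADUser <sAMAccountName> -Properties adminDescription` on a domain-joined host: a cleared attribute comes back with no value, whereas a Set with "" that the connector ignored will still show UserNotCloud.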

Thank you for the clear explanation.

This confirms the behavior we were seeing in the provisioning event, where setting an empty string was displayed as “Unknown” and did not reliably clear the AD attribute.

We will update the Before Provisioning Rule to use Operation.Remove with null for the adminDescription attribute during the Enable/Reactivation flow, and we will validate the result directly on the AD account after provisioning.

Thanks again for confirming that this is the recommended approach for clearing AD single-value attributes.

@Santhakumar That’s great that it can be done via the BP Rule. Have you ever managed to do it via the Provisioning Policies, either ENABLE or DISABLE? It’s not something that I’ve managed to achieve yet. I’ve got a fudge of a workaround, but would love to be able to null an attribute.
Thanks

Hey @phil_awlings

The answer is No.

  • Provisioning Policies cannot null out AD attributes by themselves.
  • To truly clear a single‑value attribute, you need a Before Provisioning Rule with Operation.Remove/null.