We have multiple accounts in a source, but only one is the primary one for each identity. We captured the username for that primary account as an attribute in the identity profile.
We need to assign access profiles to the primary account but the “Multiple Account Options” in the UI only allows attribute matches to a static pattern (equals / not equals / contains a static string).
I tried to use the API endpoint to customize the provisioningCriteria for said access profile in order to pass an IdentityAttribute transform to the “value” parameter, but it seems that input doesn’t work.
Is there any other way to build the matching condition that I can use under “Multiple Account Options”, so we can provision this access profile to the primary account in the target source?
Thanks Shantanu, I’d like to have a dynamic value instead of a hardcoded string.
I tried to use the access-profile API to modify provisioningCriteria using IdentityAttribute transform (whose result is a string), but not sure if that’s supported.
If this doesn’t work, how can I target accounts whose username == primaryUserName for each identity matching the criteria of the role that contain this access profile?
Hey @eabedrapo1 ,
Is there any attribute in target source by which we can decide if that is a primary account or not ?
e.g. if target source is Active Directory, and if there is an attribute called extensionAttribute1, which holds value True or False based on if it is primary account or not…
I am saying this because the multiple account criteria can only be applied on the target source attribute.
Even if what you are trying to do is achievable, its a cyclic condition that might cause issues in the system, because you are trying to compare account attribute value with identity attribute value, which has got the value from the same account attribute.
Unfortunately we’re only able to read from AD, but we don’t have physical access to manipulate AD values (we could initiate a “sanitization project” with the team that manages that mess, but I would rather avoid that because it would take years to complete).
Our workaround to deal with these multiple accounts was to capture the primary sAMAccountName in the identity profile which worked to target some Okta applications that still rely on that AD source. First time I heard about “cyclic conditions” for this approach, could you elaborate further what risks do you see here?
I am just saying that, let’s say, you could use identity attribute with $ sign in the value section of Access Profile Multiple account,
Lets say you have captured “sAMAccountName” in an identityAttribute called “Account Name”. So you will use $accountName in the Multiple accounts section criteria.
Your criteria would be sAMAccountName Equals $accountName.
I am just saying that you are getting the sAMAccountName value in identity Attribute “Account Name” and also at the same time trying to compare that value with the AD Account Attribute “sAMAccountName”.
So, since we do not know which task SailPoint takes up first, taking account attribute value in identity attribute or compare the multiple account criteria, you might end up with error while assigning those access profile to primary account.
This is what I am imagining, assuming that you could use $accountName…
Hi @mohammedfavazhrb, this solution didn’t work, but I think it’s the closest I’ve reached. I’ll explore to resolve this via Workflows, but in the meanwhile I’ll mark your answer as the “Solution” for this thread.