Clear AD manager by provisioning policy

Hi everyone, I’m having trouble clearing the manager field in Active Directory. I need to clear this field when the identity is terminated, but it’s doing something wrong.

```json
{
  "name": "Disable",
  "description": null,
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "manager",
      "transform": {
        "type": "static",
        "attributes": {
          "LCM": {
            "type": "identityAttribute",
            "attributes": {
              "name": "cloudLifecycleState"
            }
          },
          "value": "#if($LCM == 'terminated')-#{else}#end"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}
```


Hello, it’s most likely an error from the AD end. Have you tried replacing “-” with some string or letter? It could be that special characters aren’t allowed.

You’re encountering this behavior because Velocity logic is not evaluated within a Static Transform in SailPoint. Static Transform returns the value as-is (literal), so the manager attribute is never cleared as intended.

Recommended approach: Use a Conditional Transform
ISC provides a Conditional Transform designed for scenarios like this, where the output should vary based on an identity attribute or expression.

[Conditional | SailPoint Developer Community]

Example: Clear the AD manager attribute when lifecycle = terminated

```json
{
  "name": "manager",
  "type": "string",
  "isRequired": false,
  "isMultiValued": false,
  "transform": {
    "type": "conditional",
    "attributes": {
      "expression": "$lcm eq 'terminated'",
      "positiveCondition": "",
      "negativeCondition": null,
      "lcm": {
        "type": "identityAttribute",
        "attributes": {
          "name": "cloudLifecycleState"
        }
      }
    }
  }
}
```

Hi, SathishKumar, Thank you for your help, but the error persists.

Hi @guilherme_sec You can’t set the manager AD attribute to “-” as, if included, it has to be a DN to an existing object.

Hi @guilherme_sec

This constraint violated error is most likely from the AD side, as it does not allow setting manager to “-”. From my experience, it should be a proper reference to another user via the user's DN, or you may set it as blank, which of course will require you to update the transform. And frankly, I am not even sure if you can return a blank value from a disable provisioning policy, as it might skip the update if you try to do so.
So, I would suggest clearing the manager at the identity level or using a PowerShell script to update the manager and set it blank.

Thank You
Regards
Vikas.
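As an added example of the PowerShell route suggested above (not code from the thread or from SailPoint), the script below clears the AD manager attribute for a list of terminated accounts and verifies the result. It assumes the RSAT ActiveDirectory module is installed, and the sAMAccountName list is constructed for illustration; in practice it would come from an ISC search or export of identities whose cloudLifecycleState is terminated. The function name Clear-TerminatedManager is hypothetical.

```powershell
# Added example (not from the thread): clear the AD 'manager' attribute for
# terminated users, then read it back to confirm it is empty.
# Requires the RSAT ActiveDirectory module and an account delegated write
# access to the 'manager' attribute on the target user objects.
Import-Module ActiveDirectory

function Clear-TerminatedManager {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # sAMAccountNames of terminated identities (constructed sample below)
        [Parameter(Mandatory = $true)]
        [string[]] $SamAccountName
    )

    foreach ($sam in $SamAccountName) {
        try {
            $user = Get-ADUser -Identity $sam -Properties manager -ErrorAction Stop
        } catch {
            Write-Warning "$sam : lookup failed ($($_.Exception.Message))"
            continue
        }

        if ([string]::IsNullOrEmpty($user.manager)) {
            Write-Verbose "$sam : manager already empty, skipping"
            continue
        }

        # -Clear removes the attribute entirely. Writing a placeholder such as
        # "-" fails with a constraint violation because manager must be a DN.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Clear manager ($($user.manager))")) {
            Set-ADUser -Identity $user.DistinguishedName -Clear manager

            # Read back from the directory rather than trusting the write.
            $check = Get-ADUser -Identity $user.DistinguishedName -Properties manager
            if ([string]::IsNullOrEmpty($check.manager)) {
                Write-Host "$sam : manager cleared (was $($user.manager))"
            } else {
                Write-Warning "$sam : manager still set to $($check.manager)"
            }
        }
    }
}

# Constructed sample input; replace with the real export of terminated identities.
$terminated = @('jdoe', 'asmith')

# Dry run first, then the real change.
Clear-TerminatedManager -SamAccountName $terminated -WhatIf
Clear-TerminatedManager -SamAccountName $terminated -Verbose
```

Run it first with -WhatIf to see which objects would be touched, and run it under a service account that has been delegated only "Write manager" on the relevant OU rather than broad account-operator rights. Because -Clear removes the attribute rather than writing a value, it avoids the DN validation that rejects "-".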