Connector sync vs update provisioning policy?

I am trying to understand some behaviour in my environment. Some connector has this update provisioning policy:

At an Identity Refresh, this attribute is added:

Sync is disabled for all attributes in this connector. Why is the policy called at identity refresh? The connector processes it like an update.

(I understood that provisioning policies add attributes to the plan, but only on sync events. Am I wrong?)

I’m not sure why this is added, but if you are using VS Code, I too can see this behavior when I do some update in AD provisioning plan via SailPoint ISC VS Code Extension. So, I get rid of it by using the provisioning plan APIs via Postman. Somehow the VS Code extension is not behaving correctly on provisioning plan.

@yannick_beot Would this make sense to you if they are using VSCode to update their provisioning plan?

No, it does not make sense @agutschow
I fail to see what could be the difference between the VSCode Extension and calling the API and the VSCode extension is ultimately using the API…

@suresh4iam Can you give more details? Which endpoint are you using? With which payload?

@Juanisola Are you updating the plan? Is there a chance that the attribute is not read back during an aggregation?

@yannick_beot For example, recently when I was trying to remove the attributes from ENABLE provisioning plan in VS Code extension, it did remove and saved. But during the next account provisioning, the attributes are recreated again in the policy. So, I used update-provisioning-policies-in-bulk | SailPoint Developer Community API and added the entire provisioning policy which includes all the usage types such as CREATE, UPDATE and ENABLE. I updated ENABLE plan with empty fields like below.

    {
        "name": "Enable",
        "description": null,
        "usageType": "ENABLE",
        "fields": []
    }

This resolved my issue and it keeps the other provisioning policy and only cleaned up the ENABLE policy. Also, it didn’t work when I used the update provisioning policy API update-provisioning-policy | SailPoint Developer Community to only update the ENABLE usage type. This returns a 200 response but did not update the provisioning policy.

Let me know if you need any other information.

@jsosa this is the default behavior of update provisioning policies — they are triggered during an identity refresh, whether the attribute is modified or not. We are experiencing a similar issue with the HCL Domino connector.

I saw a post from SailPoint that recommends not using them. I will try to find this post again and share it with you.

Update Provisioning Policy - Identity Security Cloud (ISC) / ISC Community Knowledge Base - SailPoint Developer Community