Default/Fallback OU

ethompson · April 17, 2023, 1:20pm

A user is provisioned an AD account based on a few attributes such as location and store.

Example:
CN=Jon.Smith,OU=StoreA,OU=LocationA,DC=example,DC=com

If there is a new store and the OU has not yet been created, the provisioning would fail. Is there a way to fallback to a default OU if the initial fails?

Fallback:
CN=Jon.Smith,OU=Default,DC=example,DC=com

colin_mckibben · April 24, 2023, 2:59pm

I don’t think the Active Directory connector has knowledge of what OU’s are available in your AD instance before provisioning the account. Your best bet is to ensure the new store OU is created in AD before you begin assigning identities those OUs. For example, if you are assigning the new store OU based on a role membership or access request, don’t enable those until the OU is created.

If that is not feasible or desirable, you can try to create a before provisioning rule that calls the AD API to check for the existence of the store OU. If the OU doesn’t exist, then set the default.

matt_giblin · April 25, 2023, 3:03am

I believe you could accomplish this via a lookup transform. The transform looks at some attribute, I am looking at location attribute on my Human Resources source, that will give me the data to map to correct OU.

Create a new Identity Profile attribute and chose the source and attribute and then select the custom transform once it gets uploaded.

Create a new custom transform and upload to your tenant. Here is a sample:


{
    "id": "b9003503-a425-4b1f-8060-8adc689286e5",
    "name": "OU-Location",
    "type": "lookup",
    "attributes": {
        "input": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "location",
                            "sourceName": "Human Resources"
                        },
                        "type": "accountAttribute"
                    }
                ]
            },
            "type": "firstValid"
        },
        "table": {
            "Store1": "OU=Store1",
            "Store2": "OU=Store2",
            "Store3": "OU=Store3",
     "default": "OU=Staging"
        }
    },
    "internal": false
}

Once this the transform is uploaded and you have selected it in the Identity Profile test this by using the Preview to make sure the data is accurate. When satisfied update the profile.

Then in the create account for Active Directory you would reference the attribute you created - l used the attribute named OULocation (ex: CN:$(firstname).$(lastname)$(uniqueCounter),$(oulocation), DC=sample,DC=com). The oulocation would be the new identity attribute name. This will create the identity into the correct OU and if that OU doesn’t exist it will place the identity into the Staging OU.

ethompson · April 25, 2023, 4:28am

This is what I was leaning towards for simplicity. There is about 2800 combinations so it will require some scripting to keep it up to date as new OUs are created.

Topic		Replies	Views
AD group or OU creation using powershell ISC Discussion and Questions	3	1863	July 19, 2023
AD before provisioning rule to move OU on disable ISC Discussion and Questions identity-security-cloud	1	1021	July 19, 2023
AD account moves for Disabled Accounts ISC Discussion and Questions	6	3503	July 19, 2023
Error with Active Directory User creation IIQ Discussion and Questions identityiq , provisioning	6	642	October 27, 2023
Attribute Sync issue during termination and rehire(OU movement) ISC Discussion and Questions aggregation , identity-security-cloud	3	290	October 21, 2023

Default/Fallback OU

Related Topics