Does SailPoint IIQ track DN changes happening outside IIQ?

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

Our client reported that when the DN of an AD account changes outside of IIQ and that change is then aggregated, SailPoint is not able to track that account, since its DN changed. So after running IR, it results in unwanted re-provisioning. (DN is used as the identity attribute in the AD config.)

But when we tried to replicate this scenario in our sandbox, this was not the behavior. We saw the ideal behavior, where the DN of the link gets updated correctly (instead of a duplicate account being created or unwanted re-provisioning happening).

Also, an entry called "renamedAccountNativeIdentities" gets created which stores the old DN.

So any thoughts on this?

Would there be anything wrongly configured in the client environment AD?

In IdentityIQ 7.2, SailPoint introduced Native Identity Change Propagation, which propagates DN changes to the different IIQ objects (links, managed attributes, assignments, policy references, etc.). This uses the GUID/UUID instead of the DN.

This is enabled by default. I'm wondering if they may have disabled it at:
Gear → Global Settings → IdentityIQ Configuration → Miscellaneous → Native Identity Change Event Propagation Settings → "Enable Native Identity Change Event propagation".
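As an added illustration (not IIQ's own code or API), the model below shows why correlating on a stable GUID matters: a link keyed only on DN is orphaned after a rename and a second link is created, while GUID correlation renames the existing link and records the old DN. The `Link`/`aggregate` names and the sample DNs and GUIDs are constructed for this example.

```python
# Simplified model of aggregation with and without native identity change
# propagation. Not SailPoint code; names and sample values are constructed.
from dataclasses import dataclass, field


@dataclass
class Link:
    native_identity: str                 # the DN, used as the identity attribute
    uuid: str                            # objectGUID, stable across DN renames
    renamed_native_identities: list = field(default_factory=list)


def aggregate(links, accounts, propagate_native_identity_change=True):
    """Merge aggregated AD accounts (dicts with 'dn' and 'guid') into links.

    Returns (links, orphaned): links after aggregation and the subset whose
    account was not seen, i.e. links a refresh would treat as missing.
    """
    by_dn = {link.native_identity: link for link in links}
    by_uuid = {link.uuid: link for link in links}
    seen = set()
    for acct in accounts:
        link = by_dn.get(acct["dn"])
        if link is None and propagate_native_identity_change:
            # DN not found: fall back to the stable GUID. A match means the
            # account was renamed outside IIQ, so rename the link in place
            # and keep the old DN instead of creating a second link.
            link = by_uuid.get(acct["guid"])
            if link is not None:
                link.renamed_native_identities.append(link.native_identity)
                link.native_identity = acct["dn"]
        if link is None:
            link = Link(acct["dn"], acct["guid"])   # genuinely new account
            links.append(link)
        seen.add(id(link))
    orphaned = [link for link in links if id(link) not in seen]
    return links, orphaned


def rename_scenario(propagate):
    """Constructed rename: same objectGUID, new DN after a CN change."""
    old_dn = "CN=Jane Doe,OU=Users,DC=example,DC=com"
    new_dn = "CN=Jane Smith,OU=Users,DC=example,DC=com"
    links = [Link(old_dn, "11111111-2222-3333-4444-555555555555")]
    renamed = [{"dn": new_dn, "guid": "11111111-2222-3333-4444-555555555555"}]
    return aggregate(links, renamed, propagate_native_identity_change=propagate)
```

With propagation the result is one link carrying the new DN and the old DN in `renamed_native_identities`; without it the old link is orphaned alongside a new one, which is the state that leads to unwanted re-provisioning after a refresh.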

Hi @carlosrodriguez, thanks for your response.

I have checked; they have it enabled.

@carlosrodriguez

Even with "Enable Native Identity Change Event propagation" disabled, SailPoint is correctly updating the DN on the link without any issues.

The only difference I see with that option disabled is that, after the DN change, aggregation and refresh, I don't see a TaskResult called "Native Identity Change Propagation Request for Account".
