Email attribute for Identity in SailPoint

Which IIQ version are you inquiring about?
8.2

So we have attribute for identity : Email.
We are getting the value of this from AD. But when the AD is removed, the value still remains in the identity, i.e. it is not cleared. Is it some glitch or something?
Please help me to resolve this.

@Amsingh1
What is the source mapping of your identity attribute email? Check if it is an AD attribute.

If it's present, make sure you run a refresh with "synchronize attributes".

Hi Satish,

Yes, it's the mail attribute of AD. So the issue is: when the AD account is deleted for the user and it's cleared out from the user's application accounts, the email value still remains as it is.

I mean, please check the Identity Mappings: go to Global Settings and check the source mapping for the field email.

Can you share the ObjectConfig Identity.xml if possible, or a screenshot of the mapping from Identity Mappings?

Yes, that is from where I told you.
image

In the Identity Mappings, for the mail attribute check the modification type, whether it is set to "Permanent", "Read Only" or "Temporary".
The functionality you want needs it to be set as “Temporary”.
Hope this helps!

1 Like

Share the complete screenshot; what actually is the type?

Hi Amandeep,

Can you try one thing? Instead of doing a direct mapping, it's better to use an application rule or global rule for the identity mapping. In that rule, you have to write logic like this:

// Identity attribute rule (BeanShell): start with an empty value
String returnStmt = "";

// Get the value of the email from the link (the aggregated account),
// update returnStmt with the actual email, and return it.
if (link != null && link.getAttribute("mail") != null) {
    returnStmt = link.getAttribute("mail").toString();
}

// Return "" (not null) when no email is found, so the identity attribute is cleared
return returnStmt;

I hope this might work, because it checks every time you do an aggregation: if SailPoint finds the email from the link, then it updates the email attribute, and if not, it simply returns nothing, just like "", so that it will be updated with an empty value.

So, just give it a try.

1 Like

Sure will try.
We can return null when the email is not fetched.

Have you tried this? From your screenshot, with the "Read Only" configuration it may require a change in the mapping source attributes to update the Identity Attribute value.

If you set it to "Temporary", it should automatically clean the "email" attribute of the Identity object when it doesn't have an AD account, in your case (source mapping).

Let us know if you get to fix it!

Just a useful recap of the options from the System Configuration documentation:

Enable editing of this attribute from the Identity pages.
Read Only — this attribute cannot be edited from the Identities pages.
Permanent — changes made on the identities pages are not overwritten by refresh tasks.
Temporary — changes made on the edit identities pages are overwritten when an aggregation task brings over a new (changed) value for the attribute.

@Amsingh1

If you are doing this, don't go with a Global rule as it will run for all app aggregations; keep only the application rule, and don't return null, return an empty string actually.

You can try that as well. But I remember when I was working on synchronized attributes for a few applications, it was not working. So use the empty string "" only, by having it in an application rule.

1 Like
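As an added example (not code posted in this thread), here is what the application-scoped identity attribute rule described in the replies above could look like in BeanShell. It assumes the AD account attribute is named mail, that IIQ passes the aggregated account as link and the identity as identity, and that the identity mapping's modification type allows the refresh to overwrite the value.

```java
import sailpoint.object.Link;
import sailpoint.object.Identity;

// Variables assumed to be supplied by IIQ to an IdentityAttribute rule:
//   link     - the AD account (sailpoint.object.Link) being aggregated; may be null
//   identity - the Identity being refreshed (unused here, kept for reference)
String returnStmt = "";

if (link != null) {
    // "mail" is the AD attribute name assumed for this example
    Object mail = link.getAttribute("mail");

    // AD can present a multi-valued attribute as a List; take the first entry
    if (mail instanceof java.util.List) {
        java.util.List values = (java.util.List) mail;
        mail = values.isEmpty() ? null : values.get(0);
    }

    if (mail != null) {
        String value = mail.toString().trim();
        if (value.length() > 0) {
            returnStmt = value;
        }
    }
}

// Return "" rather than null: an empty string is written back and clears the
// stale email on the identity once the AD account (or its mail value) is gone.
return returnStmt;
```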