Enable Provisioning policy not clearing extensionAttribute

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

We are setting extensionAttribute during disablement, and it is working fine. But, when we re-enable account, extensionAttribute doesn’t get clear. Every other attribute works fine during re-enable.

Disable works fine.

{
    "name": "Account",
    "description": null,
    "usageType": "DISABLE",
    "fields": [
        {
            "name": "AC_NewParent",
            "transform": {
                "attributes": {
                    "value": "OU=Disabled,DC=com"
                },
                "type": "static"
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "extensionAttribute",
            "transform": {
                "attributes": {
                    "input": {
                        "attributes": {
                            "input": "",
                            "expression": "now+3d"
                        },
                        "type": "dateMath"
                    },
                    "inputFormat": "yyyy-MM-dd'T'HH:mm",
                    "outputFormat": "MM/dd/yyyy"
                },
                "type": "dateFormat"
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msExchHideFromAddressLists",
            "transform": {
                "attributes": {
                    "value": "true"
                },
                "type": "static"
            },
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        }
    ]
}

Enable: Unable to reset extensionAttribute

{
    "name": "Account",
    "description": null,
    "usageType": "ENABLE",
    "fields": [
        {
            "name": "extensionAttribute",
            "transform": {
                "attributes": {
                    "value": ""
                },
                "type": "static"
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "msExchHideFromAddressLists",
            "transform": {
                "attributes": {
                    "value": "false"
                },
                "type": "static"
            },
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        },
        {
            "name": "AC_NewParent",
            "transform": {
                "attributes": {
                    "name": "OU=Ex,DC=COM"
                },
                "type": "identityAttribute"
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

Also. I can see below error during attributeSync but apart from extensionAttribute, everything is working fine… aggregation is fine, account is getting re-enabled, and OU movements are fine during disable and enable

  • Failed to update attributes for identity CN=user,DC=com. Failed to connect to the server for CN=user,DC=com:There is no such object on the server. 0000208D: NameErr: DSID-0310028C, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=Disabled OU,DC=com’ . HRESULT:[0x80072030]
2

Hey Ashish,

I am not sure if it applies to this case, but I have previously seen issues with IDN trying to provision ‘blank’ attributes. Can you confirm that if you perform the disable and instead set a new attribute value that it sets it as intended (as opposed to using a ‘blank’ value)?

Thank you,

  • Zach
2 Likes
3

Hi Zach,

Yes, I verified and it is updating a new value instead of blank, any idea how to overcome this? Also, by any chance do you have idea why attribute sync throwing “Failed to update attributes for identity” error.

4

We don’t normally use the Enable and Disable account provisioning policies in this way in our environment, so it is difficult for me to simulate this myself. Here are some options you could try:

  1. Can you use just a space in overwriting the attribute (ex. " ")? I know this doesn’t completely clear the field, but it might overcome the issue by making it appear blank.

  2. Can you set a null value as opposed to a blank value? Something like, “value”: null. This works in some cases, but I am not sure if it will work in this case.

  3. Can you set the attribute to some string? I know this doesn’t fit the exact requirement of clearing the attribute, but maybe it would be acceptable to set the “Disabled” string to this extentionAttribute, for example, as a workaround.

As for your questions about attribute sync, since that is a separate item, it would ideally be best to open a new thread on that topic to keep them separate. That way you can provide the necessary information to troubleshoot the issue in that thread without mixing it in with your Disable provisioning policy questions. It also helps other developer community members search through the threads more easily if they are encountering one of these issues also :grinning:

Thank you,

  • Zach
5

@ashishbhatia : Can you please confirm which of the above solutions you implemented and it worked?

I know that sending a different string would work but did you try sending null or space?

6

Hi Shivam,
We added ‘0’ for resetting the attribute.

7

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.