Failed to update attribute AC_NewParent Error - Access is denied

Hi

I am using the Services Standard Before Provisioning Rule provided by SailPoint to achieve some complex requirements, like moving accounts from one OU to another during termination/disable.

During disable, I configured the account to be moved to another OU, i.e. from

OU=Users,OU=Resources,OU=SailpointDev,DC=acme,DC=com

to

OU=Users,OU=Terminated,OU=Resources,OU=SailpointDev,DC=acme,DC=com

I am getting this error during termination: Failed to update attribute AC_NewParent Error - Access is denied.

Is there any specific permission tied to a service account for moving accounts from one OU to another, that I might be missing?

Regards
Arshdeep Singh

Hi @arshdeep_thapar ,
Could you please check if you have the necessary permissions to do CRUD operations on that terminated OU?

@arshdeep_thapar Mostly, it looks like a service account permission issue.

Did you try doing the move operation using PowerShell or AD tools directly with the service account, to confirm whether it is a permissions issue?

Also, check the logs on the IQService server; you will find more detailed logs, AD errors and error codes there. Please share the error codes or error details.

Thanks
Raghu

Thanks for your response. It was a permissions issue that was suspected. I checked the documentation and found a few permissions were missing on the service account, like create and delete accounts. IQService logs helped.

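As an added example that is not part of the original thread or of SailPoint's documentation: one way to check whether the "create and delete accounts" rights mentioned in the resolution are present on the two OUs from the question. It assumes the RSAT ActiveDirectory module is installed, that those rights correspond to CreateChild/DeleteChild ACEs for user objects, and that `ACME\svc_iqservice` is a placeholder for the real service account and the groups it belongs to.

```powershell
# Added example: report whether ACEs on each OU grant the child-object rights
# needed to move user accounts out of the source OU and into the target OU.
Import-Module ActiveDirectory

$SourceOu   = 'OU=Users,OU=Resources,OU=SailpointDev,DC=acme,DC=com'
$TargetOu   = 'OU=Users,OU=Terminated,OU=Resources,OU=SailpointDev,DC=acme,DC=com'
# Placeholder (assumption): list the service account and every group it is a member of.
$Identities = @('ACME\svc_iqservice')

$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class
$AnyClass  = [guid]::Empty                                   # ACE not limited to one class

function Test-OuChildRight {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right,
        [Parameter(Mandatory)][string[]]$Identity
    )
    $aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        # ACE names one of our identities
        $Identity -contains $_.IdentityReference.Value -and
        # ACE carries the right we are looking for
        ($_.ActiveDirectoryRights -band $Right) -eq $Right -and
        # ACE covers user objects (or all classes)
        ($_.ObjectType -eq $UserClass -or $_.ObjectType -eq $AnyClass) -and
        # ACE applies to the OU itself, not only to objects beneath it
        $_.InheritanceType -in 'None', 'All', 'SelfAndChildren'
    }
    $allow = @($aces | Where-Object AccessControlType -eq 'Allow')
    $deny  = @($aces | Where-Object AccessControlType -eq 'Deny')
    [pscustomobject]@{
        OU        = $OuDn
        Right     = $Right
        # Simplification: any matching Deny is treated as blocking the right.
        Granted   = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        AllowAces = $allow.Count
        DenyAces  = $deny.Count
    }
}

@(
    Test-OuChildRight -OuDn $SourceOu -Right DeleteChild -Identity $Identities
    Test-OuChildRight -OuDn $TargetOu -Right CreateChild -Identity $Identities
) | Format-Table -AutoSize
```

A row with `Granted` set to `False` points at the OU where the delegation is missing; the direct test suggested earlier in the thread is still the definitive check, since this script only evaluates ACEs for the identities listed in `$Identities`.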