Generate Unique Active Directory AccountID using Multiple Patterns

The client we are implementing SailPoint IdentityNow for requires creating Active Directory accounts with multiple generation patterns. The only rule we can find that accepts multiple patterns is the “Username Generator”, but it only works for the accountID, which in our case is the distinguishedName.

The problem is that they have a different OU for each location, so when creating an account similar to one that already exists but in a different OU, for SailPoint the whole distinguishedName (accountID) is different, so it doesn’t go for the next pattern, but for the IQService it’s a duplicate account.

We thought about a custom “Account Profile Attribute Generator” Rule, but it will require more time than we currently have.

Any ideas on how to generate a unique distinguishedName using multiple patterns?

1 Like

Hi @AhmedHisham7

You can get the Create Profile of the source and modify the transform for distinguishedName in it.

I am pasting below a transform which you can modify and test. Set ‘sourceCheck’ to true and it will do a single aggregation using the generated distinguishedName to check whether an account with the same distinguishedName exists or not.

{
  "attributes": {
    "cloudMaxSize": "100",
    "cloudMaxUniqueChecks": "5",
    "cloudRequired": "true"
  },
  "isRequired": false,
  "multi": false,
  "name": "distinguishedName",
  "transform": {
    "type": "usernameGenerator",
    "attributes": {
      "sourceCheck": true,
      "patterns": [
        "CN=$fi.$ln,$locationBasedOu",
        "CN=$fn.$ln,$locationBasedOu",
        "CN=$fn.$mi.$ln${uniqueCounter},$locationBasedOu"
      ],
      "fn": {
        "type": "identityAttribute",
        "attributes": {
          "name": "firstname"
        }
      },
      "ln": {
        "type": "identityAttribute",
        "attributes": {
          "name": "lastname"
        }
      },
      "fi": {
        "type": "substring",
        "attributes": {
          "input": {
            "type": "identityAttribute",
            "attributes": {
              "name": "firstname"
            }
          },
          "begin": 0,
          "end": 1
        }
      },
      "mi": {
        "type": "substring",
        "attributes": {
          "input": {
            "type": "identityAttribute",
            "attributes": {
              "name": "middlename"
            }
          },
          "begin": 0,
          "end": 1
        }
      },
      "locationBasedOu": {
        "attributes": {
          "table": {
            "Austin": "OU=Austin,DC=YourDomain,DC=com",
            "Houston": "OU=Houston,DC=YourDomain,DC=com",
            "Dallas": "OU=Dallas,DC=YourDomain,DC=com"
          }
        },
        "input": {
          "attributes": {
            "sourceName": "HR_System",
            "attributeName": "Location"
          },
          "type": "accountAttribute"
        },
        "type": "lookup"
      }
    }
  },
  "type": ""
}

Use this document for more detail on the Username Generator transform.

1 Like

The problem is that usernameGenerator doesn’t work with the Active Directory distinguishedName. Since this generator checks for uniqueness on the AccountId, with dynamic OUs SailPoint checks for a unique full distinguishedName while the IQService checks for a unique CN value. This behaviour leads to accounts never being created for duplicate accounts in different locations/OUs.

1 Like
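As an added example that is not code from this thread or from SailPoint, the Python below models the pattern walk the transform above performs and shows why the uniqueness scope matters. It assumes a constructed set of existing DNs, the same three patterns and location lookup table as the transform, and a hypothetical `generate_dn` function with a `scope` switch: `"dn"` compares the whole distinguishedName (what `sourceCheck` does), `"cn"` compares only the CN value across all OUs (what IQService enforces). With the same identity, the `"dn"` scope happily returns a CN that already exists in another OU, while the `"cn"` scope moves on to the next pattern and the `${uniqueCounter}` fallback.

```python
"""Model of multi-pattern DN generation with a configurable uniqueness scope.

Added example, not SailPoint or IQService code. It reproduces the behaviour
described in the thread: uniqueness checked on the full DN passes a CN that
already exists in a different OU, so the same logic re-run with CN-scoped
uniqueness is what a custom generator rule would have to do.
"""
from __future__ import annotations

from string import Template

# Constructed sample of accounts already in the directory (two OUs, same person).
EXISTING_DNS = [
    "CN=j.smith,OU=Austin,DC=YourDomain,DC=com",
    "CN=john.smith,OU=Austin,DC=YourDomain,DC=com",
]

# Same lookup table as the transform in the answer above.
LOCATION_OU = {
    "Austin": "OU=Austin,DC=YourDomain,DC=com",
    "Houston": "OU=Houston,DC=YourDomain,DC=com",
    "Dallas": "OU=Dallas,DC=YourDomain,DC=com",
}

# Same three patterns; $ou stands in for $locationBasedOu.
PATTERNS = [
    "CN=$fi.$ln,$ou",
    "CN=$fn.$ln,$ou",
    "CN=$fn.$mi.$ln$uniqueCounter,$ou",
]


def cn_of(dn: str) -> str:
    """Return the CN value of a DN whose first RDN is CN (no escaped commas handled)."""
    rdn = dn.split(",", 1)[0]
    attr, _, value = rdn.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"DN does not start with a CN RDN: {dn}")
    return value.strip()


def build_candidate(pattern: str, identity: dict, counter: int | None) -> str:
    """Fill one pattern from identity attributes, mirroring fn/ln/fi/mi/locationBasedOu."""
    values = {
        "fn": identity["firstname"],
        "ln": identity["lastname"],
        "fi": identity["firstname"][:1],
        "mi": identity.get("middlename", "")[:1],
        "ou": LOCATION_OU[identity["location"]],
        "uniqueCounter": "" if counter is None else str(counter),
    }
    return Template(pattern).substitute(values)


def generate_dn(identity: dict, existing_dns: list[str], scope: str = "cn",
                max_unique_checks: int = 5) -> str:
    """Walk the patterns and return the first candidate that is unique in `scope`.

    scope="dn": compare whole DN (usernameGenerator + sourceCheck behaviour).
    scope="cn": compare CN only, across every OU (what IQService rejects on).
    AD compares both case-insensitively, so keys are lower-cased.
    """
    if scope not in ("dn", "cn"):
        raise ValueError("scope must be 'dn' or 'cn'")
    taken = {(dn if scope == "dn" else cn_of(dn)).lower() for dn in existing_dns}
    for pattern in PATTERNS:
        uses_counter = "$uniqueCounter" in pattern
        # A counter pattern gets max_unique_checks tries (cloudMaxUniqueChecks); others get one.
        counters = range(1, max_unique_checks + 1) if uses_counter else [None]
        for counter in counters:
            candidate = build_candidate(pattern, identity, counter)
            key = (candidate if scope == "dn" else cn_of(candidate)).lower()
            if key not in taken:
                return candidate
    raise ValueError("all patterns and counter values exhausted")


if __name__ == "__main__":
    # Constructed identity: a second John Smith, this time in Houston.
    ident = {"firstname": "John", "middlename": "Adam",
             "lastname": "Smith", "location": "Houston"}
    print("dn scope:", generate_dn(ident, EXISTING_DNS, scope="dn"))
    print("cn scope:", generate_dn(ident, EXISTING_DNS, scope="cn"))
```

Running it prints a Houston DN with CN `J.Smith` under the `dn` scope (IQService would report this as a duplicate of the Austin account) and `CN=John.A.Smith1,...` under the `cn` scope, which is the outcome the original question is after. A real rule would need to aggregate or search the whole directory for CN values rather than the single DN lookup that `sourceCheck` performs.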

@AhmedHisham7

Please have a look at this rule that generates unique usernames.
