I’m looking for guidance on how to automatically add all correlated Active Directory (AD) accounts from the same source and domain—associated with a single identity—to one specific AD group using SailPoint Identity Security Cloud (ISC).
Use Case
A user has multiple AD accounts (e.g., username1, svc_username1) in the same domain, all correlated to one identity in SailPoint.
I need all these accounts—not just the primary or default account—to be added to a single AD group, such as:
CN=MultiAccountGroup,OU=Groups,DC=example,DC=com
Questions
What’s the best approach to iterate over all correlated AD accounts from the same source/domain during provisioning?
Can this be accomplished using a:
BeforeProvisioning rule
PostProvisioning rule
Workflow with loop logic
Or should this be handled in the Access Profile configuration?
Any examples, rule snippets, or references would be greatly appreciated.
Make two sets of Access Profiles
Since you have a naming convention that can identify the accounts, you can make an access profile that is configured for each account type. These can be requested individually or added to a single role.
Use an After Modify rule
Since events in ISC are targeted to a single account, we need a way to perform actions on the second account. We could use an After Modify PowerShell rule to programmatically add the entitlement to the second account.
Using a workflow with the Provisioning Completed Trigger
Similar to option two, you could create a workflow to detect that the provisioning is completed, search for the second account and then use Manage Access to add the entitlement to the account.
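As an added illustration of option two (not code from the original post or from SailPoint), here is a skeleton of an IQService After Modify PowerShell script. When ISC adds the target group to one AD account, the script looks up the user's other accounts in the same domain and adds them to the same group. Everything environment-specific is an assumption: the correlated accounts are assumed to share the same employeeID value in AD (swap in whatever attribute your correlation actually keys on), the log path and Utils.dll path are placeholders, and the request-parsing lines follow the pattern in SailPoint's published After Modify samples ($env:Request, SailPoint.Utils.objects.AccountRequest), which you should verify against your IQService version. The group DN is the one from the question.

```powershell
# Added example: After Modify script that propagates a group add to correlated AD accounts.
# Assumptions: correlated accounts share employeeID; paths below are placeholders.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$TargetGroupDn = 'CN=MultiAccountGroup,OU=Groups,DC=example,DC=com'   # group from the question
$LogFile       = 'C:\SailPoint\Scripts\AfterModify-MultiAccount.log'  # assumed path
$UtilsDll      = 'C:\SailPoint\IQService\Utils.dll'                    # assumed path

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

# RFC 4515 escaping so a stray '*' or ')' in the key value cannot widen the LDAP search.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Returns the other accounts (in the current domain) that share the correlation key
# with the provisioned account. Get-ADUser searches the current domain only, which
# gives the "same domain" restriction from the question for free.
function Get-CorrelatedAccounts {
    param([Parameter(Mandatory)][string]$ProvisionedDn)
    $acct = Get-ADUser -Identity $ProvisionedDn -Properties employeeID
    if ([string]::IsNullOrWhiteSpace($acct.employeeID)) { return @() }
    $key = ConvertTo-LdapFilterValue $acct.employeeID
    Get-ADUser -LDAPFilter "(employeeID=$key)" -Properties memberOf |
        Where-Object { $_.DistinguishedName -ne $ProvisionedDn }
}

# Adds every correlated account to the group, skipping ones already in it.
# Returns the DNs that were actually added so the caller can log them.
function Add-CorrelatedAccountsToGroup {
    param(
        [Parameter(Mandatory)][string]$ProvisionedDn,
        [Parameter(Mandatory)][string]$GroupDn
    )
    $added = @()
    foreach ($other in Get-CorrelatedAccounts -ProvisionedDn $ProvisionedDn) {
        if ($other.memberOf -contains $GroupDn) {
            Write-Log "Skip $($other.DistinguishedName): already a member of $GroupDn"
            continue
        }
        Add-ADGroupMember -Identity $GroupDn -Members $other
        $added += $other.DistinguishedName
    }
    return $added
}

try {
    # Parse the IQService request (pattern from SailPoint's After Modify samples; verify for your version).
    Add-Type -Path $UtilsDll
    $reader    = New-Object System.IO.StringReader([string]$env:Request)
    $xmlReader = [System.Xml.XmlTextReader]([SailPoint.Utils.xml.XmlUtil]::getReader($reader))
    $request   = New-Object SailPoint.Utils.objects.AccountRequest($xmlReader)

    # Act only when this request actually added the target group to the primary account;
    # the 'memberOf' attribute request is how the AD connector expresses a group add.
    $groupAdded = $request.AttributeRequests | Where-Object {
        $_.Name -eq 'memberOf' -and $_.Operation -eq 'Add' -and (@($_.Value) -contains $TargetGroupDn)
    }
    if (-not $groupAdded) {
        Write-Log "No add of $TargetGroupDn in request for $($request.NativeIdentity); nothing to do"
        return
    }

    $result = Add-CorrelatedAccountsToGroup -ProvisionedDn $request.NativeIdentity -GroupDn $TargetGroupDn
    Write-Log "Added $($result.Count) correlated account(s) to $TargetGroupDn for $($request.NativeIdentity): $($result -join '; ')"
}
catch {
    # Log and rethrow so IQService reports the failure back to ISC instead of silently succeeding.
    Write-Log "ERROR: $($_.Exception.Message)"
    throw
}
```

Two design points worth keeping if you adapt this: the group membership check reads memberOf from the user object rather than enumerating the group, so it stays cheap for large groups; and because the script only reacts to an explicit add of the target group, it will not propagate membership on unrelated account updates. The mirror case (remove from the group) is left out here, but the same structure applies with Operation -eq 'Remove' and Remove-ADGroupMember.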