How to Add OU Attribute to Active Directory Accounts in Sailpoint ISC?

I’m working with Sailpoint ISC and I’m trying to find a way to add the OU attribute to Active Directory accounts. The OU is a string that is generated by concatenating attributes from another source, specifically from HR. Does anyone have experience with this or can provide guidance on how to achieve this? Any help would be greatly appreciated!

Hi Salvatore,
Make an identity.attribute that is the string that you want to sync, then pick an AD.attribute that you want to sync it to.
You may need to ‘side-load’ that attribute to the sync profile using postman.

Hello @phil_awlings,

how would it be possible to create each account into a specific, custom, OU?
For example, we will have OUs determined by Identity attributes (city, country, department) and their concatenation. The final OU could then be OU=Finance,OU=Turin,OU=Italy,OU=MyCompany.
Please note that a different OU exists based on this information, so the account management must be dynamic based on the Identity attributes.

"OU": "OU=$department, OU=$city, OU=$country, ....",
                "department": {
                  "type": "firstValid",
                  "attributes": {
                    "values": [
                      {
                        "type": "identityAttribute",
                        "attributes": {
                          "name": "department"
                        }
                      },
                      "XX1"
                    ],
                    "ignoreErrors": false
                  }
                }

Then repeat for each variable that you need


You can use the custom transform in the AD provisioning policy to calculate the OU based on identity attributes. The AD account attribute patterns could be

"patterns": [
                            "CN=$cn,$ou",
                            "CN=$cn${uniqueCounter},$ou"
                        ]

OU calculation transform could be something like below to dynamically define the OU,

"ou": {
   	"attributes": {
   		"city": {
   			"attributes": {
   				"name": "city"
   			},
   			"type": "identityAttribute"
   		},
   		"country": {
   			"attributes": {
   				"name": "country"
   			},
   			"type": "identityAttribute"
   		},
   		"department": {
   			"attributes": {
   				"name": "department"
   			},
   			"type": "identityAttribute"
   		},
   		"value": "#if($city == 'NY' && $country == 'USA' && $department == 'HR')OU=Users,OU=$department,OU=SailpointSB#{elseif}($city == 'NY' && $country == 'USA' && $department == 'Admin')OU=Admin,OU=SailpointSB#{else}OU=Others,OU=SailpointSB#end,DC=domain,DC=com"
   	},
   	"type": "static"
   }
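Both answers above build the OU by concatenating identity attributes that originate in HR data. A value such as a department name containing a comma or an equals sign changes the structure of the resulting DN rather than just its text, which is why the `#if`/`#elseif` chain above (which only ever emits OUs you wrote by hand) is the safer shape. The script below is an added example, not code from the thread or from SailPoint: it shows RFC 4514 escaping of each RDN value, an allowlist of OUs that actually exist (the in-ISC equivalent is the conditional chain or a lookup transform keyed on the attribute), and the naive concatenation beside it for comparison. `BASE_DN`, `ROOT_OU`, `KNOWN_OUS` and the sample values are constructed for the example.

```python
"""Build an AD OU/DN from HR-derived identity attributes safely.

Added example (not from the thread or SailPoint).  BASE_DN, ROOT_OU and
KNOWN_OUS are hypothetical values standing in for a real directory.
"""
import re

BASE_DN = "DC=domain,DC=com"
ROOT_OU = "OU=MyCompany"

# Constructed allowlist: the containers that really exist in the directory.
KNOWN_OUS = {
    "OU=Finance,OU=Turin,OU=Italy,OU=MyCompany",
    "OU=HR,OU=Turin,OU=Italy,OU=MyCompany",
    "OU=Finance,OU=Milan,OU=Italy,OU=MyCompany",
}
# Same role as the #else branch in the conditional transform above.
FALLBACK_OU = "OU=Others,OU=MyCompany"

# Characters that must be escaped inside an RDN value (RFC 4514 section 2.4).
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it stays a single RDN when concatenated."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:          # leading '#' would start a hex value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def naive_ou(department: str, city: str, country: str) -> str:
    """What a plain concat/static transform produces: raw values, no escaping."""
    return f"OU={department},OU={city},OU={country},{ROOT_OU}"


def build_ou(department: str, city: str, country: str) -> str:
    """OU=<department>,OU=<city>,OU=<country>,OU=MyCompany with escaped values."""
    rdns = [f"OU={escape_rdn_value(v)}" for v in (department, city, country)]
    return ",".join(rdns + [ROOT_OU])


def resolve_ou(department: str, city: str, country: str) -> str:
    """Return the computed OU only if it is on the allowlist, else the fallback."""
    ou = build_ou(department, city, country)
    return ou if ou in KNOWN_OUS else FALLBACK_OU


def split_rdns(dn: str) -> list:
    """Split a DN at commas that are not escaped (a '\\,' stays inside its RDN)."""
    return re.split(r"(?<!\\),", dn)


def build_dn(cn: str, department: str, city: str, country: str) -> str:
    """Full DN as the create profile would need it."""
    return f"CN={escape_rdn_value(cn)},{resolve_ou(department, city, country)},{BASE_DN}"


if __name__ == "__main__":
    # Constructed HR value that tries to smuggle in an extra RDN.
    bad_department = "Finance,OU=Domain Admins"
    print("naive :", naive_ou(bad_department, "Turin", "Italy"),
          "->", len(split_rdns(naive_ou(bad_department, "Turin", "Italy"))), "RDNs")
    print("escaped:", build_ou(bad_department, "Turin", "Italy"),
          "->", len(split_rdns(build_ou(bad_department, "Turin", "Italy"))), "RDNs")
    print("placed :", build_dn("Salvatore Rossi", bad_department, "Turin", "Italy"))
```

With the escaped form the hostile department value stays one RDN (four RDNs in the OU instead of five), and because that OU is not on the allowlist the account lands in the fallback container rather than wherever the HR string pointed.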

Hi Salvatore,

Any reason you want to populate this attribute explicitly? I believe it is usually auto-populated based on the distinguished name of the account.

Regards,
VK.

I was able to generate a custom OU thanks to a Transform. Now I need to create each account in its specific OU. How is it possible to create an AD account in a specific OU (derived from the corresponding Identity attribute)?

Use the CREATE profile and specify the OU in there

Do you mean the “Create Account” section inside the AD source?
In our case I guess it should be like:


The first “ou” is the AD Attribute while the second “ou” below is our custom generated OU from the Identity Attribute.

Please confirm whether I am correct or not

I use VSC, so I meant in there, but you can equally do via postman. And this is the code I’ve used in the past:

{
  "name": "Account",
  "description": null,
  "usageType": "CREATE",
  "fields": [
    {
      "name": "distinguishedName",
      "transform": {
        "attributes": {
          "values": [
            "CN=",
            {
              "attributes": {
                "name": "adCn"
              },
              "type": "identityAttribute"
            },
            {
              "attributes": {
                "input": {
                  "attributes": {
                    "value": "$sAMAccountName"
                  },
                  "type": "static"
                },
                "regex": "^.*[^0-9]",
                "replacement": ""
              },
              "type": "replace"
            },
            ",",
            {
              "attributes": {
                "values": [
                  {
                    "attributes": {
                      "name": "adGlobalOu"
                    },
                    "type": "identityAttribute"
                  },
                  ",DC=ad,DC=name,DC=com"
                ]
              },
              "type": "concat"
            }
          ]
        },
        "type": "concat"
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

That’s just for the DN, you will need to define all of the attributes

Sorry, I don’t know about VSC (Visual Studio Code) and I don’t want to use Postman. I need this to be an automatic process in ISC.

My flow is the following:

  • From my Authoritative Source I aggregate new Employees along with their data.
  • While aggregating, I compute the customOU based on personal data (Company, Country and City of the Employee) along with other static strings.
  • In the Identity Profile I set the customOU on to the Identity leveraging a Transform+Rule
  • After Creating/Modifying an Identity, I need to automatically propagate the action to AD.
  • Newly created Identities will have to be automatically created on AD in the specific customOU
  • Modified Identities, if they have changed the customOU, will have their AD account automatically moved to another OU in AD according to their updated customOU

In this process, the AD Accounts have to be created inside their customOU. I don’t want to use external processes but just the ISC engine.
Is it possible by setting the Account Correlation as previously shown in my last screenshot or do I need a custom workflow to be triggered in some way?
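The flow described above has two outcomes per identity: create the account in its customOU, or move an existing account when the customOU has changed. The following is an added example, not code from the thread or from SailPoint: it reconciles the accounts that exist in AD against each identity's customOU and produces the creates and moves that need to happen, comparing DNs the way AD does (case-insensitively, ignoring spaces around separators) and refusing any target container outside the company root. `BASE_DN`, `ROOT_OU` and the sample accounts and identities are constructed for the example; how those changes are then applied (by the ISC connector or by an AD administrator) is outside what this script does.

```python
"""Reconcile AD account placement against each identity's customOU.

Added example (not from the thread or SailPoint).  BASE_DN, ROOT_OU and the
sample data are hypothetical.
"""
import re

BASE_DN = "DC=domain,DC=com"
ROOT_OU = "OU=MyCompany"

# Constructed sample: accounts currently in AD, keyed by identity id.
ACCOUNTS = {
    "emp001": "CN=Salvatore Rossi,OU=Finance,OU=Turin,OU=Italy,OU=MyCompany,DC=domain,DC=com",
    "emp002": "CN=Anna Bianchi,ou=HR, ou=Turin,ou=Italy,ou=MyCompany,DC=domain,DC=com",
}
# Constructed sample: the customOU identity attribute after the latest aggregation.
IDENTITIES = {
    "emp001": "OU=Finance,OU=Milan,OU=Italy,OU=MyCompany",   # relocated to Milan
    "emp002": "OU=HR,OU=Turin,OU=Italy,OU=MyCompany",        # unchanged (case/space differ only)
    "emp003": "OU=Finance,OU=Turin,OU=Italy,OU=MyCompany",   # new hire, no account yet
    "emp004": "OU=Domain Controllers",                       # bad HR data, must be refused
}


def split_rdns(dn: str) -> list:
    """Split a DN at commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def normalize_dn(dn: str) -> str:
    """AD matches DNs case-insensitively; also drop spaces around separators."""
    return ",".join(part.strip().lower() for part in split_rdns(dn))


def parent_of(dn: str) -> str:
    """Everything after the first RDN, i.e. the container the object lives in."""
    return ",".join(split_rdns(dn)[1:])


def target_parent(custom_ou: str) -> str:
    return f"{custom_ou},{BASE_DN}"


def is_allowed_target(custom_ou: str) -> bool:
    """Only containers under ROOT_OU may be targeted, compared RDN by RDN."""
    want = split_rdns(normalize_dn(ROOT_OU))
    have = split_rdns(normalize_dn(custom_ou))
    return len(have) >= len(want) and have[-len(want):] == want


def plan_changes(accounts: dict, identities: dict) -> dict:
    """Return {'create': [(id, ou)], 'move': [(id, old_dn, new_dn)], 'rejected': [(id, ou)]}."""
    result = {"create": [], "move": [], "rejected": []}
    for identity_id, custom_ou in identities.items():
        if not is_allowed_target(custom_ou):
            result["rejected"].append((identity_id, custom_ou))
            continue
        current = accounts.get(identity_id)
        if current is None:
            result["create"].append((identity_id, custom_ou))
        elif normalize_dn(parent_of(current)) != normalize_dn(target_parent(custom_ou)):
            # Keep the existing CN RDN, re-parent it under the new container.
            new_dn = f"{split_rdns(current)[0]},{target_parent(custom_ou)}"
            result["move"].append((identity_id, current, new_dn))
    return result


if __name__ == "__main__":
    for action, items in plan_changes(ACCOUNTS, IDENTITIES).items():
        for item in items:
            print(action, *item)
```

Run on the sample data this reports one create (emp003), one move (emp001 from Turin to Milan, keeping its CN), nothing for emp002 whose DN differs only in case and spacing, and a rejection for emp004 whose customOU points outside `OU=MyCompany`. That last check is the one worth keeping wherever the OU is derived from data you do not control.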

If you are not using VSC or Postman, how are you getting your transforms into ISC?

Yes, we upload the Transforms via Postman APIs.
The current Transform to generate the OU is already deployed on ISC, we tested it and it populates an Identity Attribute correctly, namely “customOU”.
One thing that I do not understand yet is how to leverage said Identity Attribute when I have to create/move an AD Account.

Would it suffice to enter in the “AD Source > Create Account” and there set the “ou” attribute equal to the Identity Attribute “customOU”?

By giving a second look to your code, I interpret it as a custom Transform to manage the AD Account Creation directly.

  1. Is my understanding correct?
  2. Would it be automatically invoked by ISC when creating a new AD Account?
  3. So, does it overwrite the standard logics of ISC with the custom Transform logic?
