How to clear boolean attribute during provisioning for Active Directory

Hello,

I am trying to have provisioning setup so that property msExchHideFromAddressLists is set to true during Disable Account provisioning and set to during Enable Account provisioning, however I cannot clear the value for the life of me. True and False get successfully written to AD but clearing it is seemingly not possible, even though it is the default value and you can clear it via PowerShell just fine.

      {
        "name": "msExchHideFromAddressLists",
        "transform": {
          "type": "static",
          "attributes": {
            "value": null
          }
        },
        "attributes": {},
        "isRequired": false,
        "type": "boolean",
        "isMultiValued": false
      }

Values I have tried to clear the attribute with, so far: 0, “0”, " ", “”, “Not Set”, “NotSet”, “NOT SET”, null, “null”, “Disabled”, “”

All of these turn into True or False.

Any ideas on how to clear the attribute via provisioning policies?

Is this setup in your Create provisioning policy? If so, it only applies when an account is created and not during attribute sync, which is what you may want. I’d recommend and have done this by having an Identity attribute with the true/false value needed and then enable attribute sync on that attribute. msExchHideFromAddressLists is the opposite boolean value of Active = True for example, so you may want to create an inverse attribute called Disabled and have it hold the correct boolean value for the disposition of the account. In this case if Disabled == true, then it will set msExchHideFromAddressLists to true and hide the account when disabled.

ENABLE : msExchHideFromAddressLists - “”
DISABLE : msExchHideFromAddressLists - true
CREATE : msExchHideFromAddressLists - “”

It starts empty by default because that’s its default value in AD, but I cannot set it empty again.

Since the attribute type is boolean, I don’t think you can have null values.

If you can make use of Before Provisioning Rule or Native Rule (After Modify Rule) with PowerShell script, you can implement.

I wonder if changing it to a string on sailpoints side would allow me to work around this.

I am not sure if you can do it using IDN provisioning policy but you should be able to set the ‘msExchHideFromAddressLists’ attribute to empty/null using PowerShell something like below -

Set-ADObject -Identity <AD DN> -Clear msExchHideFromAddressLists

The above PowerShell cmdlet can be triggered based on IDN events like CREATE, ENABLE and DISABLE (as you mentioned above) using AfterCreate and AfterModify IDN connector rules.

HTH!
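As an added example (not code from either post above), a PowerShell function that an AfterModify connector rule could call to reconcile the attribute with the account's enabled state: it writes an explicit true while the account is disabled and uses `-Clear` to remove the attribute, rather than writing false, once the account is enabled again. The function name and the `$AccountDn` parameter are assumptions; it requires the ActiveDirectory module.

```powershell
# Added example: keep msExchHideFromAddressLists in step with the account's enabled state.
# Assumes the ActiveDirectory module is loaded and the caller passes the account's DN.
function Sync-HideFromAddressLists {
    param(
        [Parameter(Mandatory = $true)]
        [string]$AccountDn
    )

    # Enabled is derived from userAccountControl; also fetch the current attribute value
    # so an enabled account that is already clear is left untouched.
    $user = Get-ADUser -Identity $AccountDn -Properties Enabled, msExchHideFromAddressLists

    if (-not $user.Enabled) {
        # Disabled account: hide it from address lists with an explicit TRUE.
        Set-ADObject -Identity $AccountDn -Replace @{ msExchHideFromAddressLists = $true }
        return 'hidden'
    }

    if ($null -ne $user.msExchHideFromAddressLists) {
        # Enabled account: remove the attribute entirely (back to the AD default),
        # which a boolean provisioning policy attribute cannot express.
        Set-ADObject -Identity $AccountDn -Clear msExchHideFromAddressLists
        return 'cleared'
    }

    return 'unchanged'
}

# Example call (DN is a placeholder):
# Sync-HideFromAddressLists -AccountDn 'CN=Example User,OU=Users,DC=example,DC=com'
```

The return value is only there so the rule can log which branch ran; the same logic applies to accounts that were enabled or disabled outside IDN, since it reads the live state from AD.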

Like Krishna Reddy Mummadi said, you can’t set it to null. You just need to flip between true and false. If it’s never been set then it is null, which evaluates to false. Once you set it to true to hide a mailbox, you then set it to false to unhide it. You don’t need to clear it.

I did, however now I have another problem. When someone disables/enables an account outside of IDN, the attribute isn’t updated. I need to add provisioning of the attribute on UPDATE but I need to know whether the account is enabled. How would I check that in a provisioning policy?

@lukas_ceremeta - You may implement native change detection, which detects when accounts have been created, updated, or deleted out-of-band. You can use native change detection to remediate incidents where accounts are changed or entitlements are assigned outside the Identity Security Cloud.
You can set up the following event triggers to listen for native changes:

For more info refer below -

I do not have an HTTP server set up for this. Is it really not possible to check whether an account is enabled/disabled inside a transform/provisioning policy?
