How to do group rename in AD and Azure in IIQ 8.3

umacsaa · March 18, 2025, 2:23pm

Which IIQ version are you inquiring about?

IIQ 8.3*

Share all details about your problem, including any error messages you may have received.

I am seeing an error in logs – “Unable to find matching request during unfiltering”

pravin_ranjan · March 18, 2025, 2:41pm

@umacsaa

I am hoping you are following same approach

Active Directory Connector - FAQ and troubleshooting - Compass

A: The following attributes can be passed in the update provisioning plan to rename or move a user object in the directory.

AC_NewName: String attribute to rename the user. For example, CN=abc
AC_NewParent: String attribute to move the user to new OU. For example, OU=xyz,DC=pqr,DC=com
For more information on this and other special provisioning (like remote desktop services) attributes see: AD Provisioning Tidbits

NOTE:  The javax.naming.ldap.Rdn.escapeValue() can be used to properly escape LDAP cn or distinguishedName values that contain commas.

Can you give more details or share your provisioning plan ?

umacsaa · March 18, 2025, 3:07pm

What you have mentioned would work for User and I am trying to do for group. Here is the plan that I use to do rename

Azure Group Rename

==============

<ProvisioningPlan targetIntegration="Azure AD Cloud">
  <ObjectRequest application="Azure AD Cloud" nativeIdentity="e57abe5e-84af-427c-828f-3365243af98c" op="Modify">
    <AttributeRequest name="displayName" op="Set" value="TestAzureGroup1"/>
    <AttributeRequest name="sysDisplayName" op="Set" value="TestAzureGroup1"/>
  </ObjectRequest>
</ProvisioningPlan>

AD Group Rename

Exiting build plan to modify group

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan targetIntegration="AD">
  <ObjectRequest application="AD" nativeIdentity="CN=TESTADGROUP1,OU=Security Groups,OU=XXXX,DC=XXX,DC=XXX,DC=XXX,DC=XX" op="Modify">
    <AttributeRequest name="cn" op="Set" value="TESTADGROUP2"/>
  </ObjectRequest>
</ProvisioningPlan>

pravin_ranjan · March 18, 2025, 3:36pm

AC_NewName is missing here. try to set attribute request AC_NewName with new cn.

normally i set 3 attributes
a. AC_NewName = new name
b. sAMAccountName = new name
c. displayName = new name

try and let me know

umacsaa · March 18, 2025, 9:55pm

Still the same and getting “Unable to find matching request during unfiltering" error

umacsaa · March 18, 2025, 9:59pm

Trying to decompile identityiq jar and the class file planEvaluator

abartkowski · March 20, 2025, 1:59pm

Add to yours Modify plan for AD this part:

        accountRequest.add(new ProvisioningPlan.AttributeRequest("displayName", ProvisioningPlan.Operation.Set, "Any name"));
        accountRequest.add(new ProvisioningPlan.AttributeRequest("userPrincipalName", ProvisioningPlan.Operation.Set, link.getAttribute("userPrincipalName")));
        accountRequest.add(new ProvisioningPlan.AttributeRequest("AC_NewName", ProvisioningPlan.Operation.Set, "CN=" + newCn));

best regards

umacsaa · March 21, 2025, 5:49am

AC_NewName needs to be set as DN of the new group. It worked after setting with new DN

umacsaa · March 21, 2025, 5:49am

Thank you so much.. It worked

system · May 20, 2025, 5:50am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.