How to enforce refresh of an UPDATE provisioning policy?

Hi everyone! I have an AD connector with an UPDATE provisioning policy that updates the manager when an identity manager change occurs (exactly the same transform used by the CREATE provisioning policy).

As it is not part of the synchronization process, how can I force the identity’s manager to be synchronized with AD?

The problem arose because when HR modified some managers, they were updated in IDN, but for some reason they could not be updated in AD. And as this event is now lost, they are not synchronized.

I tried a sync on AD, but it works only with AD attributes whose values come directly from an identity attribute.

Are you able to put the Manager’s DN on an Identity Attribute? Then sync that value as it will now be an Identity Attribute mapping?

Example after setting everyone’s DN to the adDistinguishedName Identity Attribute:

{
    "name": "Manager DN",
    "type": "rule",
    "attributes": {
        "attributeName": "adDistinguishedName",
        "name": "Cloud Services Deployment Utility",
        "operation": "getReferenceIdentityAttribute",
        "uid": "manager"
    }
}

Another option is found here: Identity Attribute Context in Transforms | SailPoint Developer Community. The “no manager exists” value would need to be modified slightly, as it would throw an error during sync.

{
  "type": "firstValid",
  "attributes": {
    "values": [
      "$identity.getManager().getStringAttribute('adDistinguishedName')",
      "no manager exists"
    ]
  }
}
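As an added illustration (not from the original thread or from SailPoint), a Python reconciliation check for the drift described in the question: it derives each identity's manager DN the way the getReferenceIdentityAttribute transform would and compares it with the manager attribute on the corresponding AD account. The identities and AD accounts are constructed sample data, not live IDN or AD reads, and the no-manager case yields None rather than a placeholder string, matching the caveat about the "no manager exists" fallback.

```python
"""Find AD accounts whose 'manager' attribute no longer matches the manager DN
derived from the identity data (constructed sample data; no IDN/AD API calls)."""
from typing import Optional

# Constructed identity snapshot: what IDN holds after HR's manager changes.
IDENTITIES = {
    "alice": {"manager": "carol", "adDistinguishedName": "CN=alice,OU=Users,DC=example,DC=com"},
    "bob":   {"manager": "dave",  "adDistinguishedName": "CN=bob,OU=Users,DC=example,DC=com"},
    "carol": {"manager": None,    "adDistinguishedName": "CN=carol,OU=Users,DC=example,DC=com"},
    "dave":  {"manager": "carol", "adDistinguishedName": "CN=dave,OU=Users,DC=example,DC=com"},
}

# Constructed AD snapshot: bob's 'manager' still holds the pre-change value.
AD_ACCOUNTS = {
    "alice": {"manager": "CN=carol,OU=Users,DC=example,DC=com"},
    "bob":   {"manager": "CN=carol,OU=Users,DC=example,DC=com"},  # stale: HR moved bob under dave
    "carol": {"manager": None},
    "dave":  {"manager": "CN=carol,OU=Users,DC=example,DC=com"},
}


def expected_manager_dn(uid: str, identities: dict) -> Optional[str]:
    """Mirror the getReferenceIdentityAttribute transform: resolve the manager
    identity and return its adDistinguishedName. Returns None when there is no
    manager, since a literal such as 'no manager exists' is not a valid DN."""
    manager_uid = identities[uid].get("manager")
    if manager_uid is None or manager_uid not in identities:
        return None
    return identities[manager_uid].get("adDistinguishedName")


def _norm(dn: Optional[str]) -> Optional[str]:
    # AD distinguished names compare case-insensitively.
    return dn.lower() if dn else None


def find_manager_drift(identities: dict, ad_accounts: dict) -> dict:
    """Return {uid: (ad_value, expected_value)} for every AD account whose
    manager differs from the DN the identity data says it should carry."""
    drift = {}
    for uid, account in ad_accounts.items():
        if uid not in identities:
            continue  # AD account with no matching identity: out of scope here
        expected = expected_manager_dn(uid, identities)
        actual = account.get("manager")
        if _norm(actual) != _norm(expected):
            drift[uid] = (actual, expected)
    return drift


if __name__ == "__main__":
    for uid, (actual, expected) in sorted(find_manager_drift(IDENTITIES, AD_ACCOUNTS).items()):
        print(f"{uid}: AD manager={actual!r} expected={expected!r}")
```

Accounts reported here are the ones a re-sync after the identity attribute mapping is in place should correct; an empty result means AD and IDN agree on managers.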
