How to move AD Account to cross domain?

Hi folks,

I have onboarded an AD application with multiple forests and I am currently working on a use case involving moving an account to a different forest or cross domain. I have tried to use the ProvisioningPlan with AC_NewParent, but it is not working properly. I would appreciate any inputs or sample code related to this issue.

Thanks!

Hi @nmita_tamang

What kind of error are you receiving? Are the forests reachable from each other?

On the other side, could you provide the code you are using, or how you are setting up the ProvisioningPlan?

Hi @ismaelmoreno1
As of now, I am not able to see any errors. Not sure whether the forests are reachable or not.

    import sailpoint.api.Provisioner;
    import sailpoint.api.SailPointContext;
    import sailpoint.object.Attributes;
    import sailpoint.object.Identity;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    import sailpoint.object.ProvisioningProject;
    import sailpoint.tools.GeneralException;

    // Rule body: 'context' is the SailPointContext that IIQ passes into every rule.
    String identityName = "12345";
    // Current DN of the account in the source domain (APAC)
    String nativeIdentity = "CN=Test User,OU=Users,OU=Active,DC=APAC,DC=Dummy,DC=COM";
    // Target container in the destination domain (AMER)
    String newBaseDN = "OU=Sample,OU=Users,OU=Active,DC=AMER,DC=Dummy,DC=COM";
    // Full DN the account is expected to have after the move
    String newDN = "CN=Test User,OU=Sample,OU=Users,OU=Active,DC=AMER,DC=Dummy,DC=COM";

    Identity identityObj = context.getObjectByName(Identity.class, identityName);
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identityObj);

    // Arguments that are handed to the connector alongside the attribute requests
    Attributes attrs = new Attributes();

    // Modify the existing AD account identified by its current DN
    AccountRequest accReq = new AccountRequest();
    accReq.setApplication("AD");
    accReq.setNativeIdentity(nativeIdentity);
    accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);

    // AC_NewParent asks the AD connector to move the object under a new parent container
    accReq.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, newBaseDN));
    attrs.put("AC_NewParent", newBaseDN);

    // AC_NewName additionally requests a rename of the object; a plain move that keeps the CN needs only AC_NewParent
    accReq.add(new AttributeRequest("AC_NewName", ProvisioningPlan.Operation.Set, newDN));
    attrs.put("AC_NewName", newDN);

    accReq.setArgs(attrs);

    plan.add(accReq);

    // Compile and execute the plan directly (no workflow/approval), without locking the identity
    Provisioner provisioner = new Provisioner(context);
    provisioner.setOptimisticProvisioning(true);
    provisioner.setNoLocking(true);
    // provisioner.processWithoutFiltering(plan);
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);

    // The project carries the per-connector results and any errors reported by the AD connector
    return provisioner.getProject();

Hi @nmita_tamang,

Have you found any solution?

Hi @nmita_tamang ,

This is a sample Before Provisioning Rule to move an account to a different OU if there is a change in department.

import java.util.List;

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.Util;

        // Rule body: 'plan' is the ProvisioningPlan that IIQ passes into a Before Provisioning Rule
        String newOU = "OU=ASIA,DC=domain,DC=com";
        if (null != plan && (!Util.isEmpty(plan.getAccountRequests()))) {
            for (AccountRequest accountRequest : plan.getAccountRequests()) {
                // Compare against the constant first so a null operation cannot throw
                if (ProvisioningPlan.AccountRequest.Operation.Modify.equals(accountRequest.getOperation())) {
                    // Any attribute request touching 'department' triggers the move
                    List attributeRequestList = accountRequest.getAttributeRequests("department");
                    if (attributeRequestList != null && !attributeRequestList.isEmpty()) {
                        // AC_NewParent tells the AD connector which container to move the object into
                        accountRequest.add(new AttributeRequest("AC_NewParent",
                                ProvisioningPlan.Operation.Set, newOU));
                    }

                }
            }
        }

This rule is not checking for the uniqueness of nativeIdentity.

2 Likes
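As an added example (not code from either poster, nor a SailPoint-supplied rule), here is a Before Provisioning Rule body that combines the two ideas in this thread: it maps the requested department to a target OU, and it refuses to add AC_NewParent when a Link with the resulting DN already exists, which closes the nativeIdentity-uniqueness gap noted above. It assumes the rule variables IIQ passes to a Before Provisioning Rule (`plan`, `context`, `log`), that the AD application is named "AD", that the department-to-OU map and the example DNs are constructed sample values, and that a move requested with AC_NewParent alone keeps the object's existing RDN (the helper `rdnOf` and the map `ouByDepartment` are hypothetical names introduced here).

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Constructed sample mapping of department value -> target container (not a real directory).
Map ouByDepartment = new HashMap();
ouByDepartment.put("Finance", "OU=Finance,OU=Users,DC=example,DC=com");
ouByDepartment.put("Sales",   "OU=Sales,OU=Users,DC=example,DC=com");

// Hypothetical helper: return the leading RDN ("CN=Jane Doe") of a DN.
String rdnOf(String dn) {
    if (dn == null) return null;
    int comma = dn.indexOf(',');
    return (comma < 0) ? dn : dn.substring(0, comma);
}

// Hypothetical helper: true if an aggregated Link on this application already has the target DN.
// AD DNs are case-insensitive, so the comparison ignores case.
boolean dnAlreadyInUse(String appName, String targetDn) {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("application.name", appName));
    qo.addFilter(Filter.ignoreCase(Filter.eq("nativeIdentity", targetDn)));
    return context.countObjects(Link.class, qo) > 0;
}

if (plan != null && !Util.isEmpty(plan.getAccountRequests())) {
    for (AccountRequest accountRequest : plan.getAccountRequests()) {
        // Only existing AD accounts being modified are candidates for a move
        if (!ProvisioningPlan.AccountRequest.Operation.Modify.equals(accountRequest.getOperation())) continue;
        if (!"AD".equals(accountRequest.getApplication())) continue;

        List deptRequests = accountRequest.getAttributeRequests("department");
        if (Util.isEmpty(deptRequests)) continue;

        // Use the first department request; only a plain Set carries a new value to map
        AttributeRequest deptReq = (AttributeRequest) deptRequests.get(0);
        if (!ProvisioningPlan.Operation.Set.equals(deptReq.getOperation())) continue;
        String newDept = (String) deptReq.getValue();
        String targetOu = (String) ouByDepartment.get(newDept);
        if (targetOu == null) {
            log.info("No OU mapped for department '" + newDept + "', leaving account in place");
            continue;
        }

        // Assumption: the connector keeps the RDN, so the post-move DN is RDN + target OU
        String currentDn = accountRequest.getNativeIdentity();
        String targetDn = rdnOf(currentDn) + "," + targetOu;

        // Already in the target container: nothing to do
        if (currentDn != null && currentDn.equalsIgnoreCase(targetDn)) continue;

        // Uniqueness check: do not request a move onto a DN another account already holds
        if (dnAlreadyInUse(accountRequest.getApplication(), targetDn)) {
            log.warn("Skipping move of " + currentDn + ": " + targetDn + " already exists in IIQ");
            continue;
        }

        accountRequest.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, targetOu));
        log.info("Requesting move of " + currentDn + " to " + targetOu);
    }
}
```

The uniqueness check only sees what IIQ has aggregated into Link objects, so an object created in the directory since the last aggregation will not be detected; the connector's own error on the move remains the final safeguard, and that error surfaces in the ProvisioningProject returned by the Provisioner, which is the first place to look when a move "does nothing" as in the original question.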
