How to move disabled users into Term OU, if enabled again it should be moved to original OU for AD Application?

Which IIQ version are you inquiring about?

8.3


Write a before provisioning rule. Check the operation in this rule: whenever the operation is disable, change the plan to a modify operation and change the user's OU to the TERM OU.

Similarly, you can do this for any other operation as well.
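A sketch of such a before provisioning rule body (BeanShell), added here as an example and not code from this thread or from SailPoint. This variant keeps the Disable/Enable operation and adds `AC_NewParent` to the request, as a later reply suggests, rather than switching the request to Modify. Assumptions: the Term OU DN is a constructed placeholder, `adOriginalOU` is a hypothetical identity attribute that holds the OU the account should return to, and the rule uses the `plan` and `log` variables that IdentityIQ passes to rules.

```java
// Added example: BeforeProvisioning rule body for the AD application (BeanShell).
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Constructed placeholder DN; replace with the real container for terminated accounts.
String TERM_OU = "OU=Term,DC=example,DC=com";
// Hypothetical identity attribute (an assumption) holding the account's original OU.
String ORIGINAL_OU_ATTR = "adOriginalOU";

// Set AC_NewParent on the request, reusing an existing attribute request if present
// so the plan never carries two conflicting move targets.
void setNewParent(AccountRequest req, String parentDn) {
    AttributeRequest existing = req.getAttributeRequest("AC_NewParent");
    if (existing != null) {
        existing.setValue(parentDn);
    } else {
        req.add(new AttributeRequest("AC_NewParent",
                ProvisioningPlan.Operation.Set, parentDn));
    }
}

if (plan != null && plan.getAccountRequests() != null) {
    Identity identity = plan.getIdentity();
    for (AccountRequest req : plan.getAccountRequests()) {
        AccountRequest.Operation op = req.getOperation();
        if (AccountRequest.Operation.Disable.equals(op)) {
            // Leaver: the account is disabled and moved to the Term OU.
            setNewParent(req, TERM_OU);
        } else if (AccountRequest.Operation.Enable.equals(op)) {
            // Rehire: move back only when a stored original OU is available.
            Object original = (identity != null)
                    ? identity.getAttribute(ORIGINAL_OU_ATTR) : null;
            if (original instanceof String
                    && ((String) original).trim().length() > 0) {
                setNewParent(req, ((String) original).trim());
            } else {
                // No stored OU: leave the account where it is instead of guessing,
                // and log it so the move can be reviewed manually.
                log.warn("Enable for " + req.getNativeIdentity()
                        + " has no " + ORIGINAL_OU_ATTR + "; account not moved");
            }
        }
    }
}
```

Leaving a re-enabled account in the Term OU when no original OU is recorded keeps it under that OU's policies until someone confirms where it belongs.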

You can configure AC_NewParent on your provisioning policy to move the account.

The out-of-the-box option is to use Rapid Setup. Select the AD application - Leaver Option - enable Move account and enter the OU path.

On rehire events, you need a Form field containing:

```xml
<Field application="Active Directory" displayName="con_prov_policy_ad_distinguishedName" helpKey="help_con_prov_policy_ad_distinguishedName" name="AC_NewParent" required="true" section="Account" type="string">
  <ValidationScript>
    <Source><![CDATA[
      import sailpoint.tools.Util;

      try {
        // Reject an empty value or one without a CN= component;
        // returning null means the value passed validation.
        if (Util.isAnyNullOrEmpty(value) || !(value.contains("CN="))) {
          return "must contains full DN value";
        } else {
          return null;
        }
      } catch (Exception e) {
        return "error: " + e.getMessage();
      }
    ]]></Source>
  </ValidationScript>
</Field>
```

@sathish3004 Use the 'enable' and 'disable' operations in the provisioning policies. You can set the value of AC_NewParent to change the OU.

@sathish3004 Are you using a custom workflow or the OOTB workflow for termination and rehire? If you are using a custom one, you can separate the request into one for the OU update and another for the remaining attribute updates. If you are using OOTB, SailPoint internally takes care of these transactions.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react(:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.