Hello,
I currently have a provisioning policy to create an Active Directory account in the IT role. When I run an identity refresh, that same role provisioning policy is getting triggered. Is there a way to only trigger the provisioning policy on the account creation and not every time a refresh event occurs?
Hi @chaynes2434,
Do you mean the role is getting triggered one time after creation or every time?
Overall, a role with a match criteria will be triggered every time an identity matches the criteria and the role is not assigned/detected. So, in your case, I think the role will be provisioned but not assigned, or not correctly.
Take a look at whether the role on the identity is OK.
So as not to be triggered, you can remove the match criteria from the role.
This is correct, and it’s an unfortunate side-effect of the way IT roles work in IIQ. Basically, to evaluate roles for a user, IIQ calculates all of the matching business roles, then just bulk-reassigns the lot of them to the user in one big ProvisioningPlan. The provisioner expands the roles and filters out anything the user already has, so most of the time, this is a no-op. (You can see it as a provisioning transaction, though!)
So, you won’t be able to suppress the provisioning policy being called. However, you can see the existing value of the field (“current”) in the provisioning policy. You can use this to just return what’s already there, if it’s not a create.
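A sketch of the approach in the last reply, as an added example that is not code from this thread or from SailPoint: a BeanShell value script for one provisioning policy field that returns `current` when the account already has a value and only computes a value otherwise. The `identity` script variable and the naming convention in the create branch are assumptions; replace them with your own logic.

```java
// BeanShell body of a value script on a provisioning policy field (IdentityIQ).
// 'current' is the existing value of the field, as described in the reply above.
// 'identity' (sailpoint.object.Identity) is assumed to be available to the script.

// Treat null, blank strings and empty collections as "no existing value".
boolean hasCurrent(Object value) {
    if (value == null) {
        return false;
    }
    if (value instanceof String) {
        return ((String) value).trim().length() > 0;
    }
    if (value instanceof java.util.Collection) {
        return !((java.util.Collection) value).isEmpty();
    }
    return true;
}

// Refresh or role re-evaluation on an existing account: hand back what is
// already there, so the policy does not compute a different value and
// rewrite the attribute on every refresh.
if (hasCurrent(current)) {
    return current;
}

// No existing value, so this is the create path: compute the initial value.
// Hypothetical convention (first initial + last name), for illustration only.
String first = identity.getFirstname();
String last = identity.getLastname();
if (first == null || first.length() == 0 || last == null || last.length() == 0) {
    return identity.getName();
}
return (first.substring(0, 1) + last).toLowerCase();
```

The policy still runs on every refresh, as the reply explains; the script only makes the run idempotent for this field.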