IDN - Update Policy for Active Directory

Hi Team,

I need to implement the mover scenario for AD wherein the user's AD account will be moved to a new OU based on a city change (city is an identity attribute). Can we write a lookup transform on the DN attribute in the UPDATE provisioning policy to handle this?

Note that we already have a transform in the CREATE policy on the DN, where we are creating the new user account in the specific OU based on the OU-City lookup. Also, we are doing the OU movement in case of the "DISABLE" operation (moving to a disabled OU).

Also, what would be the trigger for this update policy, and how is it different from attribute sync? Do I need to include all the attributes which are in the "Create Profile" in the update policy as well (since I suspect that only the attributes in the update policy will be passed in the plan and IDN will blank out the remaining attributes; I have seen this in the Web Services connector)?

It's not that simple; just changing the DN does not move an account in AD. If you want to do that via the Active Directory Direct Connector you have to provision the AC_NewParent attribute instead of DN. Here you can find some more details


Hi Bhuvnesh,

Please take a look at the links provided: Best Practices: Active Directory Account Moves - Compass and also https://community.sailpoint.com/t5/IdentityNow-Forum/IdentityNow-Mock-Project-Services-Standard-BeforeProvisioning/td-p/216158

Now, use the Before Provisioning rule instead of the Update Provisioning rule. This is because the whole update policy will be called when there is an update in any of the attributes. So the best practice would be to use the Before Provisioning rule.

The answer for this is "attribute sync". If you have enabled attribute sync for "OU-City", the update provisioning policy will be triggered. Also, you cannot change the CN and DN values directly by using attribute sync, as AD only knows that if AC_NewName is called it is an update event for the CN, and if AC_NewParent, it is for the DN. This can be done via attribute sync or else by the Before Provisioning rule.

Take a look at the below two links too:

Only the needed attributes from the create profile are enough for the update policy.

Thanks!!


Hi Bhuvnesh,
I have worked on a similar use case. We have used attribute sync to trigger the update operation. We have used the create profile to create the account in AD, and for the other operations we have used the Services Standard BeforeProvisioning rule. When an account is disabled in AD, it will be moved to the disabled OU. This is sample code for the disable operation.

```json
{
  "cloudServicesIDNSetup": {
    "eventConfigurations": [
      {
        "eventActions": [
          {
            "Action": "ADMoveAccount",
            "Attribute": "AC_NewParent",
            "Value": "OU=Disabled,DC=test,DC=local"
          }
        ],
        "Identity Attribute Triggers": [
          {
            "Attribute": "cloudLifecycleState",
            "Value": "inactive",
            "Operation": "eq"
          }
        ],
        "Operation": "Disable"
      }
    ]
  }
}
```

To know more about the Services Standard BeforeProvisioning rule, check this document: https://community.sailpoint.com/t5/IdentityNow-Forum/IdentityNow-Mock-Project-Services-Standard-BeforeProvisioning/td-p/216158

@bhuvi_kpmg use these options as stated below:

[
    {
        "name": "Account",
        "description": null,
        "usageType": "CREATE",
        "fields": [
            {
                "name": "ObjectType",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "User"
                    }
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "distinguishedName",
                "transform": {
                    "type": "rule",
                    "attributes": {
                        "name": "Create Unique Account ID"
                    }
                },
                "attributes": {
                    "template": "CN=$(firstname).$(lastname)$(uniqueCounter),CN=Users,DC=domaincon,DC=com",
                    "cloudMaxUniqueChecks": "50",
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sAMAccountName",
                "transform": {
                    "type": "rule",
                    "attributes": {
                        "name": "Create Unique LDAP Attribute"
                    }
                },
                "attributes": {
                    "template": "$(firstname).$(lastname)$(uniqueCounter)",
                    "cloudMaxUniqueChecks": "50",
                    "cloudMaxSize": "20",
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "displayName",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "displayName"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "manager",
                "transform": {
                    "type": "rule",
                    "attributes": {
                        "name": "Get Manager LDAP DN"
                    }
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "mail",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "email"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "password",
                "transform": {
                    "type": "rule",
                    "attributes": {
                        "name": "Create Password"
                    }
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "secret",
                "isMultiValued": false
            },
            {
                "name": "givenName",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "firstname"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sn",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "lastname"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "pwdLastSet",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "false"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "boolean",
                "isMultiValued": false
            },
            {
                "name": "IIQDisabled",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "false"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "boolean",
                "isMultiValued": false
            },
            {
                "name": "primaryGroupDN",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": ""
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "description",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": ""
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "telephoneNumber",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "phone"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msNPAllowDialin",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "homeMDB",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "testattribute",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "mailNickname",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "shadowAccountDN",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msExchHideFromAddressLists",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "boolean",
                "isMultiValued": false
            },
            {
                "name": "SipAddress",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "SipDomain",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "SipAddressType",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msNPCallingStationID",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "msRADIUSCallbackNumber",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msRADIUSFramedRoute",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "msRADIUSFramedIPAddress",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "RegistrarPool",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "dNSHostName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msDS-SupportedEncryptionTypes",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "msDS-ManagedPasswordInterval",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msDS-GroupMSAMembership",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "msDS-AllowedToActOnBehalfOfOtherIdentity",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "servicePrincipalName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "externalEmailAddress",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Create Group",
        "description": null,
        "usageType": "CREATE_GROUP",
        "fields": [
            {
                "name": "distinguishedName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sAMAccountName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Update Group",
        "description": null,
        "usageType": "UPDATE_GROUP",
        "fields": [
            {
                "name": "GroupType",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "GroupScope",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "description",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "mailNickname",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Account",
        "description": null,
        "usageType": "DISABLE",
        "fields": [
            {
                "name": "AC_NewParent",
                "transform": {
                    "attributes": {
                        "value": "OU=disabled,DC=domaincon,DC=com"
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Account",
        "description": null,
        "usageType": "ENABLE",
        "fields": [
            {
                "name": "AC_NewParent",
                "transform": {
                    "attributes": {
                        "value": "CN=Users,DC=domaincon,DC=com"
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    }
]
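The policy above covers CREATE, DISABLE and ENABLE; the UPDATE policy that the original question asks for follows the same DISABLE/ENABLE pattern, with the static value replaced by a lookup transform keyed on the city identity attribute. This is an added example for this thread, not code from the original poster or from SailPoint: the OU DNs, the city names in the table and the assumption that the identity attribute is called "city" are constructed for the illustration. It contains only the AC_NewParent field, in line with the advice in the thread that the update policy needs only the attributes it actually changes, so no other account attribute is put into the plan or blanked.

```json
[
    {
        "name": "Account",
        "description": "Mover: re-parent the AD account when city changes",
        "usageType": "UPDATE",
        "fields": [
            {
                "name": "AC_NewParent",
                "transform": {
                    "type": "lookup",
                    "attributes": {
                        "input": {
                            "type": "identityAttribute",
                            "attributes": {
                                "name": "city"
                            }
                        },
                        "table": {
                            "Boston": "OU=Boston,OU=Users,DC=domaincon,DC=com",
                            "London": "OU=London,OU=Users,DC=domaincon,DC=com",
                            "default": "OU=Unassigned,OU=Users,DC=domaincon,DC=com"
                        }
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    }
]
```

Three caveats when using this. AC_NewParent takes the DN of the target container only, not the account's full DN; the connector keeps the existing CN unless AC_NewName is also provisioned. The lookup table matches the input string exactly, so if city values arrive from the HR source in mixed case, normalise them (for example with an upper transform around the identityAttribute input) or the "default" branch will fire for "boston" versus "Boston". Finally, as the replies above note, the UPDATE policy is only evaluated when something triggers a modify, so attribute sync has to be enabled for an attribute that changes with the city; without a trigger the move never runs.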
