Issue in Provisioning Policy (Add Entitlements) – Email attribute not resolving

Description:
I’m facing an issue when using a Provisioning Policy in the “Add Entitlements” operation.

The target application requires an email field, but I’m unable to populate it using any of the following options:

  • Identity attribute (e.g. email)

  • Account attribute (e.g. mail from AD or HR source)

  • Even when trying to inject the value via a BeforeProvisioning Rule, the field still arrives as null.

It seems that during the “Add Entitlements” operation, the plan context does not have access to these attributes — even though they are correctly populated in both the identity and account.

Has anyone experienced this limitation?
Is there any specific way to reference identity or account attributes in Entitlement-only operations, or is this a known restriction in ISC?

Hi @henriqueoliveiraIAM, I have seen this problem. I think this is not an issue; the plan just does not contain other attribute values not related to the current operation.

What I have done to fix it in other plan operations is force the attributes to appear using the provisioning policy. In my case, I need the email in the enable and disable operations, so I added it to the Disable and Enable Provisioning Policy. I think you can add the email field in the Assign Provisioning Policy.

Just create a new Provisioning Policy in Visual Studio Code:

I think the type for entitlement addition is Assign (if it works, share here with us; if it does not, try another type).

You can copy the email attribute from the Create Provisioning Policy, but it should be something like this:

{
    "name": "Add Entitlement",
    "description": null,
    "usageType": "ASSIGN",
    "fields": [
        {
            "name": "mail",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "email"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

Hi,

This is my provisioning plan:

{
    "name": "Add",
    "description": null,
    "usageType": "ASSIGN",
    "fields": [
        {
            "name": "emailadiciona",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "email"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

@henriqueoliveiraIAM Did this work for you?

Hello, it didn’t work.

We remind you that creating a before rule retrieved the collaborator’s email address from SailPoint.