Our AD attribute sync works properly overall except the ManagerDN attribute. For this attribute we have a cloud rule to calculate ManagerDN value. And in case of terminated users, this identity attribute is set to null value on the termination date. So, on the termination date, SailPoint evaluates this rule along with lifecyclestate ( turns inactive). Both these attributes get updated correctly on the terminated Identities. ManagerADDN is mapped to manager attribute on AD source and selected for attribute sync. along with some 20 other attributes on AD source.
This has been working well until end of October. But somewhere from November onwards there is inconsistent behaviour with manageDN attribute sync only while rest of the attributes are synched alright. In a set of random 10 terminations, some identities would have the null value synched for manager to AD and some don’t.
I can’t find anything specific in the logs ,as there is no modify event logged for those identities which missed out attribute sync with ManagerDN attribute. A manual attribute sync on such identity does send the null value to AD manager attribute. I have seem some topics with similar issue but for them it seems working after some correction to their manageraddn transform.
Is anyone facing similar inconsistent behaviour with attribute sync when a null value is involved?
What can I do to do in depth investigation of this issue? I have compared results for identities from past 3 months and hence see this as inconsistent.