Modification of AD account

shaileeM · May 9, 2024, 1:54am

Dear All,

We have a use case where one identity can possess two AD accounts on the same AD source. I understand that modification in such cases fail with below error:

Native Identity should not be null or empty

May I understand is there a way to modify just the primary account and do not touch the secondary account.

Any help on this would be appreciated.

Thanks,
Shailee

ts_fpatterson · May 9, 2024, 3:17am

You will want to create multiple AD sources. Be aware of the account types and what access they need in comparison to other accounts on the other source. An example use case might be for privileged accounts where you would want separate entitlements, container placement, etc.

shaileeM · May 9, 2024, 4:17am

Thank you @ts_fpatterson.

Yes you are right, some of the secondary accounts are indeed part of PAM accesses, some are not.

I was wondering if its possible to instruct IDN with correct nativeIdentity value in BP Rule to achieve this?

I understand that creating multiple AD sources is one of the options.

sushantkulkarni · May 9, 2024, 5:51am

Can you also look into this thread for configuring the access provisioning for multiple accounts?
IdentityNow Multi Account Support - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

You can specify a preference here for access requests. But for other modifications, @ts_fpatterson’s suggestion is what generally is preferred due to its simplicity. But if you explicitly need to do it in a single source, as you already mentioned, a complex before provisioning rule will be required to ensure the right account is selected for provisioning.

I would not prefer this approach as there are some considerations with what happens with ProvisioningResult object in the backend, which will need some manipulation to avoid ISC to trigger an unintended retry of provisioning. It can get tricky with ensuring all corner cases are handled in your code. But if you really had to go for it, consider the rule util APIs to fetch the intended account and reconstructing the account request with the necessary downstream use cases handled.

system · July 8, 2024, 5:51am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AD Multiple accounts - Attribute Sync ISC Discussion and Questions	2	1010	July 19, 2023
AD account creation bypass ISC Discussion and Questions identity-security-cloud , provisioning , connectors	3	65	October 29, 2024
Modify Account Request for Active Directory after IdentityRefresh ISC Discussion and Questions identity-security-cloud , account-activities	8	182	July 2, 2024
AD: Account created but failed to modify IIQ Discussion and Questions aggregation , identityiq , provisioning , entitlements	11	1115	January 9, 2024
Native Identity should not be null or empty ISC Discussion and Questions aggregation , identity-security-cloud	10	768	May 25, 2024

Modification of AD account

Related topics