I need to perform a move from an Active Directory branch to another branch when the AD account is disabled and vice versa. Looking at the documentation, I found this link, "Best Practices: Active Directory Account Moves - Compass", which refers to a beforeprovisioning rule to implement. I followed the guide and created the rule on my Sandbox environment.
My question is how can I verify that the beforeprovisioning rule works?
In addition to having loaded it, I have not set it anywhere, as for the attributegenerator for example, which calls the rule in the provisioning policy.
Can you help me?
Thanks
Creating the BeforeProvisioning rule is a great first step, but it won’t do anything until you link it to your Active Directory (AD) application in SailPoint.
Here’s how to set it up:
Open your AD application in SailPoint.
Click Edit to access the settings.
Find the “Before Provisioning Rule” option.
Select the rule you created from the list.
Click Save to apply the changes.
To check if it’s working:
Try an action that should trigger the rule, like disabling an AD account.
Then go to the Identity Requests section in SailPoint.
Open the request and see if your rule was executed and what changes it made.
Thank you for pointing that out, and apologies for the confusion earlier. You’re absolutely right, the steps I mentioned related to IdentityIQ don’t apply here.
I wanted to ask you something.
Following your guide, I set the AC_NewParent with the OU for disabled accounts. But the question I ask myself is, on the source will I see the distinguished name populated with the new branch? Or do I also have to import the Distinguished Name attribute in the update policy?
Hi Vito,
After the OU is moved, you will need to do a full aggregation to have the updated OU inside ISC. You don’t need to populate Distinguished Name.