Move OU in Active Directory based on Lifecycle

TPA_SP_ARCH · February 26, 2025, 4:11am

Hello All,

My client does not have the Funding tight now to have the standard rule deployed in ISC so I’ve had to come up with a work around and needs some help.

I have set various lifecycle states to move a user to the respective OU but not sure the best route on AD to move the account in AD. I tired The modify provision policy using the attribute lifecycle and look up transform but I can’t get the account to move to the respect of OU.

Does anybody have any idea ideas or tips to completing this? It would be very grateful so that I could close this request as the uniqueness as it is.

sidharth_tarlapally · February 26, 2025, 9:01am

Hello @TPA_SP_ARCH

Welcome to the Developer Community

We can follow the legacy method for mover scenario for AD.

Sync LCS attribute with Account Attribute on AD - Synchronizing Attributes - SailPoint Identity Services
Implement an After Rule on AD for Modify Operation - Before and After Operations on Source Account Rule | SailPoint Developer Community

Hope this helps !
Thanks!

spgrammatakis · February 26, 2025, 9:18am

Hi,

You can use the DISABLE/ENABLE provisioning policies to move OUs like shown here:

There are more forum posts about this. I would suggest to use ENABLE/DISABLE policies and not the UPDATE/MODIFY ones. Using ENABLE/DISABLE makes sure the actions are taken an account is enabled or disabled, which should happen through lifecycle states ideally.

A question I have on the matter. According to the best practices from the vendor,

we should be using the before provisioning rule but that makes any change made more time consuming than it needs to be. Seeing from personal experience as well as posts from Ambassadors that the provisioning policies work just fine, do we have a reason to use the Rule or the Standard Sailpoint Rule if the requirements can be satisfied using just the provisioning policies?

phil_awlings · February 26, 2025, 10:49am

Hi,
Check out my post which solves all of your issues:

TPA_SP_ARCH · February 27, 2025, 3:26am

Thank you sir.

My question to the group is can i do this with a look up transform as below instead of a static value. If i just do a static vaule on disable it will move OU however the below I am trying and its change the lifecycle and disabling the account but not moving the OU as it should. Any idea would be awsome

{
    "name": "Move Account to Disabled OU",
    "description": "Move Account to Disabled OU",
    "usageType": "DISABLE",
    "fields": [
        {
            "name": "AC_NewParent",
            "transform": {
                "attributes": {
                    "input:": {
                        "attributes": {
                            "attributeName": "cloudLifecycleState"
                        },
                        "type": "identityAttribute"
                    },
                    "table": {
                        "inactive": "OU=Disabled,OU=SailPoint,OU=Test,OU=Accounts,OU=XXXX,DC=XXX,DC=net",
                        "inactiveremoval": "OU=Removal,OU=SailPoint,OU=Test,OU=Accounts,OU=XXXXX,DC=XXX,DC=net",
                        "default": ""
                    }
                },
                "type": "lookup"
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}