Multiple account in single application of AD

Which IIQ version are you inquiring about?

Version 8.4

I have a multi-forest Active Directory setup onboarded into SailPoint as a single application, with a 2-way transitive trust between all the domains.
There are 2 forests and each forest has 2 domains. When a single entitlement is requested for a new user, the account is created in the domain where the group is located. I have a business role which has entitlements from 2 forests; now only one account in one forest is created and the second account cannot be created.

How do I tackle this?

If you are managing permissions via business roles, you can create an account selector rule for the IT role which will either assign the permission to the correct account (if 2 accounts are available on the identity) or will return a new Link object. This will trigger account creation in AD. The only thing is that you also have to handle this in your AD provisioning policy.

Okay. What if there is a joiner role for the new user? I want to create two accounts which will have access to one group each, but even if I create separate roles, IIQ only identifies one account, not two, and tries to provision both roles under the same account.

How do I tackle that?

Let me summarize to check whether I understand correctly.

You have a group1Domain1 entitlement and a group2Domain2 entitlement.
You have a new joiner and you want to create an account in Domain1 with the group1Domain1 entitlement and a second account in Domain2 with the group2Domain2 entitlement, right?

In this case I would create 2 IT Roles with 2 account selector rules with the following logic:

import sailpoint.object.Link;

// Account selector rule: return the identity's existing link in the expected
// domain; if none matches, return a new (empty) Link so IIQ creates an account there.
Link bestCandidate = new Link();
String expectedDomain = "Domain1";
if (links != null) {
  for (Link link : links) {
    // see if this is a good candidate
    String linkDomain = (String) link.getAttribute("DOMAIN_ATTRIBUTE");
    // compare from the constant side so a link with no domain attribute cannot cause an NPE
    if (expectedDomain.equals(linkDomain)) {
      bestCandidate = link;
      break;
    }
  }
}
return bestCandidate;

This will ensure the group is always assigned to the Domain1 account. You can make a similar one for Domain2, and this way you can drive to which domain you assign each group.

If you want to have two different accounts being created, you need to have a SailPoint-only account attribute that can differentiate the two accounts,
like a Type attribute.
And you can have an assignment rule to only create the second account if the first one exists, and for this second one you can use the Role Account Selector rule to return a new Link() instead of the "first account" link.

If you want, I can help you more with it.

I would say please revisit the design and check whether the single application will fulfil your need or whether you need to create multiple applications based on domain / sub-domain.

This would be very important, because otherwise changing the application model later would be very difficult.

I have seen many scenarios where a company has created just one application and ended up with multiple issues; if they had instead created multiple applications, they would have been able to achieve their requirement in a much simpler way with less complex code.

Hi Balaji,

Assuming you require 2 AD accounts for the joiner, you can add a conditional custom step into the joiner workflow which returns a plan. The plan should have 2 account requests; set the native identities for both account requests (calculate the account DN as the native identity) and return the plan.

The result variable of the step should be the plan, and transition to LCM provisioning in the next step. This should do the trick.
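As an added illustration of the workflow-step approach described in this reply (example code written for this thread, not the poster's own and not from SailPoint), the Beanshell-style step body below builds a ProvisioningPlan with one Create account request per domain, each with its DN computed as the native identity and carrying only that domain's group. The application name "Active Directory", the identity variable name, the OU and group DNs, the `DOMAIN_ATTRIBUTE`-free naming, and the use of `sAMAccountName`/`memberOf` as schema attribute names are all assumptions; adjust them to your application schema and forests.

```java
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Workflow step body. Assumes the step receives the joiner's "identity"
// variable and that the AD application is named "Active Directory" (hypothetical).
String appName = "Active Directory";

// Hypothetical OU and group DNs; replace with the real values for your forests.
String domain1UserOu = "OU=Users,DC=domain1,DC=forest1,DC=example";
String domain2UserOu = "OU=Users,DC=domain2,DC=forest2,DC=example";
String group1Domain1 = "CN=group1,OU=Groups,DC=domain1,DC=forest1,DC=example";
String group2Domain2 = "CN=group2,OU=Groups,DC=domain2,DC=forest2,DC=example";

// Build a Create request for one domain. Each account receives only its own
// group, so neither account carries access that belongs to the other domain.
AccountRequest buildCreate(String app, String ou, String sam, String groupDn) {
  AccountRequest req = new AccountRequest();
  req.setApplication(app);
  req.setOperation(AccountRequest.Operation.Create);
  // In AD the DN is the native identity; computing it here pins the account
  // to the intended domain instead of leaving that choice to the provisioning policy.
  req.setNativeIdentity("CN=" + sam + "," + ou);
  req.add(new AttributeRequest("sAMAccountName", ProvisioningPlan.Operation.Set, sam));
  req.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Add, groupDn));
  return req;
}

String sam = identity.getName();
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);
plan.add(buildCreate(appName, domain1UserOu, sam, group1Domain1));
plan.add(buildCreate(appName, domain2UserOu, sam, group2Domain2));

// The step's result variable is this plan; the next transition goes to LCM Provisioning.
return plan;
```

Because both requests target the same application, the distinct native identities are what keep IIQ from merging them into a single account; if the DN computation ever yields the same value for both domains, the second request would collapse onto the first, so the OU values deserve a check before the plan is returned.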
