Not to update the samAccountName on change of an identity attribute


We are creating the samAccountName using the pattern as ‘$(firstname)$(lastname)$(uniqueCounter)’. The requirement is not to modify the samAccountName when the lastname attribute of the identity is changed.

Can you suggest a way to handle this as I could see samAccountName value changing when the lastname is changed.

Is this pattern used in a transform on an identity profile, or as part of a create provisioning policy or attribute sync? Just need to know where this transform is happening to help come up with a solution.

Also, where does the last name change? Is that in the source account?

The pattern is used to generate samAccountName as part of create provisioning policy.

Also, the last name is changed in the authoritative source system and then aggregated to IdentityNow.

A create provisioning policy is activated only when an identity is granted access to the source, via an entitlement, and no account for that identity exists yet. Configuring Source Account Provisioning - SailPoint Identity Services

Once the identity has an account, the create provisioning policy will no longer be invoked, regardless of any changes to identity attributes.