POST /v3/create creates account on a different source

Hello all,

We used the v3/create call in order to create an account on a CSV source in IdentityNow. In the body we used the correct sourceId and we were able to see the account in IdentityNow.

Because of its attributes the account was granted with an Active Directory role, which triggered its provisioning to that source. However, we noticed that we were able to see this account on Active Directory in IDN even before running an AD aggregation.

Is that an expected behavior?

Thank you in advance.

Hello Anna,

Welcome to the Dev community!

Yes, your understanding is correct.
As soon as IDN creates an account and provisions access to the target source, it updates the account in the respective identity within IDN as part of the process, before the actual aggregation.

Hi @kvetanna

Yes, as @gauravsajwan1 mentioned,

When an Identity is created or updated, Refresh will trigger for that identity automatically.

This Refresh will grant the AD Role based on your conditions. If the conditions are satisfied, AD account Provisioning will be triggered. In my experience, most of the connectors create the Link (account) in SailPoint first and then in the Target source. That’s why you see the AD account immediately before you run the Aggregation.

Thanks
Krish

Expanding on what others have said -

The way this works, technically, is that any Provisioning operation returns an object of type “ResourceObject”. This is the same object returned by aggregations and is intended to be an image of what the account now looks like, post-provisioning.

IDN uses this object to create an account record on the Identity via (more or less) a mini-aggregation.

SailPoint has had problems in the past where the ResourceObject returned from provisioning and from aggregation were different, causing weird data thrashing. These have largely been corrected.
