Hi everyone,
I’m working with two Active Directory sources (Domain1 and Domain2) in Identity Security Cloud.
Accounts are created in one of these domains based on the user’s companyID value. For example:
- If companyID = 10, the account is created in Domain1.
- If companyID = 20, the account is created in Domain2.
During a mover process (when a user’s company changes), a workflow is triggered that:
- Disables the old account (associated with the previous companyID).
- Creates a new account in the appropriate domain based on the new companyID.
Both AD sources (Domain1 and Domain2) have the sync attribute enabled for the companyID → company mapping.
However, this causes an issue:
When the companyID changes from 10 to 20, the new value (20) is synchronized to both accounts — the new one in Domain2 (correct) and also the old one in Domain1 (incorrect).
Expected behavior:
The new company value (20) should only be provisioned on the new account (Domain2).
The old account in Domain1 should retain its original value (10) or remain unchanged once it’s disabled.
Is there a recommended way in Identity Security Cloud to prevent the attribute sync from updating deactivated accounts on the old source during a mover process? For example, with a Before Provisioning rule?
Thanks in advance,
Antonio