Hello All,
We have a requirement to generate mail from SailPoint. On authoritative aggregation, we create an AD account for joiners that generates a unique mail in AD (account attribute generator rule). In the IP mappings, we use a transform like this to populate the AD-generated mail in the email identity attribute:
{
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "attributes": {
                    "sourceName": "Active Directory",
                    "attributeName": "mail"
                },
                "type": "accountAttribute"
            },
            "[email protected]"
        ]
    }
}
However, we notice that for all users, upon creation the AD account is created with the expected generated mail (the correct mail is generated in the create plan request), but then a modify account is triggered where the mail is reverted to the fallback mail (as given in the transform), and this mail is set in AD. This does not just happen once: modify account is triggered again to set the generated mail, and some kind of sync happens in a loop.
This is what it looks like in the event activities:
- Modify account passed - Previous value: AD generated mail; Current value: [email protected]
- Modify account passed - Previous value: [email protected]; Current value: AD generated mail
- Modify account passed - Previous value: AD generated mail; Current value: [email protected]
And so on.
Luckily, for a few users the sync stopped with the correct generated mail set in the identity attribute and the AD account attribute, while for a few others the fallback mail is set as both the identity attribute and the AD account attribute.
What exactly happens here, and why, given that I observe a seemingly random order of execution? How can I avoid this kind of unpredictable sync?
Any inputs are most welcome.
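An added example, not SailPoint's code or the poster's: a Python model of the posted firstValid transform, showing that the literal is returned whenever the Active Directory mail is null or empty at evaluation time, plus a check that scans modify-account events for the ping-pong pattern shown above. The fallback address, the event field names and the sample events are constructed assumptions.

```python
"""Model of the posted firstValid transform and a ping-pong sync detector.

Added example, not SailPoint's code. FALLBACK stands in for the literal in
the post; event field names and SAMPLE_EVENTS are constructed.
"""
from typing import Any

FALLBACK = "fallback@example.invalid"  # placeholder for the post's literal

TRANSFORM = {
    "type": "firstValid",
    "attributes": {
        "values": [
            {"type": "accountAttribute",
             "attributes": {"sourceName": "Active Directory", "attributeName": "mail"}},
            FALLBACK,
        ]
    },
}

def first_valid(transform: dict, accounts: dict[str, dict[str, Any]]) -> Any:
    """firstValid semantics: return the first entry that is not null/empty.
    Dict entries are accountAttribute lookups in `accounts` (source -> attrs);
    plain strings are literals, so a literal fallback always wins when the
    account attribute is missing or blank at evaluation time."""
    for item in transform["attributes"]["values"]:
        if isinstance(item, dict) and item["type"] == "accountAttribute":
            a = item["attributes"]
            value = accounts.get(a["sourceName"], {}).get(a["attributeName"])
        else:
            value = item
        if value not in (None, ""):
            return value
    return None

# Constructed modify-account events mirroring the pattern in the post.
SAMPLE_EVENTS = [
    {"identity": "jdoe", "attribute": "mail", "previous": "jdoe@corp.example", "current": FALLBACK},
    {"identity": "jdoe", "attribute": "mail", "previous": FALLBACK, "current": "jdoe@corp.example"},
    {"identity": "jdoe", "attribute": "mail", "previous": "jdoe@corp.example", "current": FALLBACK},
    {"identity": "asmith", "attribute": "mail", "previous": "asmith@corp.example", "current": FALLBACK},
]

def find_ping_pong(events: list[dict], attribute: str = "mail", min_flips: int = 2) -> dict[str, int]:
    """Flag identities whose attribute alternates between two values across
    consecutive modify events (A->B then B->A counts as one flip)."""
    by_identity: dict[str, list[tuple]] = {}
    for e in events:
        if e["attribute"] == attribute:
            by_identity.setdefault(e["identity"], []).append((e["previous"], e["current"]))
    flagged = {}
    for identity, changes in by_identity.items():
        flips = sum(1 for (p1, c1), (p2, c2) in zip(changes, changes[1:]) if p2 == c1 and c2 == p1)
        if flips >= min_flips:
            flagged[identity] = flips
    return flagged
```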