Hello All,
We have a requirement to generate mail from SailPoint. On authoritative aggregation, we create an AD account for joiners, which generates a unique mail in AD (account attribute generator rule). In the IP mappings, we use a transform like this to populate the AD-generated mail into the email identity attribute:
{
  "type": "firstValid",
  "attributes": {
    "values": [
      {
        "attributes": {
          "sourceName": "Active Directory",
          "attributeName": "mail"
        },
        "type": "accountAttribute"
      },
      "no-email@xyz.com"
    ]
  }
}
However, we notice that for all users, upon creation the AD account is created with the expected generated mail (the correct mail is generated in the create plan request), but then a modify account is triggered in which the mail is reverted to the fallback mail (as given in the transform), and this mail is set in AD. This does not happen just once: the modify account is triggered again, back to the generated mail, and some kind of sync happens in a loop.
This is what it looks like in the event activities:
- Modify acc passed -
Previous value: AD Generated mail
Current value: no-mail@xyz.com
- Modify acc passed -
Previous value: no-mail@xyz.com
Current value: AD Generated mail
- Modify acc passed -
Previous value: AD Generated mail
Current value: no-mail@xyz.com
And so on.
Luckily, for a few users the sync stopped with the correct generated mail set as both the identity attribute and the AD account attribute, while for a few others the fallback mail ended up set as both the identity attribute and the AD account attribute.
What exactly happens here, and why, given that I observe a seemingly random order of execution? How can we avoid this kind of unpredictable sync?
Any inputs are most welcome.
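The following is an added toy model, not code from the post above and not SailPoint's implementation. It models the two data flows the post describes (a firstValid transform deriving the identity email from the AD `mail` attribute, and an attribute sync pushing the identity email back into that same AD attribute) to show how a placeholder fallback can end up written into the attribute it was supposed to be read from. Everything it assumes is labelled: that firstValid returns the first value that is neither null nor empty, that attribute sync writes whenever identity and account values differ, that an identity refresh can run against an aggregated view of the AD account that does not yet contain the mail generated at create time, and the names `simulate_refresh`, `guarded_attribute_sync` and the sample identity `jdoe`. It does not claim to be the cause of the loop in the post; it shows one ordering under which the observed "generated mail, then fallback" modify appears, and that the same refresh against a current view produces no modify at all.

```python
# Added example (not the post's code, not SailPoint's): a toy model of an
# identity attribute derived from an account attribute via firstValid, plus an
# attribute sync that pushes the identity attribute back to that account.
#
# Assumptions (labelled; the post does not establish them):
#   - firstValid returns the first value that is neither None nor "".
#   - Attribute sync pushes the identity email to AD whenever the two differ.
#   - An identity refresh may run against an aggregated view of the AD account
#     that does not yet contain the mail generated at create time (stale view).
# Names such as simulate_refresh, guarded_attribute_sync and the sample
# identity "jdoe" are illustrative only.

FALLBACK = "no-email@xyz.com"   # literal fallback from the posted transform


def first_valid(values):
    """Model of the firstValid transform: first value that is not None or empty."""
    for value in values:
        if value is not None and value != "":
            return value
    return None


def identity_email(aggregated_ad_account):
    """The posted mapping: AD 'mail' if present, otherwise the literal fallback."""
    return first_valid([aggregated_ad_account.get("mail"), FALLBACK])


def attribute_sync(email, live_ad_account, events):
    """Model of attribute sync: write the identity email to AD if it differs.

    Each write is recorded as (previous_value, current_value), mirroring the
    'Modify acc passed' entries in the post's event activities.
    """
    previous = live_ad_account.get("mail")
    if previous != email:
        events.append((previous, email))
        live_ad_account["mail"] = email


def guarded_attribute_sync(email, live_ad_account, events):
    """Illustrative guard (an assumption, not a SailPoint setting): never push
    the placeholder fallback over a real value in the attribute the email is
    derived from. This breaks the write-back modelled by attribute_sync."""
    if email == FALLBACK and live_ad_account.get("mail"):
        return
    attribute_sync(email, live_ad_account, events)


def simulate_refresh(stale_view, sync=attribute_sync, generated_mail="jdoe@xyz.com"):
    """Run one identity refresh followed by one attribute sync.

    Returns (final AD mail, list of modify events). stale_view=True means the
    identity is refreshed before the newly created AD account (and its generated
    mail) has been aggregated, so the transform sees no 'mail' and falls through
    to FALLBACK, which the sync then writes into the live AD account.
    """
    live_ad_account = {"sAMAccountName": "jdoe", "mail": generated_mail}
    aggregated_view = {"sAMAccountName": "jdoe"} if stale_view else dict(live_ad_account)
    events = []
    sync(identity_email(aggregated_view), live_ad_account, events)
    return live_ad_account["mail"], events


if __name__ == "__main__":
    print("stale view   :", simulate_refresh(stale_view=True))
    print("current view :", simulate_refresh(stale_view=False))
    print("stale + guard:", simulate_refresh(stale_view=True, sync=guarded_attribute_sync))
```

Running it prints one modify event for the stale view, with the generated mail as the previous value and the fallback as the current value, and no event for the current view or for the guarded sync. The design point is that an attribute whose value is both derived from a source and synced back to that source needs a rule that distinguishes "no value yet" from "value is the placeholder", otherwise any transient gap between provisioning and aggregation is enough to persist the placeholder.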