Regarding preventing new AD account creation under certain circumstances

Hi,
We have a requirement where we are required to prevent Active Directory account creation for an Employee or Non-Employee if it is a conversion use case.
i.e. If an Employee becomes a Non-Employee, we are required to prevent the AD account creation and instead sync the Non-Employee AD account (it could be active or inactive) with the new employee record.
Similarly, if any new Non-Employee is converted to an Employee, we are required to prevent new AD account creation and sync the existing AD account.

Employees and Non-Employees are coming from 2 different sources, and the sources' teams do not know of any conversion cases at their source level.

The expectation is to find such accounts when provisioning is happening, and correct the provisioning.

The criteria for identifying such a duplicate account is the combination of First Name, Last Name and Date of Birth.

I was thinking of triggering a PowerShell script using the connector before-create rule, but I am not getting a clear picture of how I will achieve all of this.

If anyone has any insights, please post them for review.

Thanks,
Vaibhav
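To make the matching criterion from the question concrete, here is an added, illustrative Python model of the decision a provisioning step would have to make when a new identity record arrives: create a new AD account, link to an existing one, or hold for review. It is not SailPoint code and not part of the original post; the `AdAccount` shape, the `SAMPLE_AD_ACCOUNTS` data and the ISO date format of the DOB attribute are all constructed assumptions.

```python
"""Illustrative duplicate-account check for the employee/non-employee conversion case.

Constructed example: this is NOT SailPoint code. It models the decision a
before-provisioning step would have to make when a new identity record
arrives from an authoritative HR source, using the thread's match criterion
(First Name + Last Name + Date of Birth).
"""
from dataclasses import dataclass
from datetime import date
import unicodedata


@dataclass(frozen=True)
class AdAccount:
    """Minimal, assumed view of an AD account as a connector might return it."""
    sam_account_name: str
    first_name: str
    last_name: str
    date_of_birth: str   # assumed ISO 8601 (YYYY-MM-DD) extension attribute
    enabled: bool


def _norm_name(name: str) -> str:
    """Fold case, strip accents and punctuation so O'Brien == OBrien == obrien."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch for ch in without_marks.casefold() if ch.isalnum())


def match_key(first_name: str, last_name: str, date_of_birth: str) -> tuple:
    """Build the (first, last, DOB) key used to spot a converted person.

    The DOB is parsed so that a malformed value fails loudly instead of
    silently never matching anything.
    """
    dob = date.fromisoformat(date_of_birth)
    return (_norm_name(first_name), _norm_name(last_name), dob.isoformat())


def decide_provisioning(first_name, last_name, date_of_birth, accounts):
    """Return ('create', None), ('link', sAMAccountName) or ('review', [names]).

    Disabled accounts still count as matches: the post says the existing
    account may be active or inactive and should be reused either way.
    Two or more matches are not auto-linked, because first/last/DOB is not
    guaranteed unique; those are handed to a human reviewer.
    """
    key = match_key(first_name, last_name, date_of_birth)
    matches = [
        acct for acct in accounts
        if match_key(acct.first_name, acct.last_name, acct.date_of_birth) == key
    ]
    if not matches:
        return ("create", None)
    if len(matches) == 1:
        return ("link", matches[0].sam_account_name)
    return ("review", sorted(a.sam_account_name for a in matches))


# Constructed sample of what AD already holds (not real data).
SAMPLE_AD_ACCOUNTS = [
    AdAccount("jsmith",  "John",  "Smith",   "1985-03-14", enabled=True),
    AdAccount("jsmith2", "John",  "Smith",   "1990-07-01", enabled=True),
    AdAccount("mobrien", "Mary",  "O'Brien", "1978-11-30", enabled=False),
    AdAccount("asmith",  "Alice", "Smith",   "2000-01-01", enabled=True),
    AdAccount("asmith1", "Alice", "Smith",   "2000-01-01", enabled=False),
]


if __name__ == "__main__":
    # Contractor record for someone who already has an employee account: link
    print(decide_provisioning("john", "SMITH", "1985-03-14", SAMPLE_AD_ACCOUNTS))
    # Same name, different DOB: a genuinely new person, so create
    print(decide_provisioning("John", "Smith", "1999-12-31", SAMPLE_AD_ACCOUNTS))
    # Apostrophe dropped by the source and account disabled: still a link
    print(decide_provisioning("Mary", "OBrien", "1978-11-30", SAMPLE_AD_ACCOUNTS))
    # Two candidates share the key: hold for review rather than guess
    print(decide_provisioning("Alice", "Smith", "2000-01-01", SAMPLE_AD_ACCOUNTS))
```

The name normalisation matters more than it looks: the two HR feeds will not agree on casing, accents or punctuation, and a raw string comparison would quietly fall through to "create" and produce exactly the duplicate the requirement is trying to avoid. The "review" branch is the other half of the design: a three-field key is a heuristic, so an ambiguous match should stop provisioning and surface to an administrator instead of linking the wrong account.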

Hello Vaibhav,

Can you help me with the following queries, please?

  • Are both the Employee and Non-Employee sources authoritative?
  • How are you implementing the conversion scenario?
    My assumption is that the user will be removed from one source and will be added in another source.
  • Does the Account ID of the user change when the user is converted?

If my understanding is correct, the target here is to not create an account for a user (non-employee) when converted, and instead link the account to the existing identity who is already linked to the AD account?

Let me know if my understanding is correct.

Thanks !

Hi @vdivakar

You can handle one-way conversion out of the box with minimal changes, through identity profile priority. Essentially, if you have 2 authoritative sources with their own identity profiles, then you can configure one identity profile to be of higher priority (Ex: Employee > Contractor).

When the same user has entry in both HR sources, the identity profile with the higher priority would be considered for sourcing the identity attributes.

The accounts that were already correlated to the first identity continue to be correlated even after the priority switch occurs, so no new provisioning should ideally take place. You could, however, trigger some updates to AD through attribute sync or by customizing the plan during before-provisioning rule execution.

Hi @sidharth_tarlapally,
Please find my response:

  • Are both the Employee and Non-Employee sources authoritative? : Yes
  • How are you implementing the conversion scenario? : There is no process to identify conversions at the authoritative source level.
    My assumption is that the user will be removed from one source and will be added in another source. : We cannot assume that.
  • Does the Account ID of the user change when the user is converted? : Yes, the Account ID will come up different for the user, but we are not supposed to change it in the AD source even when we link the old AD account with the new identity record.

Let me know if my understanding is correct. : Your understanding is correct. Just to add, we want to handle conversion of employee to non-employee as well as non-employee to employee.

Got it!!

Is there any other attribute that remains the same in the Employee and Non-Employee sources?
While there is no direct approach to achieve this, we can think of workarounds.
For the current implementation, as the account ID is different, we have two separate identities.

Check out the Identity Fusion Connector: Identity Fusion Connector - CoLab / SaaS Connectors - SailPoint Developer Community

It was built specifically to take identity records from multiple sources, combine them into one, and even provides a form for administrators to act on potential matches.