samAccount name updated incorrectly after scheduled attribute sync event

Hi Team,

We are seeing the samAccount name updated incorrectly after a scheduled attribute sync event.
Scenario: an AD account is created with samAccount Name as TestUser.
After the attribute sync event, we can see the SamAccount Name is changed to Test User (synced with the SailPoint User Name).
The space is added automatically. The same behaviour is seen in the mail attribute of Active Directory as well.
On AD account creation, the mail attribute is set as [email protected], but after attribute sync events the mail attribute is updated to the Work Email value, like [email protected].

On checking the Attribute Sync tab in the AD source, we saw that the attributes are added in the list (screenshot attached). We tried disabling the checkbox as well, but after the next run the checkbox is enabled automatically. Not sure where this is getting picked up from.

Please help to provide some solution on the same.

Hey @Mahak14, can you show us a screenshot of the identity attributes for the user whose account is being updated? Account Sync can be disabled on an attribute-specific basis. I’m curious what the SailPoint User Name (uid) and Work Email (email) values are in the identity. Let’s look there first.



Hi Brennen,
Please find attached the screenshot of the identity attributes SailPoint User Name and WorkEmail.
At the time of AD account creation, the samAccountName was BabuRao and mail was [email protected]. But after sync events around 7-7:30 PM IST, the samAccountName and mail attributes were updated to Babu Rao and [email protected] respectively.

FYI - The correlation tab contains logic comparing samAccountName and SailpointUserName, WorkEmail and mail values. Is this because of that? If so, please suggest a solution for keeping both the values different.

Hey @Mahak14, from what I’m seeing and from reading your message, it looks like these values in AD are being replaced with the Identity Attributes. This is configured through the Account Sync function that you have in your initial post. Account Sync takes the identity attributes and replaces the account attributes with those values. If you do not want the sAMAccountName or mail attributes to be updated, you have to uncheck the box in the Account Sync tab.

If the checkbox is coming back, it may be because of modifications to the Create Profile. Uncheck the boxes and click Save and Sync. After that, avoid making changes to the Create Profile (or Create Account) tab.

Correlation wouldn’t be related to this, as the correlation logic is what is used to tie the account to an Identity based on matching values.


Now with that said, I think that we may want to take a moment and understand why you do not want to have the uid & email attributes synchronized to AD. If the values in the Identity are incorrect, then that means that the mapping for that Identity Profile may need to be adjusted, or the values from the authoritative source are incorrect.

If you are calculating a sAMAccountName and email address in the Create Profile, perhaps there needs to be a transform or change in logic in the Identity Profile to make sure you are storing the “correct” value in the Identity Details.

Let us know if this information helps. If you continue to have problems, we can look deeper into the issue.