SAP HR Modify Provsioning Rule

I am trying to modify email attribute value and write back to SAP HR system. I have referred to the below document and have used the same example rule that is given.
SAP HR Provisioning Modify Rule - Compass (sailpoint.com)

I have created the SAP HR Modify Provisioning rule and have mapped it to the sap HR source as in below ss. As data coming from SAP HR system is not handling the input of emails for users we are using transform to write the email as [email protected]



image

I am trying to refresh the identity from identityprofile and check if this rule is getting triggered or not but in ccg.log I don’t see this rule getting triggered. All the permissions required are set up accordingly. Is there anything that we are missing?Can you please help me with this issue?

If I am not wrong, these rule gets triggered on Attribute Sync.

Correct these are triggered via attribute sync. However the email address attribute is not populated in the SAP HR system, so as and when the identity is created in our system via aggregation, by identity profile mapping and transform the email is being constructed in identitynow. We are trying to modify values and refresh the identity profile of the user.

Is that the reason the identitynow is not able to pick it as attribute sync and trigger this rule. Is there any other way we can test this?

If nothing is provisioning or this is the first time you are setting up provisioning i would first confirm the provisioning permissions, then the value you are using for native ID. The latest rule requires you use Central Person ID as the native ID.

Hi Ruben,

As we are using Employee Number old rule is working, when we sync the attributes manually, this rule is triggering on users but I am getting the below error.
“Provisioning configured but no provisioning rule present.”


I have mapped the modify rule to the source, but is there anything i am missing here?

Try to add this key/value as well?

Attribute Key: provisionRule
Value: operationRule

The connector needs both the “povisionRule” and the “saphrModifyProvisioningRule” attributes to work.

If that does not do the trick, try to put them both at the top level of the object, not in the connectorAttributes. I don’t see any documentation that they should go in the connectorAttributes.

1 Like

Yes adding provisionRule works. I do have one more question, can we modify any other attributes other than email,telephone and systemusername.
Is it possible to update different attribute if I modify this rule to write back different attribute? Could you please let me know about the same?

Hi Team,

We are seeing that email, and USRID attributes are being updated and we can see the changes in the accounts tab of user (previousValue:“xyz”, newValue:“abc”). However, once we run the aggregation this value is changing back to previousValue from newValue.

Is there something we are missing? Is this issue with permissions?We do not see any errors and status is shown as success as in below screenshot.

How do we debug this issue, as there are no logs getting printed for this rule. Can someone please help me here?

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.