Secondary account creation through Role Provisioning Policy - misrepresentation of entitlements

Does anyone have experience with Role Provisioning Policies, and account creation triggered through these?

Context:

We’ve configured the AD application provisioning policy to react to an ‘isPrivileged’ attribute, so that it creates a privileged personal account if this attribute is true.

On privileged IT Roles, I’ve set an AccountSelector rule that returns a null link if the identity does not have a privileged account. Then a Role Provisioning Policy adds the ‘isPrivileged’ attribute. The role is marked to provision both profiles & policies.

This works well if the identity does not have any personal AD accounts.

Issue:

If the identity has an existing non-privileged account, the provisioning gets messed up. The identity will get the role, the additional privileged account is created correctly, security groups are assigned correctly in AD, and the identityRequest completes correctly.
However, in the identity warehouse the entitlements appear twice on the identity. One set appears as ‘missing on account’, with no account associated; these entitlements are attached to the identity request (source LCM). The other set of entitlements is associated with the correct privileged account and appears on the identity, but their source is aggregation – they’re not connected to the request.

I can run a full AD aggregation to get rid of the ‘missing on account’ entitlements, but of course want this issue to not occur, and the entitlements to actually link to the LCM request.

Troubleshooting:

Deep-diving into this issue, I see that the provisioningPlan accountRequest attribute map contains a ‘linkAttributes’ reference to the identity’s non-privileged account (so the wrong account). I’ve tried writing a beforeProvisioning rule that removes this attribute from the plan, but it made no difference.

The ‘wrong linkAttributes’ appear in the plan only in the scenarios where the issue occurs, so I’m guessing it’s connected, even if not causing the issue.

Does anyone have experience with using Role Provisioning Policy like this, to trigger additional account creation?

For anyone with a similar issue - it turns out it’s due to an AD connector issue with GUID as the identity attribute.
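The AccountSelector logic described in the post, as an added example that is not the poster's rule or SailPoint-supplied code. It assumes the standard IdentityIQ AccountSelector rule inputs (`identity`, `application`, `links`, `log`), that a privileged AD link can be recognised by a link attribute named `isPrivileged` (a naming assumption; the post does not say how the privileged account is marked on the link), and that returning `null` tells the provisioner to create a new account on the application. Account-level attribute names and the `privileged` log prefix are placeholders.

```java
// IdentityIQ AccountSelector rule (BeanShell) -- added illustration, not the original poster's rule.
// Inputs assumed available from the rule context: identity, application, links, log.
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.Application;

// Assumption: the privileged AD account carries a link attribute named "isPrivileged".
String PRIVILEGED_ATTR = "isPrivileged";

// Defensive check: without an identity there is nothing to select; creating an account is the
// only sensible outcome, so return null rather than throw.
if (identity == null) {
    return null;
}

// Only consider links on the application this role is provisioning to.
List candidates = identity.getLinks((Application) application);
if (candidates == null || candidates.isEmpty()) {
    // No AD account at all: null lets the Role Provisioning Policy create the privileged account.
    log.debug("privileged-selector: no links for " + identity.getName() + " on " + application.getName());
    return null;
}

for (Object o : candidates) {
    Link link = (Link) o;
    Object flag = link.getAttribute(PRIVILEGED_ATTR);
    // Treat both Boolean true and the string "true" as privileged, since connector schemas vary.
    boolean isPrivileged = (flag != null) && "true".equalsIgnoreCase(String.valueOf(flag));
    if (isPrivileged) {
        // Reuse the existing privileged account; entitlements from the request attach to it.
        log.debug("privileged-selector: selecting " + link.getNativeIdentity() + " for " + identity.getName());
        return link;
    }
}

// Only non-privileged accounts exist. Returning null deliberately skips them so the
// provisioner creates a second, privileged account instead of attaching role entitlements
// to the standard account.
log.debug("privileged-selector: only non-privileged links for " + identity.getName() + "; requesting new account");
return null;
```

The important property of this rule is the last branch: when only non-privileged links exist it must not fall back to one of them, or the role's entitlements would be provisioned onto the standard account. When debugging the duplicate-entitlement symptom described above, the `log.debug` lines make it easy to confirm which link (or none) the selector returned for a given request before looking at the generated ProvisioningPlan.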