Seeking Approach for User-Requested AD Email and UPN Updates

Hi All,

I have a requirement to update a user’s email / UPN only when the user explicitly requests the change. In standard name-change scenarios coming from the HR source (e.g. first name or last name updates), only the respective attributes such as givenName or sn should be updated in AD via attribute sync. The email/UPN should not be updated automatically.

I am seeking guidance on:

  1. How to fulfill this requirement in ISC.
  2. How to trigger controlled email/UPN updates from ISC only when the user requests the change.
  3. Best-practice patterns or recommended configurations to avoid unintended provisioning updates.

Any insights or examples of how others have implemented this would be greatly appreciated.

Thanks in advance!

Hi @thiruppathit

How are you provisioning email for new starters?

Best practice would point you towards using an AD account attribute transform on the create profile and then synchronising the email back from AD onto the identity profile.

Following that through means that AD is “authoritative” for email address and so any changes should preferably be done there and not generated in ISC.

Hi @j_place ,

Thanks for the response.

In our setup, SailPoint provisions the new AD account for starters and generates the unique email address automatically during account creation. The email is constructed using the user’s first and last name, and then written back from AD to ISC.

So for new starters, the authoritative creation of the email still occurs during the AD provisioning step triggered by ISC.

The requirement we are looking to solve is specifically for name-change scenarios after onboarding. These changes are triggered from the HR system. We want givenName or sn updates to flow normally, but email/UPN should only be updated when the user explicitly requests it, rather than automatically during provisioning.

Looking for guidance on how best to support that conditional behavior within ISC.

Hi @thiruppathit, my point is that best practice would be for it to be handled within the AD environment; i.e. the user requests it and it gets fulfilled in AD without ISC getting involved (apart from aggregating it following the update).

Any ISC-based solution would be over-engineering, IMHO.
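One way to do the AD-side fulfilment described in the reply above, as an added example that is not part of the original thread and not SailPoint or Microsoft code: a PowerShell helper the service desk runs against the user's request. It derives the new address from the givenName/sn that the HR-driven attribute sync has already written, checks the address is unused anywhere in the directory before taking it, demotes the old primary SMTP address to a secondary so mail to the old name keeps arriving, and records the request reference. The function names, the -TicketId parameter, the first.last@domain convention and the contoso.com domain are assumptions for illustration; the thread only says the address is built from first and last name.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Assumed: a first.last@<domain> naming
# convention, the function names below, and -TicketId as the request reference.

function Test-AddressInUse {
    # True if any object other than $ExcludeDn already uses $Address as its UPN,
    # mail, or a proxy address. Both 'SMTP:' and 'smtp:' are listed so the check
    # does not depend on how the directory compares the prefix case.
    param(
        [Parameter(Mandatory)] [string] $Address,
        [string] $ExcludeDn
    )
    # $Address only ever contains [a-z0-9.@] here, so no LDAP escaping is needed.
    $filter = "(|(userPrincipalName=$Address)(mail=$Address)" +
              "(proxyAddresses=SMTP:$Address)(proxyAddresses=smtp:$Address))"
    # Queries the current domain; in a multi-domain forest add -Server <GC>:3268
    # so uniqueness is checked forest-wide.
    $hits = Get-ADObject -LDAPFilter $filter |
        Where-Object { $_.DistinguishedName -ne $ExcludeDn }
    return [bool] $hits
}

function Set-RequestedMailAndUpn {
    # Fulfil a user-requested mail/UPN change directly in AD after HR has already
    # updated givenName/sn. ISC only sees the result on its next aggregation.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $MailDomain,   # e.g. 'contoso.com' (assumed)
        [Parameter(Mandatory)] [string] $TicketId      # the user's request reference
    )

    $u = Get-ADUser -Identity $SamAccountName `
            -Properties givenName, sn, mail, userPrincipalName, proxyAddresses
    if (-not $u.givenName -or -not $u.sn) {
        throw "$SamAccountName has no givenName/sn; cannot derive an address."
    }

    # Derive the candidate from the *current* name attributes, lower-cased and
    # stripped to letters and digits, then disambiguate with a numeric suffix.
    $first = ($u.givenName -replace '[^A-Za-z0-9]', '').ToLowerInvariant()
    $last  = ($u.sn        -replace '[^A-Za-z0-9]', '').ToLowerInvariant()
    $base      = "$first.$last"
    $candidate = "$base@$MailDomain"
    $n = 1
    while (Test-AddressInUse -Address $candidate -ExcludeDn $u.DistinguishedName) {
        $n++
        $candidate = "$base$n@$MailDomain"
    }

    if ($candidate -ieq $u.mail -and $candidate -ieq $u.userPrincipalName) {
        Write-Verbose "$SamAccountName already has $candidate; nothing to do."
        return $candidate
    }

    # Rebuild proxyAddresses: the new address becomes the primary ('SMTP:'),
    # every previous primary is demoted to a secondary ('smtp:') so mail sent to
    # the old name still arrives. -clike/-cnotlike keep the prefix case-sensitive.
    $secondaries  = @($u.proxyAddresses | Where-Object { $_ -cnotlike 'SMTP:*' })
    $secondaries += @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
                      ForEach-Object { 'smtp:' + $_.Substring(5) })
    if ($u.mail -and ($secondaries -notcontains "smtp:$($u.mail)")) {
        $secondaries += "smtp:$($u.mail)"
    }
    $proxies = @($secondaries | Where-Object { $_ -ine "smtp:$candidate" }) + "SMTP:$candidate"

    $target = "$($u.DistinguishedName) -> $candidate (request $TicketId)"
    if ($PSCmdlet.ShouldProcess($target, 'Set mail and userPrincipalName')) {
        Set-ADUser -Identity $u -UserPrincipalName $candidate -EmailAddress $candidate `
                   -Replace @{ proxyAddresses = [string[]] $proxies }
        Write-Information "[$TicketId] $SamAccountName UPN $($u.userPrincipalName) -> $candidate" `
                          -InformationAction Continue
    }
    return $candidate
}

# Usage: preview with -WhatIf first, then run for real (prompts because ConfirmImpact is High).
# Set-RequestedMailAndUpn -SamAccountName jsmith -MailDomain contoso.com -TicketId REQ-1234 -WhatIf
# Set-RequestedMailAndUpn -SamAccountName jsmith -MailDomain contoso.com -TicketId REQ-1234
```

Two caveats a practitioner would want: a UPN change also changes the user's sign-in name wherever AD is synchronised (for example an Entra ID tenant), so it should be communicated to the user as part of the request, and it only sticks if ISC's attribute sync for the AD source does not map email or UPN at all; if it did, the next sync would push the ISC value back over the change this script makes.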
