We need to set some AD attributes to null as part of the leaver process. When we try to set the value to null as part of the disable provisioning policy, our observation is that it does not even try those attributes and removes them from the plan. Is there any other way to do it apart from a before provisioning rule?
I recommend using the SailPoint Services Standard Before Provisioning Rule, as mentioned here: Services Standard Before Provisioning Rule - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
You should make a request to your PS or SailPoint support to deploy this rule in your tenant. Once deployed, you can attach it to your AD source and easily set those attributes to null directly in your AD source configuration.
Here is an example of how we currently do it for one of our use cases:
{
  "eventActions": [
    {
      "Action": "UpdateAttribute",
      "Attribute": "telephoneNumber",
      "Value": null
    },
    {
      "Action": "UpdateAttribute",
      "Attribute": "msRTCSIP-Line",
      "Value": null
    },
    {
      "Action": "UpdateAttribute",
      "Attribute": "mobile",
      "Value": null
    },
    {
      "Action": "UpdateAttribute",
      "Attribute": "employeeNumber",
      "Value": null
    }
  ],
  "Identity Attribute Triggers": [
    {
      "Attribute": "cloudLifecycleState",
      "Value": "inactif",
      "Operation": "eq"
    }
  ],
  "Operation": "Disable"
}
cloudServicesIDNSetup ⇒ eventConfigurations are optional attributes that can be added to your source configuration under connectorAttributes.
You can define multiple eventActions that will be evaluated and processed by the service standard before provisioning rule.
Note:
- Make sure that attributes set to null are not synchronized; otherwise, SailPoint will override them with synced identity attributes.
- If those attributes are synchronized, you can add a transform to set the associated identity attributes to null when the LCS is left, for example:

