I can recommend you to use sailpoint service standard before provisioning rule as mentionned here : Services Standard Before Provisioning Rule - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
You should make request to your PS or Sailpoint support to deploy this rule in your tenant. Once deployed you can attach it in your AD source and easlily set those attribute to null the directly in your AD source configuration.
Here the example of how we did currently for one of our usecase :
{
"eventActions": [
{
"Action": "UpdateAttribute",
"Attribute": "telephoneNumber",
"Value": null
},
{
"Action": "UpdateAttribute",
"Attribute": "msRTCSIP-Line",
"Value": null
},
{
"Action": "UpdateAttribute",
"Attribute": "mobile",
"Value": null
},
{
"Action": "UpdateAttribute",
"Attribute": "employeeNumber",
"Value": null
}
],
"Identity Attribute Triggers": [
{
"Attribute": "cloudLifecycleState",
"Value": "inactif",
"Operation": "eq"
}
],
"Operation": "Disable"
}
cloudServicesIDNSetup ⇒ eventConfigurations are optional attributes that can be added to your source configuration under connectorAttributes.
You can define multiple eventActions that will be evaluated and processed by the service standard before provisioning rule.
Note:
-
Make sure that attributes set to
nullare not synchronized; otherwise, SailPoint will override them with synced identity attributes. -
If those attributes are synchronized, you can add a transform to set the associated identity attributes to
nullwhen the LCS is left, for example:
