We have been tasked with an issue where we need to set the extensionAttribute property within an Active Directory User based on their Associate Type. Is there a way to set this using a Joiner workflow? Has anyone done this before?
This is a super easy provisioning operation, but I have two preliminary questions first:
Are your AD users created during the same Joiner workflow? In other words, can we guarantee that the AD user account exists and that we know its DN by the time you need to set the attribute?
Do you want to maintain this value (e.g., if their associate type changes)?
Currently they are created in one Joiner workflow. We would have an AD account created in this Joiner workflow, so yes, there would be an active AD account and we would know the DN.
If the associate changes associate type we would want this to be removed.
Joiner isn’t the right place for this behavior, then.
You’ll want to add this as a field value rule or script on the “Create” provisioning policy on the AD application. When the AD account is created as part of the Joiner process, the value for that field will automatically be calculated and included in the creation provisioning actions.
Add a new field (anywhere in there) and give it a value script. Ideally, you’d put your value logic in a Rule Library so you can share it elsewhere in your codebase, then invoke that from your Beanshell rule here.
Don’t forget to Apply / Save / Save afterwards. It’s easy to miss.
Then, you’ll want to set up attribute sync somehow, so that if the Associate Type changes, the value is reflected onto the AD account. There are a few options for this, but if Associate Type is an Identity field, the easiest is to set up a Target mapping on the Identity Mappings. That would then be recalculated and updated in AD whenever that Identity attribute changes and a refresh is run including the “Synchronize attributes” checkbox.
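As an added illustration of the approach described in this answer (this is example code, not something posted in the thread or shipped with IdentityIQ), the XML below defines a rule library holding the Associate Type mapping and a FieldValue rule that calls it; the FieldValue rule is what you would select as the value of the extensionAttribute field on the AD application's Create provisioning policy. The rule names, the Identity attribute name `associateType`, the field name `extensionAttribute1` and the type-to-value mapping are all assumptions chosen for the example.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <!-- Assumed rule library name. Keeping the mapping here lets the same method
       back both the Create policy field and an attribute-sync target mapping rule. -->
  <Rule language="beanshell" name="Associate Type Rule Library">
    <Source><![CDATA[
      import java.util.HashMap;
      import java.util.Map;
      import sailpoint.object.Identity;

      // Maps the identity's Associate Type to the extensionAttribute value.
      // Returns null for a missing or unmapped type so that nothing is
      // provisioned on create and a later attribute sync does not write a
      // guessed value for an associate type the mapping does not cover.
      public String getExtensionAttributeForAssociateType(Identity identity) {
          if (identity == null) {
              return null;
          }
          // "associateType" is an assumed Identity attribute name.
          Object type = identity.getAttribute("associateType");
          if (type == null) {
              return null;
          }
          // Assumed mapping of Associate Type values to AD attribute values.
          Map mapping = new HashMap();
          mapping.put("Employee", "EMP");
          mapping.put("Contractor", "CTR");
          mapping.put("Intern", "INT");
          return (String) mapping.get(type.toString().trim());
      }
    ]]></Source>
  </Rule>

  <!-- FieldValue rule to select for the assumed extensionAttribute1 field on the
       AD application's Create provisioning policy. -->
  <Rule language="beanshell" name="AD extensionAttribute1 Field Value" type="FieldValue">
    <ReferencedRules>
      <Reference class="sailpoint.object.Rule" name="Associate Type Rule Library"/>
    </ReferencedRules>
    <Source><![CDATA[
      // 'identity' is one of the variables available to a FieldValue rule; the
      // library method can be called directly because of the ReferencedRules
      // entry above.
      return getExtensionAttributeForAssociateType(identity);
    ]]></Source>
  </Rule>
</sailpoint>
```

After importing the XML, pick the FieldValue rule as the value of the field on the Create policy (and remember the Apply / Save / Save sequence mentioned above). For the ongoing sync, a Rule on the Target mapping for the Associate Type identity attribute can reference the same library and return the same method's result, so create-time and refresh-time values cannot drift apart.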