Standard service before provisioning rule for AD OU move during identity attribute change

I'm planning to use the Standard Services before provisioning rule for an AD OU move during an identity attribute change, but it looks like we can only have a static value, and I am not able to see the use case if any change happens to that identity attribute. Does it mean we can't use this for an OU move and should go with an individual before provisioning rule? I'm trying to use it during the modify operation, not during disablement.

Identity Attribute Triggers: This checks if the user being modified matches a specific value for an Identity attribute.
Configured with a separate key "Identity Attribute Triggers", which is a list of attribute conditions to match.
Each match will have an attribute, an operation, and a value.

"Identity Attribute Triggers": [
    {
        "Attribute": "cloudLifecycleState",
        "Operation": "eq",
        "Value": "inactive"
    },
    {
        "Attribute": "employeeType",
        "Operation": "ne",
        "Value": "Employee"
    }
]

Supported attributes are any attributes available on the Identity.
Supported operations:
eq: signifies the attribute for the user matches the value
ne: signifies the attribute for the user does not match the specified value
Supported values are Java String based matches. This will support static values or wildcard values using * for any characters or ? for a single character (e.g. test_equals matches "test_equals", "test_*" or "test?equals"). The following will be treated as a null value:
the keyword #{null}: "Value": "#{null}"
an empty string: "Value": ""
a null entry: "Value": null

Hi @Shonnegowda,

The before provisioning rule just alters the provisioning plan before sending it to the connector. The trigger can be a Create, Enable, Disable or Modify operation on the account. So you basically need a provisioning event to trigger your OU move.

If you are doing an attribute sync to AD on an AD attribute (e.g. EmployeeStatus value as inactive), you can use something like the below to make the OU move.

{
    "eventActions": [
        {
            "Action": "ADMoveAccount",
            "Attribute": "AC_NewParent",
            "Value": "OU=Disabled,DC=tst,DC=tst,DC=net"
        }
    ],
    "Identity Attribute Triggers": [
        {
            "Attribute": "cloudLifecycleState",
            "Value": "inactive",
            "Operation": "eq"
        }
    ],
    "Account Attribute Update Triggers": [
        {
            "Attribute": "EmployeeStatus",
            "Value": "inactive",
            "Operation": "eq"
        }
    ],
    "Operation": "Modify"
}

Note: Even though they are named Identity Attribute Triggers, they are not actually triggers; they are just Identity filters.

@jesvin90 I'm looking for an AD move whenever a country change happens, so I'm not really sure how I can pass the value to the trigger to verify the country identity attribute change. The document only shows a static value in the trigger, as you have given in the example.

Hi @Shonnegowda,

Are you syncing the country name to AD? If so, you can make it the Account attribute trigger and invoke the rule to make the AD OU move.

Yes we are syncing it. You mean we can use it as below?

"Account Attribute Update Triggers": [
    {
        "Attribute": "co",
        "Operation": "eq",
        "Value": "*"
    }
]

Yes, something like this should work:

{
    "eventActions": [
        {
            "Action": "ADMoveAccount",
            "Attribute": "AC_NewParent",
            "Value": "OU=Disabled,DC=tst,DC=tst,DC=net"
        }
    ],
    "Account Attribute Update Triggers": [
        {
            "Attribute": "co",
            "Value": "*",
            "Operation": "eq"
        }
    ],
    "Operation": "Modify"
}

@jesvin90 Can I pass the dynamic country inside the value as below?

{
    "eventActions": [
        {
            "Action": "ADMoveAccount",
            "Attribute": "AC_NewParent",
            "Value": "OU=Users,OU=#{identity.companyCountryCode},OU=Countries,DC=tst,DC=tst,DC=net"
        }
    ],
    "Account Attribute Update Triggers": [
        {
            "Attribute": "co",
            "Value": "*",
            "Operation": "eq"
        }
    ],
    "Operation": "Modify"
}

Yes, if companyCountryCode is your identity attribute, you can pass it dynamically.


@jesvin90 Thanks for the input. I’ll test this out


One more quick clarification. If we are using the account update trigger with the value "*", can't we use the same in the identity attribute trigger as well? Is this not going to work for updates?

{
    "eventActions": [
        {
            "Action": "ADMoveAccount",
            "Attribute": "AC_NewParent",
            "Value": "OU=Users,OU=#{identity.companyCountryCode},OU=Countries,DC=tst,DC=tst,DC=net"
        }
    ],
    "Identity Attribute Triggers": [
        {
            "Attribute": "countrycode",
            "Value": "*",
            "Operation": "eq"
        }
    ],
    "Operation": "Modify"
}

This will not work.

Identity Attribute Triggers are not actual triggers. They are just filters on Identity attributes.

It is used to limit the triggering of this event to Identities matching specified criteria.

E.g. if you want the above trigger to work only for active users, you can have something like the below:

"Identity Attribute Triggers": [
    {
        "Attribute": "cloudLifecycleState",
        "Value": "active",
        "Operation": "eq"
    }
],

So the rule will not apply for inactive users having a country change.

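To make the evaluation order discussed in this thread concrete (Identity Attribute Triggers as filters, Account Attribute Update Triggers as the thing that fires on a Modify, the eq/ne and */? matching and null spellings from the documentation excerpt in the first post, and the #{identity.attr} expansion used in the final configuration), here is an added Python simulation; it is not SailPoint's code. It assumes that all identity filters must hold, that any one matching account trigger is enough, and that the #{identity.attr} syntax expands against the identity's attributes.

```python
import re

NULL_TOKENS = ("#{null}", "", None)  # the three documented null spellings

def matches(pattern, actual):
    """Java-String-style match: * = any run of characters, ? = one character;
    a null spelling matches only a missing or empty attribute."""
    if pattern in NULL_TOKENS:
        return actual in (None, "")
    if actual is None:
        return False
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, str(actual)) is not None

def condition_holds(cond, attrs):
    hit = matches(cond["Value"], attrs.get(cond["Attribute"]))
    return hit if cond["Operation"] == "eq" else not hit

def resolve_value(template, identity):
    """Expand #{identity.attr} references in an action value (assumed syntax)."""
    return re.sub(r"#\{identity\.(\w+)\}",
                  lambda m: str(identity.get(m.group(1), "")), template)

def evaluate(rule, operation, identity, account_changes):
    """Return the resolved eventActions that fire for one provisioning event,
    or [] when it is filtered out. account_changes = attributes in the plan."""
    if rule.get("Operation") != operation:
        return []
    # Identity Attribute Triggers are filters: all must hold for the identity
    if not all(condition_holds(c, identity)
               for c in rule.get("Identity Attribute Triggers", [])):
        return []
    # Account Attribute Update Triggers fire on an attribute actually in the
    # plan (assumption: any one matching trigger is enough)
    acct = rule.get("Account Attribute Update Triggers", [])
    if acct and not any(c["Attribute"] in account_changes
                        and condition_holds(c, account_changes) for c in acct):
        return []
    return [dict(a, Value=resolve_value(a["Value"], identity))
            for a in rule["eventActions"]]

RULE = {  # constructed from the thread's final configuration plus an active filter
    "eventActions": [{"Action": "ADMoveAccount", "Attribute": "AC_NewParent",
        "Value": "OU=Users,OU=#{identity.companyCountryCode},OU=Countries,DC=tst,DC=tst,DC=net"}],
    "Identity Attribute Triggers": [
        {"Attribute": "cloudLifecycleState", "Value": "active", "Operation": "eq"}],
    "Account Attribute Update Triggers": [
        {"Attribute": "co", "Value": "*", "Operation": "eq"}],
    "Operation": "Modify",
}
```

Running `evaluate(RULE, "Modify", identity, {"co": "Germany"})` on an active identity with companyCountryCode "DE" yields the move action with the OU resolved to `OU=Users,OU=DE,...`, while an inactive identity, a plan that does not touch `co`, or a Create event returns an empty list.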

@jesvin90 This worked both for the OU move and also for dynamic value population inside the value. Thanks for the input.