Transform in AD Update Provisioning Policy

tamalika01 · March 5, 2025, 12:28pm

Hi Experts,

I have configured an “Update” Provisioning Policy in the Active Directory source to set the AC_NewParent with the new OU. We have an identity attribute called “xadOu” where we calculate the OU Path based on the user’s country.

Here is the Provisioning Policy:

{
    "name": "Account Update",
    "description": "Account Provisioning Policy",
    "usageType": "UPDATE",
    "fields": [
        {
            "name": "AC_NewParent",
            "transform": {
                "type": "static",
                "attributes": {
                    "country": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "countryCodeIso3166"
                        }
                    },
                    "OU": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "xadOu"
                        }
                    },
                    "value": "#if($country != '')$OU#{else}#end"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

The problem now is, the AC_NewParent gets added to the Provisioning Plan for any attribute changes at the moment. Is it possible to calculate in the transform to return a value for the “AC_NewParent” only when there is a change in the country attribute? Is it possible to refer previous attribute values in the transform?

Here is how the plan looks like at the moment when the lastname of the user was updated:

Looking forward to your inputs!

Thanks,
Tamalika

KRM7 · March 5, 2025, 1:02pm

Hi Tamalika,

If you have AC_NewParent in Disable Provisioning Policy then it will execute Update Provisioning Policy as well, as you are updating an attribute. So AC_NewParent in Disable policy will be override with Update Policy.

You can use Native Rule (Connector After Modify) to move user to different OU when there is a change in country.

(or)

Before Provisioning Rule.

– Krish

tamalika01 · March 5, 2025, 1:16pm

HI Krish,

thanks for your response, I was able to figure out a workaround now:

{
    "name": "Account Update",
    "description": "Account Provisioning Policy",
    "usageType": "UPDATE",
    "fields": [
        {
            "name": "AC_NewParent",
            "transform": {
                "type": "static",
                "attributes": {
                    "country": {
                        "attributes": {
                            "values": [
                                {
                                    "type": "identityAttribute",
                                    "attributes": {
                                        "name": "countryCodeIso3166"
                                    }
                                },
                                "null"
                            ]
                        },
                        "type": "firstValid"
                    },
                    "countryAD": {
                        "attributes": {
                            "values": [
                                {
                                    "attributes": {
                                        "sourceName": "Active Directory [QA]",
                                        "attributeName": "co"
                                    },
                                    "type": "accountAttribute"
                                },
                                "null"
                            ]
                        },
                        "type": "firstValid"
                    },
                    "OU": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "xadOu"
                        }
                    },
                    "value": "#if($country != \"null\" && $country != $countryAD)$OU#{else}#end"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

I am now comparing the country value from the identityAttribute and from AD, and if they don’t match, then set the AC_NewParent value.

I am also planning to move the OU movements for leaver and rehire to the UPDATE provisioning policy and have it all in one place along with mover. Since there are other processes that could Disable/Enable an account.

KRM7 · March 5, 2025, 1:24pm

That’s a good approach, in fact I was thinking to have OU movement in Update Provisioning policy for both Disable, Enable and Update operations.

We can make use of UAC (User Account Control) or maybe AD Description in Disable and Enable Provisioning Policies that will trigger Update policy and calculate OU there in Update Policy.

Let me know how it goes.

Topic		Replies	Views
IDN - Update Policy for Active Directory ISC Discussion and Questions identity-security-cloud , provisioning	5	816	July 19, 2024
Standard service before provisioning rule for AD OU move during identity attribute change ISC Discussion and Questions rules , identity-security-cloud , provisioning	12	676	June 22, 2024
AC_NewParent & Multiple OU options for Enable ISC Discussion and Questions identity-security-cloud , provisioning , connectors	2	34	April 24, 2026
Active Directory OU Movement from Disable OU to Original OU ISC Discussion and Questions identity-security-cloud	5	815	April 29, 2024
How we can change the ou? IIQ Discussion and Questions identityiq	6	433	September 24, 2024

Transform in AD Update Provisioning Policy

Related topics