Transform in AD Update Provisioning Policy

Hi Experts,

I have configured an “Update” Provisioning Policy in the Active Directory source to set the AC_NewParent with the new OU. We have an identity attribute called “xadOu” where we calculate the OU Path based on the user’s country.

Here is the Provisioning Policy:

{
    "name": "Account Update",
    "description": "Account Provisioning Policy",
    "usageType": "UPDATE",
    "fields": [
        {
            "name": "AC_NewParent",
            "transform": {
                "type": "static",
                "attributes": {
                    "country": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "countryCodeIso3166"
                        }
                    },
                    "OU": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "xadOu"
                        }
                    },
                    "value": "#if($country != '')$OU#{else}#end"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

The problem now is that AC_NewParent gets added to the Provisioning Plan for any attribute change at the moment. Is it possible to calculate in the transform to return a value for the “AC_NewParent” only when there is a change in the country attribute? Is it possible to refer to previous attribute values in the transform?

Here is what the plan looks like at the moment, when the last name of the user was updated:

Looking forward to your inputs!

Thanks,
Tamalika

Hi Tamalika,

If you have AC_NewParent in the Disable Provisioning Policy then it will execute the Update Provisioning Policy as well, as you are updating an attribute. So AC_NewParent in the Disable policy will be overridden by the Update Policy.

You can use a Native Rule (Connector After Modify) to move the user to a different OU when there is a change in country.

(or)

Before Provisioning Rule.

– Krish

Hi Krish,

Thanks for your response. I was able to figure out a workaround now:

{
    "name": "Account Update",
    "description": "Account Provisioning Policy",
    "usageType": "UPDATE",
    "fields": [
        {
            "name": "AC_NewParent",
            "transform": {
                "type": "static",
                "attributes": {
                    "country": {
                        "attributes": {
                            "values": [
                                {
                                    "type": "identityAttribute",
                                    "attributes": {
                                        "name": "countryCodeIso3166"
                                    }
                                },
                                "null"
                            ]
                        },
                        "type": "firstValid"
                    },
                    "countryAD": {
                        "attributes": {
                            "values": [
                                {
                                    "attributes": {
                                        "sourceName": "Active Directory [QA]",
                                        "attributeName": "co"
                                    },
                                    "type": "accountAttribute"
                                },
                                "null"
                            ]
                        },
                        "type": "firstValid"
                    },
                    "OU": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "xadOu"
                        }
                    },
                    "value": "#if($country != \"null\" && $country != $countryAD)$OU#{else}#end"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

I am now comparing the country value from the identityAttribute and from AD, and if they don’t match, then set the AC_NewParent value.

I am also planning to move the OU movements for leaver and rehire to the UPDATE provisioning policy and have it all in one place along with mover, since there are other processes that could Disable/Enable an account.

1 Like
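The decision logic of the workaround transform above, modelled in Python as an added example; it is not part of the original posts and not SailPoint code. It assumes `firstValid` returns the first non-null value and that the Velocity `!=` is a case-sensitive string comparison; the OU paths and scenario values are constructed.

```python
from typing import Optional

NULL = "null"  # literal fallback string used in both firstValid lists


def first_valid(*values: Optional[str]) -> str:
    """Return the first value that is not None (assumed firstValid behaviour)."""
    return next(v for v in values if v is not None)


def ac_new_parent(identity_country: Optional[str],
                  ad_co: Optional[str],
                  xad_ou: str) -> str:
    """Model of: #if($country != "null" && $country != $countryAD)$OU#{else}#end"""
    country = first_valid(identity_country, NULL)   # countryCodeIso3166
    country_ad = first_valid(ad_co, NULL)           # account attribute "co"
    if country != NULL and country != country_ad:
        return xad_ou
    return ""  # template renders nothing


# Constructed OU paths, for illustration only.
OU_DE = "OU=DE,OU=Users,DC=example,DC=com"
OU_FR = "OU=FR,OU=Users,DC=example,DC=com"

# Constructed scenarios: (identity country, AD co, xadOu)
SCENARIOS = {
    "last name change only": ("DE", "DE", OU_DE),
    "mover DE -> FR": ("FR", "DE", OU_FR),
    "identity has no country": (None, "DE", OU_DE),
    "AD account has no co": ("DE", None, OU_DE),
    "case differs": ("de", "DE", OU_DE),
    "AD holds name, identity holds code": ("DE", "Germany", OU_DE),
}


def evaluate() -> dict:
    """Evaluate every scenario and return {scenario name: rendered value}."""
    return {name: ac_new_parent(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:36} -> {value or '(empty)'}")
```

In the last three scenarios the template renders an OU on every update although the country did not change, so it is worth checking how the Active Directory attribute is populated and formatted before relying on the comparison.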

That’s a good approach; in fact, I was thinking of having OU movement in the Update Provisioning Policy for Disable, Enable and Update operations.

We can make use of UAC (User Account Control) or maybe AD Description in Disable and Enable Provisioning Policies that will trigger Update policy and calculate OU there in Update Policy.

Let me know how it goes.

1 Like
