Unable to provision new accounts in AD

Hi All,

I have been trying to provision new accounts in AD, with
sAMAccountName included in the provisioning policy as below:

{
  "name": "sAMAccountName",
  "transform": {
    "type": "rule",
    "attributes": {
      "name": "Create Unique LDAP Attribute"
    }
  },
  "attributes": {
    "template": "$(ADSeed)$(uniqueCounter)",
    "cloudMaxUniqueChecks": "50",
    "cloudMaxSize": "20",
    "cloudRequired": "true"
  },
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

Where ADseed is an identity attribute, and the transform it possesses is:
{
  "id": "61d9a63f-bfe6-477b-a37c-49786a4669bd",
  "name": "ADseed",
  "type": "replaceAll",
  "attributes": {
    "requiresPeriodicRefresh": "true",
    "table": {
      "\\s+": ""
    },
    "input": {
      "attributes": {
        "input": {
          "attributes": {
            "values": [
              {
                "attributes": {
                  "input": {
                    "attributes": {
                      "name": "firstname"
                    },
                    "type": "identityAttribute",
                    "name": "testingidentity"
                  },
                  "begin": 0,
                  "end": 1
                },
                "type": "substring"
              },
              {
                "attributes": {
                  "name": "lastname"
                },
                "type": "identityAttribute"
              }
            ]
          },
          "type": "concat",
          "name": "Test Concat Transform"
        },
        "type": "static"
      },
      "type": "lower"
    }
  },
  "internal": false
}

However, it's throwing the below error.


Can someone please share any insights into why it's not creating the account?

Hey
First ensure the ADSeed transform returns a value. Temporarily hardcode the sAMAccountName template in provisioning policy like this to test:

"template": "testuser$(uniqueCounter)"

If that works, the issue is 100% with your transform.

Then, Debug Transform Output

Go to the Transform Editor in SailPoint UI, paste your ADSeed transform config, and test it with sample identity data. Make sure:

  • firstname and lastname identity attributes are present.
  • Substring (e.g., begin: 0, end: 1) doesn’t result in null.
  • No field returns blank or undefined.

And then simplify the Transform for Testing

Instead of nesting so many layers, try this simplified version to confirm basic output:

{
  "type": "concat",
  "attributes": {
    "values": [
      {
        "type": "identityAttribute",
        "attributes": {
          "name": "firstname"
        }
      },
      {
        "type": "identityAttribute",
        "attributes": {
          "name": "lastname"
        }
      }
    ]
  }
}

Then confirm Identity Attributes Exist

Ensure the test identity has non-null firstname and lastname. If those values are missing, the transform output will be null — causing the rule to fail.

If you’re using cloudRequired: true, the transform must return a value — or it will fail. Consider setting this to false temporarily while debugging.

Let me know if this works

Hi Manvitha,
Thank you for your suggestion.
ADseed is fetching a value, as the transform is working fine. It's not provisioning when we use it in the policy.

Hi @jesvin90
Thank you for the reply
Can you please suggest how we can implement this rule,
as the document doesn’t have proper info?

Hi @nidhipriya - Can you check case sensitivity on the ADSeed (in rule) vs ADseed (Identity Attribute)?

@j_place - Good catch!!
I have tried with “ADseed”.
It's still showing the same error.

And you can see ADseed is populated correctly on the Identity?

@j_place - Yes, it's populating.

Hi @nidhipriya - have you successfully aggregated accounts from AD?

@j_place - Yes, I did.

@colin_mckibben - Do you have any suggestions to resolve this?

Apologies for what may seem like dumb questions: Was the aggregation on the same Source to which you want to provision? Was sAMAccountName marked as the Account name?

@nidhipriya -

Could you please check for typos.
I suspect the actual attribute name is ADseed → here s is lowercase. However, in your transform you are calling $(ADSeed)$(uniqueCounter) → here S is capital.

Please confirm.

Hi @officialamitguptaa - Thank you for helping me out.
I had changed the whole attribute name to lowercase.
I am getting a different error now. PFA.

{
  "name": "sAMAccountName",
  "transform": {
    "type": "rule",
    "attributes": {
      "name": "Create Unique LDAP Attribute"
    }
  },
  "attributes": {
    "template": "$(adseed)$(uniqueCounter)",
    "cloudMaxUniqueChecks": "50",
    "cloudMaxSize": "20",
    "cloudRequired": "true"
  },
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

Hi

Can you confirm if the case mismatch caused the original error?

The new error is probably that you are trying to enable the AD account without setting its password.

Hi,
Yes, the case mismatch is the cause.
I haven’t enabled the AD account with password.
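
The case mismatch confirmed above can be caught before a provisioning attempt. The following is an added example, not code from the thread or from SailPoint: it scans the `template` of each provisioning policy field for `$(name)` placeholders and flags any that do not match an identity attribute name exactly. The identity attribute names and the second policy field are constructed assumptions; `uniqueCounter` is treated as supplied by the rule because that is how the thread's template uses it.

```python
import json
import re

# Variables supplied by the rule itself; "uniqueCounter" is the one used in this thread.
RULE_VARIABLES = {"uniqueCounter"}
PLACEHOLDER = re.compile(r"\$\(([^)]+)\)")


def check_template_variables(fields, identity_attributes):
    """Return one finding per $(name) placeholder that does not exactly
    (case-sensitively) match a known identity attribute name."""
    by_folded = {}
    for attr in identity_attributes:
        by_folded.setdefault(attr.casefold(), []).append(attr)
    findings = []
    for field in fields:
        template = field.get("attributes", {}).get("template")
        if not isinstance(template, str):
            continue  # field has no template to check
        for var in PLACEHOLDER.findall(template):
            if var in RULE_VARIABLES or var in identity_attributes:
                continue
            near = sorted(by_folded.get(var.casefold(), []))
            findings.append({
                "field": field.get("name"),
                "variable": var,
                "issue": "case mismatch" if near else "unknown attribute",
                "did_you_mean": near,
            })
    return findings


# Constructed sample: the field from this thread plus a hypothetical second field.
SAMPLE_FIELDS = json.loads("""
[
  {"name": "sAMAccountName",
   "transform": {"type": "rule", "attributes": {"name": "Create Unique LDAP Attribute"}},
   "attributes": {"template": "$(ADSeed)$(uniqueCounter)", "cloudMaxUniqueChecks": "50",
                  "cloudMaxSize": "20", "cloudRequired": "true"},
   "isRequired": false, "type": "string", "isMultiValued": false},
  {"name": "hypotheticalField", "attributes": {"template": "$(firstname).$(surname)"}}
]
""")
# Assumed technical names of the identity attributes (constructed for this example).
SAMPLE_IDENTITY_ATTRIBUTES = {"adseed", "firstname", "lastname"}

if __name__ == "__main__":
    for f in check_template_variables(SAMPLE_FIELDS, SAMPLE_IDENTITY_ATTRIBUTES):
        print(f"{f['field']}: $({f['variable']}) -> {f['issue']} {f['did_you_mean']}")
```
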

Hi @nidhipriya - Are you setting userAccountControl in your mapping? If so what value.

No, I am not setting UAC in the mapping.

Can you share what all attributes you are trying to provision?
Go to Search → Search the user → Go to Account Activities and share what you see?

Hi @nidhipriya - that error is usually associated with password and account status issues. The log entry you posted includes “Error occurred while enabling the account”. To diagnose, try adding a (policy compliant) password to your mappings.