Update an AD account attribute only in SailPoint while creating a new account

Which IIQ version are you inquiring about?

8.3

Share all details about your problem, including any error messages you may have received.

Hi, we have declared an attribute (isPrivileged) in our Active Directory application to identify whether the account is privileged or not based on certain logic. This attribute does not exist in the target. Once the ProvisioningResult is committed, I want to update the attribute only in SailPoint. I am adding this attribute to the existing account request in the After Provisioning rule as below, but it's not working.
Please suggest any workaround to do this.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// accReq and attrReqList are set earlier in the rule (not shown in the post).
// Copy the existing attribute requests, then append isPrivileged.
List newAttrRequests = new ArrayList();
for (AttributeRequest tempAttr : attrReqList) {
    newAttrRequests.add(tempAttr);
}
newAttrRequests.add(new AttributeRequest("isPrivileged", ProvisioningPlan.Operation.Set, "True"));
accReq.setAttributeRequests(newAttrRequests);
```

Hi, on what basis are you marking the account as privileged in SailPoint? Use account mappings to mark it as privileged.

We are checking based on the entitlement being assigned to the account. If the entitlement is marked as Privileged, then the account would be Privileged.

@sahoos9

Please add the attribute to the application XML in the tag below and validate whether this fixes your issue:

```xml
<entry key="excludeAttributesFromProvisioning">
  <value>
    <List>
      <String>isPrivileged</String>
    </List>
  </value>
</entry>
```

Please mark the solution if this resolves your issue.


There is one more option you can try:

You can use the displayOnly option in the Provisioning Policy Field.

Source: Solved: Removing attributes from Provisioning Plan - Compass


Awesome, it works. Thank you very much.

@sahoos9
FYI, Display only works if the attribute is part of your provisioning policy, but if you are setting this specifically in a before provisioning rule and it is not part of your provisioning policies, you should go with excludeAttributesFromProvisioning.

Nice, you can choose whatever is best for your requirement. Good luck!
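For the excludeAttributesFromProvisioning entry suggested earlier in the thread, a small offline helper that adds an attribute name to that list in an exported Application XML without duplicating it. This is an added example, not code from the thread or from SailPoint; the function name, the sample application name and the sample entry are constructed, and it assumes the usual `<Application><Attributes><Map>` export layout.

```python
import xml.etree.ElementTree as ET

KEY = "excludeAttributesFromProvisioning"

# Constructed sample: a trimmed Application export. Real exports carry an XML
# header/DOCTYPE and many more entries; ElementTree does not write a DOCTYPE
# back, so the real header line must be carried over separately.
SAMPLE = """<Application name="AD-Example" type="Active Directory - Direct">
  <Attributes>
    <Map>
      <entry key="searchScope" value="SUBTREE"/>
    </Map>
  </Attributes>
</Application>"""


def exclude_from_provisioning(app_xml, attr_name):
    """Return (xml_text, changed). Idempotent: an already listed name is left alone."""
    root = ET.fromstring(app_xml)
    if root.tag != "Application":
        raise ValueError("expected an <Application> export")
    amap = root.find("./Attributes/Map")
    if amap is None:
        raise ValueError("no <Attributes><Map> element in this export")
    # Reuse the existing entry if the application already excludes other attributes.
    entry = next((e for e in amap.findall("entry") if e.get("key") == KEY), None)
    if entry is None:
        entry = ET.SubElement(amap, "entry", {"key": KEY})
    elif entry.get("value") is not None:
        raise ValueError(KEY + " is stored as a plain value, not a <List>")
    value = entry.find("value")
    if value is None:
        value = ET.SubElement(entry, "value")
    lst = value.find("List")
    if lst is None:
        lst = ET.SubElement(value, "List")
    if any(s.text == attr_name for s in lst.findall("String")):
        return app_xml, False  # nothing to do, return the input untouched
    ET.SubElement(lst, "String").text = attr_name
    ET.indent(root, space="  ")  # requires Python 3.9+
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    patched, changed = exclude_from_provisioning(SAMPLE, "isPrivileged")
    print(patched if changed else "already excluded")
```
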
