Update Provisioning Policy behavior

Hey guys

For the Active Directory source, we are using some attributes on the update provisioning policy.

One of them is the ‘description’ attribute, which needs to change depending on the user’s lifecycle state.

        {
            "name": "description",
            "transform": {
                "type": "static",
                "attributes": {
                    "dataAtual": {
                        "attributes": {
                            "expression": "now-3h"
                        },
                        "type": "dateMath"
                    },
                    "cpf": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "cpf"
                        }
                    },
                    "situacao": {
                        "attributes": {
                            "name": "situacao"
                        },
                        "type": "identityAttribute"
                    },
                    "lcs": {
                        "attributes": {
                            "name": "cloudLifecycleState"
                        },
                        "type": "identityAttribute"
                    },
                    "value": "#if($lcs == 'ativo')$cpf#elseif($lcs != 'desligamentoIntempestivo' )$situacao - $dataAtual pelo Sailpoint#{else}Desligamento intempestivo - $dataAtual pelo Sailpoint#end"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },

However, we noticed that whenever an update occurs, multiple “Modify Account” events are created, even if the attributes are updated only once.

Here we can see 4 requests trying to update the ‘description’ attribute:




All of them were opened at 03:03 PM, with the only difference being the seconds.
How does the update provisioning policy work? Should we create an identity attribute and use attribute sync on the source instead?

> Should we create an identity attribute and use attribute sync on the source instead?

Yes, put your transform on the identity attribute and map it directly to the account attribute so that you can enable attribute sync.

Hi

Yes, I have noticed the same thing too. It is like there is an Update call made for every attribute in the Provisioning Policy, even if only 1 attribute is updated!

It is crazy - sending, say, 3+ updates for a user when it should only be 1!

@jrossicare, is a cyclic sync happening? You can check this behavior. It is as if the attribute is being changed again after aggregation.
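
An added Python model of the Velocity expression in the transform at the top of the thread, showing which lifecycle states yield a `description` that changes with evaluation time because of `$dataAtual`. It is not SailPoint code and not from any poster. The function names, sample identity values and timestamp format are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed evaluation time (the thread only says the events were at 03:03 PM).
T0 = datetime(2024, 1, 1, 15, 3, 10, tzinfo=timezone.utc)


def render_description(lcs, cpf, situacao, now):
    """Mirror the #if/#elseif/#else branches of the transform's 'value' template."""
    # dateMath "now-3h": evaluation time minus three hours.
    # ISO 8601 output with milliseconds is assumed here.
    shifted = now - timedelta(hours=3)
    data_atual = shifted.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    if lcs == "ativo":
        return cpf
    elif lcs != "desligamentoIntempestivo":
        return f"{situacao} - {data_atual} pelo Sailpoint"
    else:
        return f"Desligamento intempestivo - {data_atual} pelo Sailpoint"


def drift_report(gap_seconds=7):
    """For each lifecycle state, report whether two evaluations taken
    gap_seconds apart produce different description strings."""
    # Constructed sample identities: (lifecycle state, cpf, situacao).
    samples = [
        ("ativo", "00000000000", "Ativo"),
        ("inativo", "00000000000", "Desligado"),
        ("desligamentoIntempestivo", "00000000000", "Desligado"),
    ]
    later = T0 + timedelta(seconds=gap_seconds)
    report = {}
    for lcs, cpf, situacao in samples:
        first = render_description(lcs, cpf, situacao, T0)
        second = render_description(lcs, cpf, situacao, later)
        report[lcs] = first != second
    return report


if __name__ == "__main__":
    for state, drifts in drift_report().items():
        print(f"{state}: value changes between evaluations = {drifts}")
```

Only the `ativo` branch is stable across evaluations; the other two branches embed the evaluation time, so a comparison against the value already stored on the account never matches.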