Update provisioning policy - how to apply retroactively

Hi! I have an AD connector, with the manager attribute in a Provisioning Policy in order to reflect identity manager changes in AD.

I have just configured it, while the solution has been live for about a month. Manager updates performed in this time are not modifying the AD account. Identity Profile refresh is also not working; it only works for new manager changes.

Is there some way to force it?

Have you tried to run an unoptimized agg for that source?

When you update the manager attribute in Active Directory, you need to send the distinguished name (DN) of the Manager’s Active Directory account. Does your Create Account/Attribute Sync use an Identity Attribute that is populated with the DN?


Hi Carl, the manager update is not treated directly from some identity attribute, that’s why it is not in sync either. I use the OOTB rule; for updating I have an update provisioning policy.

The problem is that after the moment I add the update provisioning policy, it works OK for new manager updates. But it does not equalize previous identities with managers different from AD.

Provisioning Policies only run when the system is doing some sort of provisioning on an Identity. So it is working on your new manager updates, because some sort of provisioning is occurring on those accounts and then the Provisioning Policy kicks in.

But out of sync accounts won’t get updated until a provisioning event happens.

My recommendation would be to do the following:

  1. Create an IdentityProfile Attribute which pulls in the distinguishedName for the Identity’s account in Active Directory. Let’s call this Attribute “adDistinguishedName”.
  2. Create a Transform that gets the “adDistinguishedName” attribute from the Identity’s manager:
     {
         "name": "Manager DN",
         "type": "rule",
         "attributes": {
             "name": "Cloud Services Deployment Utility",
             "operation": "getReferenceIdentityAttribute",
             "uid": "manager",
             "attributeName": "adDistinguishedName"
         }
     }
  3. Create an IdentityProfile Attribute which is populated with data from the “Manager DN” transform.
  4. Set up Account Create on the Active Directory source to use the IdentityAttribute from step 3 to populate the Manager field.
  5. Turn on Attribute Sync for the Manager field.
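Before forcing a sync, it helps to know which accounts are actually out of date. The script below is an added example, not code from the thread or from SailPoint: it mirrors what the “Manager DN” transform computes (manager identity → its adDistinguishedName) and compares that against the manager attribute currently stored on each AD account, listing the identities whose accounts still carry a stale or missing manager. The identity and account records are constructed sample data standing in for an identity export and an AD account aggregation.

```python
# Added example: find AD accounts whose "manager" attribute disagrees with the
# DN of the identity's current manager (the accounts a new update provisioning
# policy will not touch until some provisioning event happens for them).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Identity:
    uid: str
    manager_uid: Optional[str]   # None when the identity has no manager
    ad_dn: Optional[str]         # the "adDistinguishedName" identity attribute

@dataclass
class AdAccount:
    dn: str
    manager: Optional[str]       # value of the AD "manager" attribute (a DN)

def manager_dn_for(identity: Identity, by_uid: Dict[str, Identity]) -> Optional[str]:
    """Same lookup the getReferenceIdentityAttribute transform performs."""
    if not identity.manager_uid:
        return None
    mgr = by_uid.get(identity.manager_uid)
    return mgr.ad_dn if mgr else None

def find_out_of_sync(identities: List[Identity], accounts: Dict[str, AdAccount]) -> List[Tuple[str, str]]:
    """Return (uid, reason) for each identity whose AD account manager differs
    from the transform's result. DNs are compared case-insensitively."""
    by_uid = {i.uid: i for i in identities}
    drift: List[Tuple[str, str]] = []
    for ident in identities:
        acct = accounts.get((ident.ad_dn or "").lower())
        if acct is None:
            continue                 # no AD account: nothing to sync
        expected, actual = manager_dn_for(ident, by_uid), acct.manager
        if expected is None and actual is None:
            continue
        if expected is None:
            drift.append((ident.uid, f"AD has manager {actual} but identity has none"))
        elif actual is None:
            drift.append((ident.uid, f"manager missing in AD, expected {expected}"))
        elif expected.lower() != actual.lower():
            drift.append((ident.uid, f"AD manager {actual} != expected {expected}"))
    return drift

# Constructed sample data: Carol's account still points at her old manager Bob.
SAMPLE_IDENTITIES = [
    Identity("alice", None, "CN=Alice,OU=Users,DC=example,DC=com"),
    Identity("bob", "alice", "CN=Bob,OU=Users,DC=example,DC=com"),
    Identity("carol", "alice", "CN=Carol,OU=Users,DC=example,DC=com"),
    Identity("dave", "bob", None),   # no AD account yet
]
SAMPLE_ACCOUNTS = {a.dn.lower(): a for a in [
    AdAccount("CN=Alice,OU=Users,DC=example,DC=com", None),
    AdAccount("CN=Bob,OU=Users,DC=example,DC=com", "CN=Alice,OU=Users,DC=example,DC=com"),
    AdAccount("CN=Carol,OU=Users,DC=example,DC=com", "CN=Bob,OU=Users,DC=example,DC=com"),
]}

def report() -> List[Tuple[str, str]]:
    return find_out_of_sync(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS)

if __name__ == "__main__":
    for uid, reason in report():
        print(uid, reason)
```

Run it against a real identity export and account aggregation to get the list of accounts that need a provisioning event (for example the unoptimized aggregation suggested above) rather than waiting for the next manager change.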