Updating the email address on an authoritative source

I am trying to understand the convention behind updating the email address on an authoritative source.

All new employee records that originate in the authoritative source will not have an email address initially, SailPoint IDN will be creating accounts and mailboxes as required and therefore the value won’t be available until onboarding.

I understand that that the email address must not be empty, or the identity created for each record on the source will be invalid.

However, you can’t sync (or update) an identity attribute with a transform attached to it. I am aware of patterns such as Active Directory: Attribute Sync for the Manager Attribute but this is not the same. I need to update the attribute that must have a transform attached to it.

I would be grateful for any insight into how this performed in IDN.


So I’ll lay out a common scenario. Let’s say you have your HR source and you generate the email address when provisioning to Active Directory.

What you would configure is a first valid transform for the email, that looks at the value from the Active Directory account. If that does not have a value, you can generate a temporary email address such as [employeeid]@organization.com. Then when creating the Active Directory account you generate the actual email address and check for uniqueness etc. After this occurs the identity attribute will get updated with the new valid email and get written back to the HR source via attribute sync.

I appreciate the response.

I just created a test directory source also a non default attribute set to an identity attribute that uses a transform, and I am able to enable sync.

It appears my understanding was invalid, you can sync an identity attribute that is set with a transform?

Thank you very much!

1 Like

You can sync any identity attribute irrespective of how the attribute value is populated.

1 Like