Provisioning Policy

When SailPoint provisions new accounts to the Active Directory source, it uses the attributes on the Create Profile page as instructions or a template for what to include in the account. Each source can have its own configuration that specifies which attributes to include in account creation and how to set their values. SailPoint pre-defines this for most source types, but you can edit the way the attributes are mapped.

When new access is granted on a source where a user does not already have an account, Identity Security Cloud automatically includes account creation in the provisioning. This applies whether provisioning started from an access request or from automated role or lifecycle state assignment.

For direct-connect sources, Identity Security Cloud automatically creates the account from this configuration. If the source is not configured as a direct-connect source, Identity Security Cloud creates and assigns a provisioning task to the source owner and includes the values for the source owner to use in manually creating the account.

Warning
This section describes the configuration of the default Create Profile. However, SailPoint recommends that you work with Services to define a Create Profile specific to your company's needs. Be sure to verify large changes to the provisioning policy before implementation. Failure to do so may cause provisioning to fail.

Note the following when provisioning the Active Directory source:

  • You can specify the attributes for other operations, such as account updates, through the provisioning policy APIs.

  • The Active Directory source has a skipDeletedObjScopeCheckInDelta attribute that you can set to configure the binding of deleted and recycled objects in Active Directory and process them in Identity Security Cloud accordingly.

  • Active Directory does not show the InvalidCastException attribute in logs when provisioning a Lync account.

  • Active Directory updates the msExchHideFromAddressLists attribute value in the 'modify' provisioning operation.

  • Active Directory returns attribute-level results when the setAttributeLevelResult attribute is set to "true". When setAttributeLevelResult is set to "true", a provisioning failure on one attribute does not cause subsequent attributes to fail with the same error.

    Note
    The value must be inside quotation marks as it is being passed as a string and not a boolean value.

  • Active Directory clears the description attribute when provisioned with an empty string.

  • For more information on provisioning attributes, refer to the Default Provisioning Attributes Reference.

  • Refer to the following Identity Security Cloud best practice documents for guidance on these common account-creation requirements.

  • For more information on Identity Security Cloud provisioning, refer to Provisioning Overview.
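The following Python is an added example, not SailPoint's code, illustrating the two configuration points above: passing setAttributeLevelResult as the string "true" rather than a boolean, and building a provisioning policy for an operation other than account creation. It assumes that a source's connector settings live in a "connectorAttributes" map changed with JSON Patch operations, that a provisioning policy carries a "usageType" and a list of "fields" (each with "name", "transform", "isRequired", "type" and "isMultiValued"), that the usage types listed in USAGE_TYPES exist, and that "identityAttribute" and "static" are the only transform types it needs to evaluate. The identity record and policy fields are constructed sample data; nothing here contacts a tenant.

```python
"""Added example (not SailPoint's own code): build and sanity-check the
Active Directory provisioning configuration changes described on this page.
All API shapes below are assumptions for the example; see the lead-in."""
import json

# Assumed set of provisioning policy usage types for this example.
USAGE_TYPES = {"CREATE", "UPDATE", "ENABLE", "DISABLE", "DELETE"}


def attribute_level_result_patch(enabled: bool) -> list:
    """JSON Patch op that sets setAttributeLevelResult as the STRING "true"/"false".
    The page notes the value is passed as a string, not a boolean."""
    return [{
        "op": "add",
        "path": "/connectorAttributes/setAttributeLevelResult",  # assumed path
        "value": "true" if enabled else "false",
    }]


def check_connector_attributes(attrs: dict) -> list:
    """Return the problems found in a source's connectorAttributes map."""
    problems = []
    value = attrs.get("setAttributeLevelResult")
    if value is None:
        problems.append("setAttributeLevelResult is not set; attribute-level results are off")
    elif isinstance(value, bool):
        # A JSON boolean is the classic mistake: the connector expects a string.
        problems.append(f"setAttributeLevelResult is boolean {value!r}; use the string \"true\" or \"false\"")
    elif value not in ("true", "false"):
        problems.append(f"setAttributeLevelResult has unexpected value {value!r}")
    return problems


def build_provisioning_policy(usage_type: str, fields: list) -> dict:
    """Assemble a provisioning policy payload (assumed shape) for one operation."""
    if usage_type not in USAGE_TYPES:
        raise ValueError(f"unknown usageType {usage_type!r}")
    names = [f["name"] for f in fields]
    duplicates = sorted({n for n in names if names.count(n) > 1})
    if duplicates:
        raise ValueError(f"attribute(s) mapped more than once: {duplicates}")
    for f in fields:
        if "transform" not in f:
            raise ValueError(f"field {f['name']!r} has no transform")
    return {"name": f"Account {usage_type.title()}", "usageType": usage_type, "fields": fields}


def evaluate_transform(transform: dict, identity: dict):
    """Evaluate the minimal transform subset this example supports."""
    ttype = transform.get("type")
    if ttype == "identityAttribute":
        return identity.get(transform["attributes"]["name"])
    if ttype == "static":
        return transform["attributes"]["value"]
    raise ValueError(f"transform type {ttype!r} is not supported by this example")


def render_account_request(policy: dict, identity: dict) -> dict:
    """Turn a policy into the attribute map the connector would send to AD.
    Empty-string values are kept, because AD clears an attribute such as
    description when it is provisioned with an empty string; that case is flagged."""
    attributes, warnings = {}, []
    for field in policy["fields"]:
        value = evaluate_transform(field["transform"], identity)
        if value is None and field.get("isRequired"):
            raise ValueError(f"required attribute {field['name']!r} has no value")
        if value == "":
            warnings.append(f"{field['name']} is an empty string; AD will clear it")
        if value is not None:
            attributes[field["name"]] = value
    return {"attributes": attributes, "warnings": warnings}


def identity_field(name: str, attr: str, required: bool = False) -> dict:
    """Helper building one policy field that copies an identity attribute (assumed shape)."""
    return {"name": name, "isRequired": required, "type": "string", "isMultiValued": False,
            "transform": {"type": "identityAttribute", "attributes": {"name": attr}}}


# Constructed sample data for the example.
SAMPLE_IDENTITY = {"uid": "jdoe", "displayName": "Jane Doe", "department": ""}
SAMPLE_FIELDS = [
    identity_field("sAMAccountName", "uid", required=True),
    identity_field("displayName", "displayName"),
    identity_field("description", "department"),
]

if __name__ == "__main__":
    print(json.dumps(attribute_level_result_patch(True)))
    print(check_connector_attributes({"setAttributeLevelResult": True}))
    policy = build_provisioning_policy("UPDATE", SAMPLE_FIELDS)
    print(json.dumps(render_account_request(policy, SAMPLE_IDENTITY), indent=2))
```

Running the script prints the patch with the string value, the boolean-vs-string finding, and an account request whose description is flagged because the sample identity's department is empty.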