Default Provisioning Attributes Reference

This page details the default provisioning attributes for your connector.

Note

  • For an account that has been moved or renamed in Active Directory since last aggregation, ensure that the change is aggregated before performing any provisioning operation on the account.

  • The Active Directory source no longer connects to Read Only Domain Controllers (RODC) for provisioning operations using serverless binding.

The following generators create required information for a new Active Directory account. You may need to edit the contents.

Account Attribute

Mapping Type

Description

ObjectType

Static

The type of account to be created. The default is User.

  • For users, the object type must be User.

  • For contacts, the object type must be Contact.

  • For group managed service accounts, the object type must be msDS-GroupManagedServiceAccount.

  • For managed service accounts, the object type must be msDS-ManagedServiceAccount.

distinguishedName

Generator

The default Generator is Create Unique Account ID.

This generator uses the value in the Pattern Used field to generate a unique DN for the new account.

Note
You must change the OU in the Pattern Used field in the distinguishedName attribute

sAMAccountName

Generator

The default Generator is Create Unique LDAP Attribute.

This generator uses the value in the Pattern Used field to generate the sAMAccountName for the Active Directory account.

displayName

Identity Attribute

Display name of the new account.

The default Attribute is Display Name (displayName).

manager

Generator

Manager for the new account.

The default Generator is Get Manager LDAP DN.

mail

Identity Attribute

Email address of the new account.

The default Attribute is Work Email (email)

password

Generator

The default Generator is Create Password.

This generator creates an initial password for the new account that matches the password policy assigned to the associated Active Directory source in IdentityNow.

givenName

Identity Attribute

First name associated with the account.

The default Attribute is First Name (firstname).

sn

Identity Attribute

Last name associated with the account.

The default Attribute is Last Name (lastname).

pwdLastSet

Static

This attribute can only be set as true or false.

  • When set to true, the pwdLastSet attribute value is set to 0 and it selects the User must change password on logon checkbox for the Active Directory user object's account in ADUC.

  • When set to false, the pwdLastSet attribute value is set to -1 and sets this attribute to the current time, and it deselects the User must change password on logon checkbox.

The default Static Value is false.

Disabled

Static

This attribute can only be set as true or false.

Set to true to create a disabled user.

The default Static Value is false.

primaryGroupDN

Static

Default group of the new account.

description

Static

Description of the new account.

telephoneNumber

Identity Attribute

Telephone number of the new account.

The default Attribute is Alternate Phone Number (phone).

Attribute

Description

AC_NewName

A string attribute to rename the user. For example, CN=abc

AC_NewParent

A string attribute to move the user to new OU. For example, OU=xyz,DC=pqr,DC=com

The AC_NewName and AC_NewParent are special attributes to handle the move and rename operations and can be sent in Attributes Map and AccountRequest instead of AttributeRequest.

For example:

Copy 
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
   <AccountRequest application="AD App" nativeIdentity="CN=SampleUser,CN=Users,DC=Example,DC=Com" op="Disable">
    <Attributes>
     <Map>
         <entry key="AC_NewParent" value="OU=DsiabledUsers,DC=Example,DC=Com"/>
     </Map>
    </Attributes>
   </AccountRequest>
</ProvisioningPlan>

Note the following when working with mailbox attributes:

  • If you send an email address in the mail attribute, the exchange may not use it, if the E-mail Policy in the exchange is set to create it differently. The email address is not taken and sent back to Active Directory after it is created, based on the policy.

  • For the Active Directory source, the mailNickname, homeMBD, and msExchHideFromAddressLists attributes are case insensitive when processed by the IQService.

  • The Active Directory source sets the MS-Exchange attributes - homeMDB and mailNickname as AD attributes, if MS-Exchange is not enabled.

The following are additional attributes required to create a mailbox:

Attribute

 Mapping Type

Description

homeMDB

Disable

The exchange mailbox store domain name required to create a mailbox. For example: SomeExchangeDB. The homeMDB attribute is in the format of SomeExchangeDB', not 'CN=SomeExchangeDB.

mailNickname

Disable

The exchange alias that you can use to update or disable the mailbox.

For example: firstname.lastname

msExchHideFromAddressList

Disable

The attribute to hide from the Exchange address lists.

externalEmailAddress

Disable

The external email address, required for mail contact creation.

Updating Exchange Mailbox Attributes

The Active Directory connector supports updating any Exchange mailbox attributes supported by set-mailbox cmdlet, using the following methods:

  1. Add the attribute in the provisioning policy with Exch_ as a prefix. For example, to set the HiddenFromAddressListsEnabled exchange attribute, add the attribute name as Exch_HiddenFromAddressListsEnabled in the provisioning policy.

  2. Provide a comma separated list of exchange attributes for exchangeAttributes. For example, for the HiddenFromAddressListsEnabled provisioning policy attribute, use the IdentityNow REST API. Set up the exchangeAttributes attribute with a value such as HiddenFromAddressListsEnabled.

    Note
    For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.

The msRTCSIP-UserEnabled attribute must be updated as part of the Create Profile section.

By default, provisioning of the following attributes is supported:

Attribute

Description

SipAddress

This attribute contains the SIP address of a given user.

SipDomain

This attribute contains the SIP domain of a given user.

SipAddressType

This attribute contains the SIP address type of a given user. Skype for Business Server generates a SIP address for the new user when SipAddressType is provided in combination with SipDomain.

Registrar Pool

This attribute contains the Registrar pool of a given user.

msRTCSIP-UserEnabled

This attribute indicates whether the user is currently enabled for Microsoft Lync\Skype for Business Server.

For the provisioning of the following gMSA attributes, you must add them manually for the existing sources. By default, they are available for new sources.

Account Attribute

Mapping Type

 Description

dNSHostName

Disable

The DNS host name of the service account. This attribute is mandatory for gMSA provisioning.

msDS-SupportedEncryptionTypes

Disable

The supported encryption types for the service account. This is a multi-valued attribute.

msDS-ManagedPasswordInterval

Disable

The number of the days for the password change interval.

msDS-GroupMSAMembership

Disable

The principals that are allowed to retrieve Managed Password of this Group-Managed

Service Account. This is a multi-valued attribute.

msDS-AllowedToActOnBehalfOf

OtherIdentity

Disable

The accounts that can act on the behalf of this Group Managed Service Account. This is a multi-valued attribute.

servicePrincipalName

Disable

The service principal names for the service account. This is a multi-valued attribute.

Add the displayAttributeForContacts attribute as additional parameter for Contacts. CN is used as the default value for display name of Contact objects. The Display attribute can be set using the connector_displayAttributeForContact config attribute.

For example, to set it to firstName use the IdentityNow REST API and set value of connector_displayAttributeForContact to firstName.

Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.

The following String-type attribute required for creating Linked Mailbox, is available by default, for the new sources. For existing sources, add manually in the Create Profile section.

Account Attribute

 Mapping Type

Description

shadowAccountDN

Disable

Distinguished Name of the Linked Mailbox Shadow Account to be created. It is required for creating new Linked Mailbox.

accountExpires Attribute

For the Active Directory source, the accountExpires attribute must be defined as a string. The value of the accountExpires attribute can be set in the Microsoft defined timestamp that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC).

The value can also be entered in a human readable format: MM/DD/YYYY HH:MM:SS AM TimeZone. For example, 05/11/2019 12:00:00 AM IST. A value of 0, never, or 9223372036854775807 indicates that the account never expires.

The value of the accountExpires attribute is displayed in the MM/DD/YYYY hh:mm:ss aa Z format. For example, if previously the time of account expiry was displayed as 5/14/2019 12:0:0 AM IST, it will now be displayed as 05/14/2019 12:00:00 AM IST.

'Never' as a Value of accountExpires Attribute

The Active Directory source supports never as a value of the accountExpires attribute in provisioning, when the timeZone attribute is present in the source configuration.

Note
SailPoint recommends that the accountExpires attribute must be defined as a string. However, the Active Directory source accepts an integer value for the accountExpires attribute in account provisioning if it is not a string.

timeZone Attribute

The Active directory source supports the timeZone attribute.

The timeZone attribute defines a time zone that you want to provision accounts in or change in the default setting of the accountExpires attribute and display.

The timeZone attribute accepts values in the string format.

Valid values are:

  • epoch - use if you want to provision and see the accountExpires attribute in Active Directory epoch format.

  • Continent/City - this format is similar to standard format that Java supports. For example, if you want to provision accounts and see the accountExpires attribute in Indian Standard Time then timeZone must be set as Asia/Kolkata.

Rollback of Created Account

The Active Directory source supports rollback of created account in case provisioning of one or more requested attributes fails during the provisioning operation. Set the rollbackCreatedAccountOnError attribute to True.