Resource Forest Specific Domain Configuration Attributes

By default, the connector considers the memberships of Shadow Account as Master Accounts memberships.

To discard membership of shadow account, set this Boolean (or as a String) attribute to true under domainSettings of respective Resource Forest domain, by using Identity Security Cloud REST API. Update the value of disableShadowAccountMembership that is present under connector_domainSettings(map) of the Resource Forest domain. For example,

<entry key=" disableShadowAccountMembership" value=""true/>

Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

By default, the connector retrieves all memberships of Shadow Account, but these memberships can be filtered based on a LDAP filter.

Update the value of shadowAccountMembershipFilter that is present under connector_domainSettings(map) of the Resource Forest domain using the Identity Security Cloud REST API. For example, if only distribution group of Shadow Account is considered , you can use the shadowAccountMembershipFilter attribute with the value such as,(!groupType:1.2.840.113556.1.4.803:=2147483648))

Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

By default, the connector supports assigning of only Universal and Global Distribution List from Resource Forest Domain to the Shadow Account. To override this and to support all other types of group provisioning to the Shadow Account, pass this attribute in the metadata of the AttributeRequest for memberOf attribute as given in the following example:

<AttributeRequest op="Add" name="memberOf" value=<group-nativeIdentity>>
    <Attributes>
      <Map>
        <entry key="provisionGroupToShadowAccount" value="true" />
      </Map>
    </Attributes>
</AttributeRequest>