Create Profile for Provisioning

When Identity Security Cloud provisions new accounts to a Solaris source, it uses the attributes on the Create Profile page as instructions or a template for what to include in the account. This page is also referred to as the provisioning policy.

Important
This page describes the configuration of the default Create Profile. However, SailPoint recommends that you work with Services to define a Create Profile specific to your company's needs.

| Account Attributes | Generator | Description |
|---|---|---|
| username | Create Unique Account ID | This generator uses the value in the Pattern Used field to generate a unique user name for the new account. |
| password | Create Password | This generator creates an initial password for the new account that matches the password policy assigned to the associated Solaris source in Identity Security Cloud. |
| uid | Disable | The numeric identity of a user. |
| dupuid | Static | The duplicate identity of a user. |
| primgrp | Disable | An existing group integer ID or character-string name. Without the -D option, it defines the new user's primary group membership, which also indicates the default group. You can reset this default value by invoking useradd -D -g group. GIDs 0-99 are reserved for allocation by the Solaris operating system. |
| home | Disable | The home directory of a user. |
| shell | Disable | The default shell of a user. |
| create_home_dir | Static | The creation of the home directory of a user. |
| expire | Disable | Specifies the expiration date for a login. After this date, no user is able to access this login. The expire option argument is a date entered using one of the date formats included in the template /etc/datemsk file. If the date format that you choose includes spaces, the space must be quoted (" "). |
| inactive | Disable | The maximum number of days allowed between uses of a login ID before that ID is declared invalid. Normal values are positive integers. A value of 0 defeats the status. |
| look_after_retries | Disable | Specifies whether an account is locked after a number of failed logins as defined by RETRIES in /etc/default/login. Possible values are yes or no. The default is no. Account locking is only applicable to local accounts and accounts in the LDAP name service repository, if configured with an enableShadowUpdate of true as specified in ldapclient(1M). |
| profile | Disable | An ordered, comma-separated list of profile names selected from prof_attr. Profiles are enforced by the profile shells pfcsh, pfksh, and pfsh. If no profiles are assigned, the profile shells do not allow the user to execute any commands. |
| auths | Disable | One or more comma-separated authorizations defined in auth_attr. Only a user or role that has grant rights to the authorization can assign it to an account. |
| pwdwarn | Disable | The number of days, relative to max, before the password expires and the system issues a password expiration warning. |
| pwdminage | Disable | The minimum number of days required between password changes for the user. MINWEEKS is found in /etc/default/passwd and is set to NULL. |
| pwdmaxage | Disable | The maximum number of days the password is valid for the user. MAXWEEKS is found in /etc/default/passwd and is set to NULL. |
| forcepwdchange | Static | Use this attribute to force the user to change their password on next logon. |
| project | Disable | The name of the project that the added user is associated with. |
| comment | Disable | Any text string. It is generally a short description of the login, and is currently used as the field for the user's full name. This information is stored in the user's /etc/passwd entry. |
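
The following added example (not SailPoint's or the connector's code) shows how the useradd-related attributes in the table above correspond to a native Solaris useradd invocation, and validates values before they can reach colon-delimited files such as /etc/passwd. The function name, the flag mapping (taken from the Solaris useradd(1M) synopsis), and the sample values are assumptions for illustration; the password-aging attributes are not covered.

```python
# Added example: the flag mapping follows the Solaris useradd(1M) synopsis and is
# an assumption for illustration, not the connector's real command line.
VALUE_FLAGS = {"uid": "-u", "primgrp": "-g", "home": "-d", "shell": "-s",
               "expire": "-e", "inactive": "-f", "profile": "-P",
               "auths": "-A", "project": "-p", "comment": "-c"}

def _truthy(value):
    return str(value).strip().lower() in ("true", "yes", "1")

def build_useradd(attrs):
    """Return (argv, warnings) for a dict of Create Profile attribute values."""
    def check(name, value):
        value = str(value)
        # ':' or a newline would corrupt colon-delimited files like /etc/passwd;
        # a leading '-' would be parsed by useradd as another option.
        if not value or value.startswith("-") or any(c in value for c in ":\n\r"):
            raise ValueError(f"{name}: unsafe value {value!r}")
        return value

    argv, warnings = ["useradd"], []
    for name, flag in VALUE_FLAGS.items():
        if attrs.get(name) in (None, ""):
            continue  # attribute is set to Disable in the profile
        argv += [flag, check(name, attrs[name])]
    for name in ("uid", "inactive"):
        if attrs.get(name) not in (None, "") and not str(attrs[name]).isdigit():
            raise ValueError(f"{name}: must be a non-negative integer")
    group = str(attrs.get("primgrp", ""))
    if group.isdigit() and int(group) < 100:
        warnings.append("primgrp is in the Solaris-reserved GID range 0-99")
    if _truthy(attrs.get("dupuid", "")):
        if attrs.get("uid") in (None, ""):
            raise ValueError("dupuid: -o is only valid together with an explicit uid")
        argv.append("-o")
    if _truthy(attrs.get("create_home_dir", "")):
        argv.append("-m")
    lock = str(attrs.get("look_after_retries", "")).lower()
    if lock:
        if lock not in ("yes", "no"):
            raise ValueError("look_after_retries: must be yes or no")
        # The key name Solaris itself uses in user_attr(4) is lock_after_retries.
        argv += ["-K", f"lock_after_retries={lock}"]
    argv.append(check("username", attrs.get("username", "")))
    return argv, warnings
```

Passing the result as an argument list (for example to subprocess.run without shell=True) keeps a comment such as "Jane Doe" as a single argument and avoids shell interpretation of attribute values.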