Managing Multi-Host Account Provisioning

When a user is granted access on a source where they don't already have an account, an account is created for them as part of the provisioning process. This applies regardless of how the provisioning action was initiated. When a new account is created on a source, the attributes on that account must be populated with values.

Multi-host account creation enables bulk account creation for all sources within a multi-host group.

Editing the Account Creation Configuration

Most source types have predefined attributes used for account creation, but you can edit the way they are mapped. This will apply to all sources within a multi-host group.

  1. Go to Admin > Connections > Multi-Host Sources and select a multi-host group.

  2. Select Edit to view configuration details about the multi-host group.

  3. From the left navigation, select Account Management > Create Account.

  4. In Account Attribute Mappings, for each source attribute, select a mapping type and set the related attributes:

    • Identity Attribute - Use an identity attribute’s value to set the account attribute. For example, to use the identity’s work email address to set an account attribute value, select Identity Attribute and then choose Work Email from the Attribute list.

      Important

      The built-in Manager identity attribute can be used to set an account attribute in the Create Account definition. However, it cannot be used in attribute sync. If you need to sync users' manager names to their source accounts, define a custom identity attribute (for example, managerToSync) and configure its mapping to populate it with the user's manager name. Then use that attribute in both your Create Account definition and Attribute Sync configuration.

    • Generator - Generators compute a value for the account attribute, usually based on a pattern you specify. Select the name of a generator that will create the value for the source attribute during provisioning. For example, the Create Unique Account ID generator produces an account ID for each account based on the pattern you enter in the Pattern Used field.

      Patterns can use text values and variables. For variables:

      • Reference identity attributes with $(attributeTechnicalName). An attribute's technical name can be found in parentheses next to the attribute in the Mappings tab of the identity profile. For instance, the identity attribute Family Name has the technical name lastname, so it is referenced as $(lastname).
      • Optionally, include a counter that generates a unique number with $(uniqueCounter).

      For example, the default pattern for distinguishedName on Active Directory sources is: CN=$(firstname).$(lastname)$(uniqueCounter),OU=YOURCONTAINER, DC=YOURDOMAIN.

      Generator patterns cannot reference other Create Account attributes.

      Note

      While you can select new attributes for any of these fields, SailPoint recommends using the default values in the Generator fields for the generated attributes. To add generators to the list, your implementation team can create Attribute Generator rules.

    • Static - Enter a simple text value or build a value for the attribute using an Apache Velocity script template. Static values use the same Velocity syntax as Static Transforms. These scripts can reference other account attributes defined higher in the Create Account list with $attributeName.

      Static values cannot reference identity attributes.

    • Disable - Select this option to omit the attribute when creating a new account.

  5. You can add mappings for existing attributes or create attributes to use in your create account configuration.

  6. Select Save when you've finished mapping the source attributes.

Adding Existing Attributes

You can add existing account attributes to the multi-host create account configuration so those attributes are assigned values during provisioning actions.

  1. Go to Admin > Connections > Multi-Host Sources and select a multi-host group.

  2. Select Edit to view configuration details about the multi-host group.

  3. From the left navigation, select Account Management > Create Account.

  4. At the bottom of the list of attributes, select Add Mapping.

  5. Select Add Existing Attribute.

  6. Select the attribute to add from the Account Attribute dropdown list.

  7. Select Add.

  8. Update the attribute's provisioning configuration as described in Editing the Account Creation Configuration.

Creating Attributes

You can create attributes in your multi-host account creation configuration so values can be provisioned to attributes that exist on your source but aren't included in your account schema.

  1. Go to Admin > Connections > Multi-Host Sources and select a multi-host group.

  2. Select Edit to view configuration details about the multi-host group.

  3. From the left navigation, select Account Management > Create Account.

  4. At the bottom of the list of attributes, select Add Mapping.

  5. Select Create New Attribute.

  6. In the Attribute Name field, enter the name of the attribute to add as it appears on the source. This field is case-sensitive.

  7. Select Add.

  8. Update the attribute's provisioning configuration as described in Editing the Account Creation Configuration.

Editing the Attribute List

Attribute values are calculated for an account in the order in which they appear on the Create Account page. You can reorder the attributes in this list so they are provisioned correctly, or remove them from the list entirely.

If an attribute relies on data from another attribute to set its value, the attribute used to calculate the second value must be listed first.

  1. Go to Admin > Connections > Multi-Host Sources.

  2. Select Edit to view configuration details about the multi-host group.

  3. From the left navigation, select Account Management > Create Account.

  4. In the list of attributes, use the up or down arrows next to the attributes to reorder them. You can also drag and drop attributes to reorder.

    Use the Delete icon to remove the attribute from the list.

    Figure: The attributes list in the Create Account page.

  5. Select Save.
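The mapping rules under Editing the Account Creation Configuration and the ordering rule above can be checked before a configuration is saved. The following is an added example, not SailPoint code: the list-of-dictionaries layout, the rule names, and the sample attributes are assumptions made for illustration and do not reflect any SailPoint export format.

```python
import re

GEN_VAR = re.compile(r"\$\((\w+)\)")               # $(technicalName) in a generator pattern
VEL_VAR = re.compile(r"\$!?\{?([A-Za-z_]\w*)\}?")  # $name, ${name}, $!name in a Velocity template

def lint_create_account(mappings, identity_attrs):
    """Check an ordered Create Account list; return (attribute, rule, variable) findings."""
    findings, listed_above = [], set()
    all_names = {m["name"] for m in mappings}
    for m in mappings:
        name, kind, value = m["name"], m["type"], m.get("value", "")
        if kind == "generator":
            # Generator patterns may use identity attributes and $(uniqueCounter) only.
            for var in GEN_VAR.findall(value):
                if var == "uniqueCounter" or var in identity_attrs:
                    continue
                rule = "generator-uses-account-attr" if var in all_names else "unknown-variable"
                findings.append((name, rule, var))
        elif kind == "static":
            # Static values may use only account attributes listed higher in the list.
            for var in VEL_VAR.findall(value):
                if var in listed_above:
                    continue
                if var in all_names:
                    rule = "referenced-attr-listed-lower"
                elif var in identity_attrs:
                    rule = "static-uses-identity-attr"
                else:
                    rule = "unknown-variable"
                findings.append((name, rule, var))
        elif kind == "identity" and value not in identity_attrs:
            findings.append((name, "unknown-variable", value))
        listed_above.add(name)  # "disable" entries are not treated specially here
    return findings

# Constructed sample data (hypothetical, not taken from a real tenant).
IDENTITY_ATTRS = {"firstname", "lastname", "email"}
SAMPLE = [
    {"name": "distinguishedName", "type": "generator",
     "value": "CN=$(firstname).$(lastname)$(uniqueCounter),OU=YOURCONTAINER, DC=YOURDOMAIN"},
    {"name": "displayName", "type": "static", "value": "$givenName $sn"},
    {"name": "givenName", "type": "identity", "value": "firstname"},
    {"name": "sn", "type": "identity", "value": "lastname"},
    {"name": "mail", "type": "static", "value": "$email"},
    {"name": "sAMAccountName", "type": "generator", "value": "$(sn)$(uniqueCounter)"},
]

if __name__ == "__main__":
    for finding in lint_create_account(SAMPLE, IDENTITY_ATTRS):
        print(finding)
```

On the sample, displayName is flagged because givenName and sn are listed below it, mail because a Static value references an identity attribute, and sAMAccountName because a generator pattern references another Create Account attribute.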
