Configuring Source Account Provisioning

When new access is granted on a source where a user does not already have an account, IdentityNow automatically includes account creation in the provisioning. This applies whether provisioning started from an access request or from automated role or lifecycle state assignment.

Each source can have its own configuration that specifies which attributes to include in account creation and how to set their values. For direct connect sources, IdentityNow automatically creates the account from this configuration. For flat file sources, IdentityNow creates and assigns a provisioning task to the source owner and includes the values for the source owner to use in manually creating the account.

Note

Accounts that have been created by IdentityNow have the account attribute manuallyCorrelated=true. If you need to uncorrelate the account, you must remove the account or change the flag. Unoptimized aggregation does not remove correlation.

Editing the Account Creation Configuration

IdentityNow predefines the account creation attributes for most source types, but you can edit the way they are mapped. Refer to the IdentityNow connector documentation for source-specific details and information on default account attributes.

  1. Go to Admin > Connections > Sources and select the source you want to update.

  2. In the Accounts tab, select Create Account from the left panel.

  3. For each source attribute, select a mapping type and set the related attributes:

    • Identity Attribute - Use an identity attribute’s value to set the account attribute. For example, to use the identity’s work email address to set an account attribute value, select Identity Attribute and then choose Work Email from the Attribute list.

      Important

      The built-in Manager identity attribute can be used to set an account attribute in the Create Account definition. However, it cannot be used in attribute sync. If you need to sync users' manager names to their source accounts, define a custom identity attribute (for example, managerToSync) and configure its mapping to populate it with the user's manager name. Then use that attribute in both your Create Account definition and Attribute Sync configuration.

    • Generator - Generators compute a value for the account attribute, usually based on a pattern you specify. Select the name of a generator that will create the value for the source attribute during provisioning. For example, the Create Unique Account ID generator produces an account ID for each account based on the pattern you enter in the Pattern Used field.

      Patterns can use text values and variables. For variables:

      • Reference identity attributes with $(attributeTechnicalName).
      • Include a counter that generates a unique number with $(uniqueCounter).

      Generator patterns cannot reference other Create Account attributes.

      Note

      While you can select new attributes for any of these fields, SailPoint recommends using the default values in the Generator fields for the generated attributes. To add generators to the list, your implementation team can create Attribute Generator rules.

    • Static - Enter a simple text value or build a value for the attribute using an Apache Velocity script template. Static values use the same Velocity syntax as IdentityNow Static Transforms. These scripts can reference other account attributes defined higher in the Create Account list with $attributeName.

      Static values cannot reference identity attributes.

    • Disable - Select this option to omit the attribute when creating a new account. Choose this when IdentityNow’s default definition includes attributes you do not use.

  4. Select Save when you've finished mapping the source attributes.

API Configurations

  • To change the set of account attributes listed in the definition, you must use the update provisioning policy API.
  • You can also use the create provisioning policy API to specify attributes for other operations, such as account updates.
  • Use the API to create or modify these definitions when you need to set attribute values through transforms for more complex calculation logic.

Reordering Attributes

IdentityNow computes the account attributes in the order they are listed. If an attribute relies on data from another attribute to set its value, the primary attribute must be listed first.

Example

If an account’s email attribute is defined based on its name, the name attribute must come before email in the list to make the name available for building the email address.

To reorder attributes:

  1. Go to Admin > Connections > Sources and select the source you want to update.

  2. In the Accounts tab, select Create Account from the left panel.

  3. Use the up or down arrows next to the attributes to reorder them.

  4. Select Save.
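The ordering rule can be checked before saving a definition. The following Python is an added example, not SailPoint code and not the provisioning policy API schema: it flags Static values that reference an attribute not listed higher (or not in the list at all, such as an identity attribute) and proposes an order that satisfies the rule. The dictionary layout, the type labels and the sample attribute names are assumptions made for illustration.

```python
import re

# Velocity references in Static values: $name, ${name}, $!name, $!{name} (simplified:
# letters, digits, underscores). Generator variables such as $(uniqueCounter) do not match.
VELOCITY_REF = re.compile(r"\$!?\{?([A-Za-z_][A-Za-z0-9_]*)")

def static_refs(field):
    """Names a Static value references; other mapping types reference none."""
    if field["type"] != "static":
        return []
    return VELOCITY_REF.findall(field.get("value", ""))

def check_order(fields):
    """Return (attribute, reference, problem) for each Static reference with no value yet."""
    position = {f["name"]: i for i, f in enumerate(fields)}
    findings = []
    for i, field in enumerate(fields):
        for ref in static_refs(field):
            if ref not in position:
                findings.append((field["name"], ref, "not in the Create Account list"))
            elif position[ref] >= i:
                findings.append((field["name"], ref, "not listed higher"))
    return findings

def suggest_order(fields):
    """Return names reordered so referenced attributes come first; raise on a cycle."""
    by_name = {f["name"]: f for f in fields}
    ordered, visiting = [], set()
    def place(name):
        if name in ordered:
            return
        if name in visiting:
            raise ValueError(f"circular reference involving {name}")
        visiting.add(name)
        for ref in static_refs(by_name[name]):
            if ref in by_name:
                place(ref)
        visiting.discard(name)
        ordered.append(name)
    for f in fields:
        place(f["name"])
    return ordered

# Constructed sample definition (not a real source's configuration).
SAMPLE = [
    {"name": "mail", "type": "static", "value": "${sAMAccountName}@example.com"},
    {"name": "sAMAccountName", "type": "generator",
     "value": "$(firstname).$(lastname)$(uniqueCounter)"},
    {"name": "displayName", "type": "static", "value": "$sAMAccountName - $department"},
]
```

On the constructed sample, check_order reports that mail depends on sAMAccountName, which is listed below it, and that displayName references department, which is not a Create Account attribute.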

Best Practices for Account Attribute Definitions

Refer to the following IdentityNow best practice documents for guidance on these common account-creation requirements.

If you need additional help with these configurations, contact SailPoint Services.