Configuring Source Account Provisioning

When new access is granted on a source where a user does not already have an account, IdentityNow automatically includes account creation in the provisioning. This applies whether provisioning started from an access request or from automated role or lifecycle state assignment.

Each source can have its own configuration that specifies which attributes to include in account creation and how to set their values. IdentityNow pre-defines this for most source types, but you can edit the way the attributes are mapped.

Note

Refer to the IdentityNow list of supported sources for links to source-specific documentation, including information on the default account attributes.

For direct-connect sources, IdentityNow automatically creates the account from this configuration. If the source is not configured as a direct-connect source, IdentityNow creates and assigns a provisioning task to the source owner and includes the values for the source owner to use in manually creating the account.

Note

You can specify the attributes for other operations, such as account updates, through the provisioning policy APIs.

Updating the Account Creation Configuration

You can update the attribute mappings or attribute order in each source’s account creation configuration. You must use the provisioning policy APIs to add other account attributes.

Mapping Attributes

Mappings define how account attribute values are set in provisioning.

  1. Go to Admin > Connections > Sources and select the source you want to update.

  2. In the Accounts tab, select Create Account from the left panel.

  3. For each source attribute, select one of the following mapping types, and map the related attributes accordingly:

    • Identity Attribute — Use an identity attribute’s value to set the account attribute. For example, to use the identity’s work email address to set an account attribute value, select Identity Attribute and then choose Work Email from the Attribute list.

      Caution

      The built-in Manager identity attribute can be used to set an account attribute in the Create Account definition. However, it can't be used in attribute sync. If you need to sync users' manager names to their source accounts, define a custom identity attribute (for example, managerToSync) and configure its mapping to populate it with the user's manager name. Then use that attribute in both your Create Account definition and Attribute Sync configuration.

    • Generator — Generators compute a value for the account attribute, usually based on a pattern you specify. Select the name of a generator that will create the value for the source attribute during provisioning. For example, the Create Unique Account ID generator produces an account ID for each account based on the pattern you enter in the Pattern Used field.

      To add additional generators to this list, your implementation team can create Attribute Generator rules.

      Patterns can use text values and variables. You can use the following variables in the Pattern Used field of generators:

      • Any identity attribute. Use the format $(attributeTechnicalName).
      • A counter that generates a unique number. Use the format $(uniqueCounter).

    • Static — Enter a simple text value or build a value for the attribute using an Apache Velocity script template. For more information on the scripting option, refer to IdentityNow Transforms - Static.

    • Disable — Select this option to omit an attribute when creating a new account. Choose this when IdentityNow’s default definition includes attributes you do not use.

  4. Select Save when you've finished mapping the source attributes.

Reordering Attributes

IdentityNow computes the account attributes in the order they are listed. If one attribute relies on data from another attribute to generate its value, the attribute it relies on must be listed first.

Example

If an account’s email attribute is defined based on its display name, the displayName attribute must come before email in the list so that the displayName is generated by the time it is needed for the email address generation.

To reorder attributes:

  1. Go to Admin > Connections > Sources and select the source you want to update.

  2. In the Accounts tab, select Create Account from the left panel.

  3. Use the up or down arrows next to the attributes to reorder them.

  4. Select Save.
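
A review check for the pattern variables and the ordering rule described above, added here as an example and not SailPoint's code. The field dictionaries, the `uses` key, and the sample attribute names are a constructed model for illustration, not the IdentityNow provisioning policy schema.

```python
import re

TOKEN = re.compile(r"\$\(([^)]+)\)")  # $(name) variables used in generator patterns

def lint_create_account(fields, identity_attrs):
    """Check an ordered Create Account definition; return a list of findings."""
    findings = []
    position = {f["name"]: i for i, f in enumerate(fields)}
    disabled = {f["name"] for f in fields if f["mapping"] == "disable"}
    for i, f in enumerate(fields):
        name, mapping = f["name"], f["mapping"]
        if mapping == "disable":
            continue  # omitted from account creation, nothing to compute
        if mapping == "identityAttribute" and f["value"] not in identity_attrs:
            findings.append(f"{name}: unknown identity attribute '{f['value']}'")
        if mapping == "generator":
            # Every variable must be an identity attribute or the counter.
            for var in TOKEN.findall(f["value"]):
                if var != "uniqueCounter" and var not in identity_attrs:
                    findings.append(f"{name}: pattern variable $({var}) is not an identity attribute")
        # "uses" (hypothetical key) lists account attributes this value relies on.
        for dep in f.get("uses", []):
            if dep not in position:
                findings.append(f"{name}: relies on '{dep}', which is not in the definition")
            elif dep in disabled:
                findings.append(f"{name}: relies on '{dep}', which is disabled")
            elif position[dep] >= i:
                findings.append(f"{name}: relies on '{dep}', which is not listed before it")
    return findings

# Constructed sample data, not taken from a real tenant or connector.
IDENTITY_ATTRS = {"firstname", "lastname", "workEmail"}
SAMPLE = [
    {"name": "accountId", "mapping": "generator",
     "value": "$(firstname).$(lastname)$(uniqueCounter)"},
    {"name": "email", "mapping": "static", "value": "", "uses": ["displayName"]},
    {"name": "displayName", "mapping": "generator", "value": "$(firstname) $(nickname)"},
    {"name": "pager", "mapping": "disable", "value": ""},
]

if __name__ == "__main__":
    for finding in lint_create_account(SAMPLE, IDENTITY_ATTRS):
        print(finding)
```

On the sample, the check reports that email is computed before displayName and that $(nickname) does not name an identity attribute; moving displayName above email clears the first finding.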

Best Practices for Account Attribute Definitions

Refer to the following IdentityNow best practice documents for guidance on these common account-creation requirements.

If you need additional help with these configurations, contact SailPoint Services.