Configuring Source Provisioning Policies
Provisioning policies calculate the values of source attributes during provisioning. IdentityNow includes default, pre-configured provisioning policies for supported sources. When a new account is provisioned on a source, IdentityNow uses the provisioning policy to determine the values for source attributes.
You can edit the way attributes are mapped in a provisioning policy on the Create Profile page for a source. For example, you can map the displayName attribute on the source to the Display Name identity attribute in IdentityNow.
See the IdentityNow list of supported sources for links to source-specific documentation, including detailed information on default source attributes. If you need attributes not in the provisioning policy, contact SailPoint Services for additional guidance.
- Foundation data is in place.
- Accounts have been aggregated from a supported source.
- You have IdentityNow org-level admin permissions.
- You have read the following IdentityNow best practice documents:
Updating a Source's Provisioning Policy
Each IdentityNow source is configured with a set of default attributes in its Create Profile page. Your company's implementation team has likely worked with SailPoint Services to customize the contents of the provisioning policy on this page. You can update provisioning policy attribute mappings and order on the Create Profile page.
The Create Profile page provides an interface for mapping specific attributes to a source.
To edit attribute mappings in an existing provisioning policy:
In the Admin interface, go to Connections > Sources and select the source to update.
For each source attribute listed in the Create Profile panel, select one of the following mapping types and map the related attributes accordingly:
Identity Attribute - Select an existing identity attribute to map to the new source account. For example, if you want to map a work email address already defined for an identity to the new source account, you select the Identity Attribute radio button, and from the Attribute drop-down menu, select the Work Email attribute.
Generator - Select the name of a generator to compile the value for an identity attribute that can be used for provisioning an account on a source. For example, you may have an attribute that requires a unique user name. In this example, you select the Generator radio button and select the Create Unique Account ID generator. You might also need to edit the Pattern Used field to ensure that the components of the account ID accurately reflect the needs of the source account.
To add additional generators to this list, contact SailPoint Services.
Static - Enter either a static text value or an Apache Velocity script template. See IdentityNow Transforms - Static for more information. For example, you might have an attribute that requires your company name. In this example, change the Company attribute's mapping type from Disabled to Static and set the static value to Acme Corp.
Disable - Select this option to prevent IdentityNow from adding this attribute as part of the new account.
Click Save when you've finished mapping your source attributes.
The Create Profile panel lists account attributes in the order IdentityNow creates them on the source. If one attribute uses data from another attribute while generating a value, the order of those attributes might need to be modified in your Create Profile.
For example, your organization might calculate a user’s email based on their display name. When provisioning a new account on a source, you can place the email attribute lower in the list than displayName, so that the displayName is generated by the time it’s needed.
To change the order attributes are provisioned in the provisioning plan:
Choose the attribute to move.
Click Save to reorder the attributes and save your updates.
To include the display name in the provisioned email address:
Choose Static Value for the email attribute and use a static transformto include the display name.
Click Save to to apply your updates.