Default Provisioning Attributes Reference (2025)

This page details the default provisioning attributes for your connector.

Account Creation

Note

  • For an account that has been moved or renamed in Active Directory since the last aggregation, aggregate the change before performing any provisioning operation on the account; otherwise the request targets a DN that no longer exists.

  • When serverless binding is used, the Active Directory source no longer connects to Read-Only Domain Controllers (RODCs) for provisioning operations.

The following generators and mappings supply the information required to create a new Active Directory account. You may need to edit their contents. Each entry below lists the account attribute, its mapping type in parentheses, and a description. Attributes whose mapping type is Disabled are present in the Create profile but are not populated until you enable and map them.

ObjectType (Static)
  The type of account to be created. The default is User.
  • For users, the object type must be User.
  • For contacts, the object type must be Contact.
  • For group managed service accounts, the object type must be msDS-GroupManagedServiceAccount.
  • For managed service accounts, the object type must be msDS-ManagedServiceAccount.

distinguishedName (Generator)
  The default Generator is Create Unique Account ID. This generator uses the value in the Pattern Used field to generate a unique DN for the new account.
  Note: You must change the OU in the Pattern Used field of the distinguishedName attribute so that new accounts are created in the correct container for your directory.

sAMAccountName (Generator)
  The default Generator is Create Unique LDAP Attribute. This generator uses the value in the Pattern Used field to generate the sAMAccountName for the Active Directory account.

displayName (Identity Attribute)
  Display name of the new account. The default Attribute is Display Name (displayName).

manager (Generator)
  Manager for the new account. The default Generator is Get Manager LDAP DN.

mail (Identity Attribute)
  Email address of the new account. The default Attribute is Work Email (email).

password (Generator)
  The default Generator is Create Password. This generator creates an initial password for the new account that satisfies the password policy assigned to the associated Active Directory source in Identity Security Cloud.

givenName (Identity Attribute)
  First name associated with the account. The default Attribute is First Name (firstname).

sn (Identity Attribute)
  Last name associated with the account. The default Attribute is Last Name (lastname).

pwdLastSet (Static)
  This attribute can only be set to true or false. The default Static Value is false.
  • When set to true, pwdLastSet is written as 0, which selects the User must change password at next logon checkbox on the user object in Active Directory Users and Computers (ADUC).
  • When set to false, pwdLastSet is written as -1, which the domain controller stores as the current time, and the User must change password at next logon checkbox is cleared.
  If the generated initial password is communicated to the user, set this to true so that it is rotated at first logon.

Disabled (Static)
  This attribute can only be set to true or false. Set to true to create the user in a disabled state. The default Static Value is false.

primaryGroupDN (Static)
  Default (primary) group of the new account.

description (Static)
  Description of the new account.

telephoneNumber (Identity Attribute)
  Telephone number of the new account. The default Attribute is Alternate Phone Number (phone).

userPrincipalName (Disabled)
  The unique name of the entity within the domain, in the format name@domain.

title (Disabled)
  The title associated with the entity.

department (Disabled)
  User's department.

employeeID (Disabled)
  Numerically identifies an employee within an organization.

company (Disabled)
  Company name of an employee.

Special Provisioning Attributes for Move/Rename Request

AC_NewName
  A string attribute that renames the user. The value is the new RDN only, for example CN=abc.

AC_NewParent
  A string attribute that moves the user to a new OU. The value is the DN of the destination container, for example OU=xyz,DC=pqr,DC=com.

AC_NewName and AC_NewParent are special attributes that handle the move and rename operations. Send them in the Attributes map of the AccountRequest rather than as AttributeRequest elements.

For example, moving a user into a disabled-users OU as part of a Disable operation:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
  <AccountRequest application="AD App" nativeIdentity="CN=SampleUser,CN=Users,DC=Example,DC=Com" op="Disable">
    <Attributes>
      <Map>
        <entry key="AC_NewParent" value="OU=DisabledUsers,DC=Example,DC=Com"/>
      </Map>
    </Attributes>
  </AccountRequest>
</ProvisioningPlan>
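As an added example (not part of SailPoint's documentation or connector code), the following Python previews the DN that a move/rename request will produce and serializes a plan of the shape shown above. The function names split_dn, resulting_dn and build_move_rename_plan are this example's own; the validation rules it applies (AC_NewName is a single RDN, AC_NewParent is a container DN) follow the descriptions in the table, and the sample DNs are constructed.

```python
"""Preview and build an Active Directory move/rename provisioning request.

Added example, not SailPoint connector code. It follows the AC_NewName /
AC_NewParent semantics described above: AC_NewName is the new RDN
(for example CN=abc) and AC_NewParent is the DN of the destination
container (for example OU=xyz,DC=pqr,DC=com). Function names are this
example's own.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attributeType=value


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas. A backslash escapes the next
    character (RFC 4514), so "CN=Smith\\, John,OU=Staff" is two RDNs."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def resulting_dn(native_identity: str, ac_new_name: Optional[str] = None,
                 ac_new_parent: Optional[str] = None) -> str:
    """Return the DN the account will have once the request is applied.

    Rejects the two easy mistakes: a full DN passed as AC_NewName, or a bare
    RDN (or non-container path) passed as AC_NewParent.
    """
    rdns = split_dn(native_identity)
    if len(rdns) < 2 or not all(_RDN.match(p) for p in rdns):
        raise ValueError(f"nativeIdentity is not a usable DN: {native_identity!r}")
    rdn, parent = rdns[0], rdns[1:]
    if ac_new_name is not None:
        if len(split_dn(ac_new_name)) != 1 or not _RDN.match(ac_new_name):
            raise ValueError("AC_NewName must be a single RDN such as CN=abc")
        rdn = ac_new_name
    if ac_new_parent is not None:
        parent = split_dn(ac_new_parent)
        if len(parent) < 2 or not all(_RDN.match(p) for p in parent):
            raise ValueError("AC_NewParent must be a container DN such as OU=xyz,DC=pqr,DC=com")
    return ",".join([rdn] + parent)


def build_move_rename_plan(application: str, native_identity: str,
                           ac_new_name: Optional[str] = None,
                           ac_new_parent: Optional[str] = None,
                           op: str = "Modify") -> str:
    """Serialize a ProvisioningPlan that carries AC_NewName/AC_NewParent in the
    AccountRequest Attributes map (not as AttributeRequest elements)."""
    resulting_dn(native_identity, ac_new_name, ac_new_parent)  # validate before building
    plan = ET.Element("ProvisioningPlan")
    req = ET.SubElement(plan, "AccountRequest", application=application,
                        nativeIdentity=native_identity, op=op)
    entries = ET.SubElement(ET.SubElement(req, "Attributes"), "Map")
    for key, value in (("AC_NewName", ac_new_name), ("AC_NewParent", ac_new_parent)):
        if value is not None:
            ET.SubElement(entries, "entry", key=key, value=value)
    return ET.tostring(plan, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample mirroring the plan above: move a user into a
    # disabled-users OU as part of a Disable operation.
    print(build_move_rename_plan("AD App", "CN=SampleUser,CN=Users,DC=Example,DC=Com",
                                 ac_new_parent="OU=DisabledUsers,DC=Example,DC=Com",
                                 op="Disable"))
```

The serializer emits only the ProvisioningPlan element; prepend the XML declaration and DOCTYPE from the example above if the consumer requires them. Validating the target DN before the plan is sent is what catches a mistyped OU name, which would otherwise surface only as a provisioning failure against the directory.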

Exchange Mailbox Attributes

Note the following when working with mailbox attributes:

  • If you send an email address in the mail attribute, Exchange may not use it when an Exchange e-mail address policy is configured to generate addresses differently. In that case the address you sent is not kept; the policy-generated address is written back to Active Directory after the mailbox is created.

  • For the Active Directory source, the mailNickname, homeMDB, and msExchHideFromAddressLists attribute names are matched case-insensitively when processed by the IQService.

  • If Exchange is not enabled for the source, the Active Directory source writes homeMDB and mailNickname as plain Active Directory attributes rather than through Exchange.

The following additional attributes are required to create a mailbox:

homeMDB (Disabled)
  The Exchange mailbox database (store) name required to create a mailbox. Supply the bare name, for example SomeExchangeDB, not the distinguished-name form CN=SomeExchangeDB.

mailNickname (Disabled)
  The Exchange alias, which you can use to update or disable the mailbox. For example: firstname.lastname

msExchHideFromAddressLists (Disabled)
  Set this attribute to hide the mailbox from the Exchange address lists.

externalEmailAddress (Disabled)
  The external email address, required for mail contact creation.

Updating Exchange Mailbox Attributes

The Active Directory connector can update any Exchange mailbox attribute supported by the Set-Mailbox cmdlet, using either of the following methods:

  1. Add the attribute to the provisioning policy with the Exch_ prefix. For example, to set the HiddenFromAddressListsEnabled Exchange attribute, add it to the provisioning policy as Exch_HiddenFromAddressListsEnabled.

  2. List the attribute in the source's exchangeAttributes setting, a comma-separated list of Exchange attribute names, using the Identity Security Cloud REST API (Update Source (Partial)). For example, to use HiddenFromAddressListsEnabled as a provisioning policy attribute, set exchangeAttributes to a value such as HiddenFromAddressListsEnabled.

    Note
    For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

Attributes for Skype for Business

The msRTCSIP-UserEnabled attribute must be updated as part of the Create Profile section.

By default, provisioning of the following attributes is supported:

SipAddress
  The SIP address of a given user.

SipDomain
  The SIP domain of a given user.

SipAddressType
  The SIP address type of a given user. Skype for Business Server generates a SIP address for the new user when SipAddressType is provided together with SipDomain.

Registrar Pool
  The Registrar pool of a given user.

msRTCSIP-UserEnabled
  Indicates whether the user is currently enabled for Microsoft Lync / Skype for Business Server.

Schema and Provisioning Attributes of Group Managed Service Accounts (gMSA) Object

The following gMSA attributes are available by default on new sources. For existing sources, add them manually to the provisioning policy.

dNSHostName (Disabled)
  The DNS host name of the service account. This attribute is mandatory for gMSA provisioning.

msDS-SupportedEncryptionTypes (Disabled)
  The Kerberos encryption types the service account supports. This is a multi-valued attribute.

msDS-ManagedPasswordInterval (Disabled)
  The number of days between automatic changes of the managed password.

msDS-GroupMSAMembership (Disabled)
  The principals that are allowed to retrieve the managed password of this Group Managed Service Account. This is a multi-valued attribute. Any principal listed here can obtain the account's credential, so treat changes to this attribute as privileged.

msDS-AllowedToActOnBehalfOfOtherIdentity (Disabled)
  The accounts that can act on behalf of this Group Managed Service Account; this is the attribute that configures resource-based constrained delegation. It is a multi-valued attribute. Treat changes to it as privileged for the same reason.

servicePrincipalName (Disabled)
  The service principal names for the service account. This is a multi-valued attribute.

Provisioning Attributes for Contacts

To control how Contact objects are displayed, add the displayAttributeForContacts parameter to the source configuration. CN is the default display attribute for Contact objects. Set the display attribute through the connector_displayAttributeForContact configuration attribute.

For example, to use firstName, set the value of connector_displayAttributeForContact to firstName with the Identity Security Cloud REST API.

Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
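The exchangeAttributes setting in the Exchange section and connector_displayAttributeForContact above are both changed through the same partial source update. As an added example (not SailPoint code), this Python builds the JSON Patch body for that call. It assumes that the Update Source (Partial) endpoint is PATCH /v3/sources/{id} taking an application/json-patch+json body, that the API base URL in the trailing comment is correct for a tenant, and that these connector settings live under /connectorAttributes of the Source object; the function names and the sample current configuration are this example's own.

```python
"""Build the JSON Patch body for a partial Active Directory source update.

Added example, not SailPoint code. Assumptions: the Update Source (Partial)
API is PATCH /v3/sources/{id} with an application/json-patch+json body, and
the connector settings discussed on this page (exchangeAttributes,
connector_displayAttributeForContact, rollbackCreatedAccountOnError,
timeZone) live under /connectorAttributes of the Source object. Function
names and the sample current configuration are this example's own.
"""
import json
from typing import Dict, Iterable, List, Union

# Settings whose value is a comma-separated list. These are merged into the
# current value so that an update never silently drops names already there.
CSV_SETTINGS = {"exchangeAttributes"}


def merge_csv(existing: str, additions: Iterable[str]) -> str:
    """Append names to a comma-separated list, deduplicated case-insensitively,
    keeping the existing order and spelling."""
    items = [s.strip() for s in existing.split(",") if s.strip()]
    seen = {s.lower() for s in items}
    for name in additions:
        name = name.strip()
        if name and name.lower() not in seen:
            items.append(name)
            seen.add(name.lower())
    return ",".join(items)


def build_source_patch(current: Dict[str, object],
                       updates: Dict[str, Union[str, bool, Iterable[str]]]) -> List[dict]:
    """Return the JSON Patch operations that apply `updates` to the source's
    connectorAttributes. `current` is the connectorAttributes map read first
    (GET /v3/sources/{id}); it is used only to merge list-valued settings.
    RFC 6902 "add" on an existing member replaces it, so one op shape suffices."""
    ops = []
    for key, value in updates.items():
        if key in CSV_SETTINGS and not isinstance(value, str):
            value = merge_csv(str(current.get(key, "")), value)
        ops.append({"op": "add", "path": f"/connectorAttributes/{key}", "value": value})
    return ops


if __name__ == "__main__":
    # Constructed sample of what a source currently carries.
    current = {"exchangeAttributes": "HiddenFromAddressListsEnabled", "timeZone": "epoch"}
    patch = build_source_patch(current, {
        "exchangeAttributes": ["hiddenfromaddresslistsenabled", "CustomAttribute1"],
        "connector_displayAttributeForContact": "firstName",
        "rollbackCreatedAccountOnError": True,
        "timeZone": "Asia/Kolkata",
    })
    print(json.dumps(patch, indent=2))
    # Send as: PATCH https://<tenant>.api.identitynow.com/v3/sources/<id>
    #   Content-Type: application/json-patch+json
    #   Authorization: Bearer <token>
    # Keep the token in a secret store or environment variable, never in the
    # script or in source control.
```

Reading the source first and merging exchangeAttributes, instead of overwriting it, is the check a practitioner wants here: a blind replace removes every Exchange attribute someone else has already enabled, and the breakage only appears at the next provisioning run.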

Provisioning Attribute for Resource Forest Topology Exchange Management

The following String-type attribute, required for creating a Linked Mailbox, is available by default on new sources. For existing sources, add it manually in the Create Profile section.

shadowAccountDN (Disabled)
  Distinguished Name of the Linked Mailbox shadow account to be created. It is required for creating a new Linked Mailbox.

Individual Attribute Notes

accountExpires Attribute

For the Active Directory source, define the accountExpires attribute as a string. Its value can be given in the Microsoft timestamp format: the number of 100-nanosecond intervals since January 1, 1601 (UTC).

The value can also be entered in a human-readable format, MM/DD/YYYY HH:MM:SS AM TimeZone, for example 05/11/2019 12:00:00 AM IST. A value of 0, never, or 9223372036854775807 means that the account never expires.

The value of the accountExpires attribute is displayed in the MM/DD/YYYY hh:mm:ss aa Z format. For example, an expiry that was previously displayed as 5/14/2019 12:0:0 AM IST is now displayed as 05/14/2019 12:00:00 AM IST.

'Never' as a Value of accountExpires Attribute

The Active Directory source accepts never as a provisioning value for the accountExpires attribute when the timeZone attribute is present in the source configuration.

Note
SailPoint recommends defining the accountExpires attribute as a string. If it is defined otherwise, the Active Directory source still accepts an integer value for accountExpires in account provisioning.

timeZone Attribute

The Active Directory source supports the timeZone attribute.

The timeZone attribute sets the time zone used when provisioning the accountExpires attribute and when displaying it, overriding the default.

The timeZone attribute accepts a string value. Valid values are:

  • epoch - provision and display the accountExpires attribute in the raw Active Directory timestamp form (100-nanosecond intervals since January 1, 1601 UTC).

  • Continent/City - a time zone identifier in the form Java supports, for example Asia/Kolkata to provision accounts and display accountExpires in Indian Standard Time.
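As an added example (not SailPoint code), the following Python converts accountExpires both ways between the 100-nanosecond timestamp and the human-readable form described above, honouring the timeZone values the page lists. The formats and the special values 0, never and 9223372036854775807 come from the page; the function names to_filetime and from_filetime, and the sample expiry, are this example's own. It requires Python 3.9 or later for the zoneinfo module.

```python
"""Convert accountExpires between the Windows FILETIME form (100-ns intervals
since 1601-01-01 UTC) and the human-readable form this page describes
(MM/DD/YYYY hh:mm:ss AM/PM Zone), honouring the source's timeZone setting.

Added example, not SailPoint code. The formats, the special values 0 /
never / 9223372036854775807 and the timeZone values "epoch" and
Continent/City are taken from the page; function names are this example's own.
"""
from datetime import datetime, timedelta, timezone
from typing import Union
from zoneinfo import ZoneInfo

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 9223372036854775807           # int64 max: the account never expires
DISPLAY_FMT = "%m/%d/%Y %I:%M:%S %p"  # 05/11/2019 12:00:00 AM


def to_filetime(value: Union[str, int], time_zone: str) -> int:
    """Return the integer to write to AD (send it as a string, as recommended above).

    Accepts an integer or numeric string (passed through unchanged), the word
    "never", or the human-readable form, which is interpreted in `time_zone`.
    A trailing zone abbreviation is optional but, if present, must match.
    """
    text = str(value).strip()
    if text.lower() == "never":
        return NEVER
    if text.isdigit():
        return int(text)
    if time_zone == "epoch":
        raise ValueError("timeZone=epoch expects a numeric accountExpires value")
    tz = ZoneInfo(time_zone)
    try:
        naive, abbrev = datetime.strptime(text, DISPLAY_FMT), ""
    except ValueError:
        stamp, _, abbrev = text.rpartition(" ")
        naive = datetime.strptime(stamp, DISPLAY_FMT)
    local = naive.replace(tzinfo=tz)
    if abbrev and abbrev != local.tzname():
        raise ValueError(f"zone {abbrev!r} does not match timeZone {time_zone!r}")
    delta = local.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(filetime: int, time_zone: str) -> str:
    """Render a stored accountExpires value the way the page says it is displayed."""
    if time_zone == "epoch":
        return str(filetime)
    if filetime in (0, NEVER):
        return "never"
    utc = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    local = utc.astimezone(ZoneInfo(time_zone))
    return f"{local.strftime(DISPLAY_FMT)} {local.tzname()}"


if __name__ == "__main__":
    # Constructed sample: the page's own example expiry in Indian Standard Time.
    ft = to_filetime("05/11/2019 12:00:00 AM IST", "Asia/Kolkata")
    print(ft, from_filetime(ft, "Asia/Kolkata"), from_filetime(ft, "epoch"))
```

The zone check matters operationally: a human-readable value carrying IST sent to a source configured for another zone would otherwise be silently shifted by hours, so the function refuses it instead of guessing.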

Rollback of Created Account

The Active Directory source can roll back a newly created account if provisioning of one or more requested attributes fails during the create operation. To enable this, set the rollbackCreatedAccountOnError attribute to true in the source configuration. Without rollback, a failed create can leave a partially configured account in the directory that has to be found and cleaned up separately.


© SailPoint Technologies, Inc. All Rights Reserved.
