There are 4 options for AD provisioning:
- Request an entitlement in either application,
- Request a role containing entitlements in the target application(s),
- Request an account in the application(s),
- Set up roles to be automatically assigned, then run a refresh with the options to refresh entitlements, refresh detected and assigned roles, and provision assignments.
Items 1-3 are manual. For item 4 [Automatic] you have to think of SailPoint from an RBAC perspective: a user gets an account created in AD because the user has been assigned a role that requires an AD resource. So we will create a role and assign it to all users based on a condition.
- Make sure IQService is installed
- Configure the AD application to aggregate users and groups from AD
- Sync in the Domain Users group from AD
- Create an IT Role and add Domain Users as an entitlement
- Create a Business Role and add the IT Role as a required role. For the Assignment Rule of the role, assign it if a last name is present (return identity.getLastname() != null;)
- Go to the AD application, Configuration, Provisioning Policies. Create a Create policy for AD; there is a default policy that comes with it, amend it to fit your needs. Make sure sAMAccountName, DN, lastname, displayName and objectType are there. Go through all the fields and uncheck Required Review.
- Create a Refresh Identity Cube task. Make sure the following are checked:
  - Refresh assigned Roles
  - Provision assignments
- Run the task
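As an added illustration (not code from the original post), here is what the Business Role's assignment rule from the steps above can look like when written out as a Beanshell rule of the kind IdentityIQ runs. It assumes the rule is expected to return a Boolean, that the `identity` variable is supplied by IdentityIQ, and adds one extra check the post does not mention: identities flagged inactive are excluded so that a disabled person does not get an AD account provisioned just because they have a last name.

```java
// Added example: Beanshell assignment rule for the Business Role that requires
// the IT Role (Domain Users). Assumptions: IdentityIQ passes the `identity`
// object into the rule and expects a Boolean result.
import sailpoint.object.Identity;

// Treat null or whitespace-only values as "not present".
boolean hasValue(String s) {
    return s != null && s.trim().length() > 0;
}

// No identity in context: never assign.
if (identity == null) {
    return Boolean.FALSE;
}

// Assumption added here: an identity marked inactive should not be handed an
// AD account even if its last name is populated (least privilege).
if (identity.isInactive()) {
    return Boolean.FALSE;
}

// Condition from the post: assign the role when a last name is present.
// Returning FALSE means the Business Role, and with it the required IT Role
// and the Domain Users entitlement, is not assigned on the next refresh.
return Boolean.valueOf(hasValue(identity.getLastname()));
```

When the refresh task runs with "Refresh assigned Roles" and "Provision assignments" checked, every identity for which this rule returns TRUE gets the Business Role, which pulls in the IT Role and triggers the AD Create policy; identities that later lose their last name or become inactive lose the assignment on the following refresh, which is what makes the role-based approach self-correcting.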