Hi all. I'm currently working on creating user accounts in IDM and having them also created out in AD. I've created a Policy Xpress policy that will set a user's provisioning role based on their AD domain attribute. Using the out-of-the-box create user admin task, I've verified that the policy is triggered; however, the provisioning role never gets assigned. There are no failures, the matching rules are correct, and the overall task completes successfully. I can assign the role manually with no issue, but my policy cannot do the same. Any help would be appreciated, thanks!
When you manually added the Provisioning role, did you do this via the Provisioning manager or the IME?
When you say based on the AD Domain Attribute, is this being seen in your PX? Have your POLICY email you the same attributes that it is using to choose a provisioning role so you can verify what is being seen.
Manually via the "provisioning roles" tab located under "Modify User".
I had the policy change the phone number of the user when the matched condition occurs as a debug statement. So I know that it's recognizing the attribute and kicking off the "add provisioning role" event.
With the aid of support we were able to find the issue. Mismatching attributes in the CIS were the culprit. Provisioning manager will automatically fail a transaction if there are mismatched/misnamed custom attributes, regardless of whether they are actually in use. Fixing these resolved our issue.