Identity IQ 6.3p1 and later
How can the nativeIdentity for a new account be set when using a role? The provisioning policy cannot do this.
The nativeIdentity attribute cannot be set using the role's provisioning policy. For example, for an Active Directory application, the distinguishedName attribute cannot be set by the role's provisioning policy since the distinguishedName is the nativeIdentity attribute. ETN 21488 addresses this issue and the ETN's change has been added to 6.3p1. As of 6.3p1, the "Account Selector" rule of the respective role can be used to set the nativeIdentity value. When a new Link object is returned from the Account Selector rule, that Link object's nativeIdentity will be used to set the value accordingly. Here is an example Account Selector rule:
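import sailpoint.object.Link;
// "identity" is supplied to the Account Selector rule by IdentityIQ.
Link myNewLink = new Link();
// The nativeIdentity of the returned Link is used for the new account.
myNewLink.setNativeIdentity("CN=someprefix" + identity.getName() + ",OU=some_ou,DC=company,DC=com");
return myNewLink;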
Very helpful, thanks Chris!
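The rule above concatenates the identity name directly into the distinguishedName, so a name containing a comma, plus sign or equals sign changes the structure of the resulting DN. The following is an added example, not part of the original article or of SailPoint's code: a plain-Java helper (the class name NativeIdentityDn and method buildNativeIdentity are hypothetical) that escapes the name with the JDK's javax.naming.ldap classes and verifies the result still sits directly under the intended container. Whether the connector applies its own escaping is not stated on this page.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class NativeIdentityDn {
    // Prefix and container path copied from the rule above.
    static final String PREFIX = "someprefix";
    static final String BASE = "OU=some_ou,DC=company,DC=com";

    /** Builds the DN with the name escaped per RFC 2253 so it stays a single RDN value. */
    static String buildNativeIdentity(String identityName) throws InvalidNameException {
        if (identityName == null || identityName.trim().isEmpty()) {
            throw new IllegalArgumentException("identity name is empty");
        }
        String dn = "CN=" + Rdn.escapeValue(PREFIX + identityName) + "," + BASE;
        // Parse the result back and confirm the name did not add or move RDNs.
        LdapName parsed = new LdapName(dn);
        LdapName base = new LdapName(BASE);
        if (parsed.size() != base.size() + 1 || !parsed.startsWith(base)) {
            throw new InvalidNameException("unexpected DN structure: " + dn);
        }
        return dn;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names, not taken from a real directory.
        String[] samples = { "jdoe", "Smith, John", "x,OU=Domain Controllers", "a+b=c" };
        for (String name : samples) {
            System.out.println(name + " -> " + buildNativeIdentity(name));
        }
    }
}
```

Inside the Account Selector rule the same logic would be applied as myNewLink.setNativeIdentity(buildNativeIdentity(identity.getName())), with the helper body placed in the rule or in a rule library.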