IBM Verify

  • 1.  override modifying of an attribute

    Posted 4 days ago

    We have built a reconciliation script which reconciles data from our HR EDL system into ISIM and Active Directory.
    I want to add a piece of functionality. There is an attribute we have called company on AD. This attribute exists for some users and not for others, but all users have it on the HR EDL system.
    I want to add this attribute to those users who do not have it on AD, with the value from EDL (along with any other data changes they have), but at the same time skip updating this attribute for all those users who already have it on AD (while still reconciling all their other changes).


    Need help to figure out this scenario.



    ------------------------------
    Sriram Kandukuri
    ------------------------------


  • 2.  RE: override modifying of an attribute

    Posted 4 days ago

    The basic idea of ISIM/ISVG/IVIG is that there is a separation of Identities (Persons) and Accounts. The relationship is governed by ownership, and the account attribute values are governed by Provisioning Policies through Organizational Roles.

    In your case you will have to first ensure that all users that have a Person Company attribute are members of a role - normally in this case all users coming from your HR EDL, i.e. members of the Person class you have for that - but you can also use a Dynamic Role with a filter like "(&(erpersonstatus=0)(company=*))", assuming you only want to have this mapping enforced for active users and the attribute for company is called company.

    The Provisioning Policy should have the Role for your scope as the role. Then you create an entitlement for the AD Service (it should be manual unless you want to create the accounts as a result of the policy) and then you add a mapping for the AD Company attribute coming from the Person Company attribute - this can be done using JavaScript, and the Person attributes are referenced using the "subject.getPropertyAsString(<attribute>)" function. The mapping should be a mandatory mapping.

    If your service is set to "mark" as policy enforcement, all accounts not following the policy will be marked "non-compliant". You should start here to get an understanding of how this works. When you are sure all policies are correct and the account changes needed are in line with your expectations, you can set the service to "correct non-compliance" and the policies will be enforced automatically, i.e. when reconciled or when person changes happen.

    But be careful - provisioning policies are very powerful - but if you do not understand how they work you can really hurt yourself - ISIM can easily delete a couple of thousand accounts in minutes if you make them disallowed - so my recommendation is to keep the service in "mark" until you know how this works (and please read the formal documentation and eventually get help from e.g. IBM Expert Labs to get this done right).

    HTH 



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Architect - Certified Consulting IT Specialist
    IBM Expert Labs
    ------------------------------
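The following is an added example, not code from the thread, from IBM, or from the ISIM product. It simulates in plain JavaScript the three pieces the reply above describes: the dynamic-role LDAP filter "(&(erpersonstatus=0)(company=*))", a provisioning-policy parameter mapping written against a subject object that exposes getPropertyAsString() the way the ISIM Person object does, and the difference between "mark" and "correct non-compliance" enforcement on the resulting AD accounts. The filter evaluator, the makeSubject stand-in, the enforce() function and all person and account records are constructed for the example; only subject.getPropertyAsString() is an API the reply itself names.

```javascript
// Added example (not from the IBM Community thread or ISIM itself): a small
// simulation of dynamic-role membership, a provisioning-policy mapping and
// "mark" vs "correct" compliance enforcement. All data below is constructed.

// Minimal evaluator for the filter subset used in the thread (RFC 4515
// syntax): equality (attr=value), presence (attr=*), AND, OR and NOT.
function parseFilter(str) {
  let pos = 0;
  function node() {
    if (str[pos] !== '(') throw new Error('expected ( at ' + pos);
    pos++;
    let result;
    if (str[pos] === '&' || str[pos] === '|') {
      const op = str[pos++];
      const children = [];
      while (str[pos] === '(') children.push(node());
      result = { op, children };
    } else if (str[pos] === '!') {
      pos++;
      result = { op: '!', children: [node()] };
    } else {
      const eq = str.indexOf('=', pos);
      const close = str.indexOf(')', eq);
      result = { attr: str.slice(pos, eq).toLowerCase(), value: str.slice(eq + 1, close) };
      pos = close;
    }
    if (str[pos] !== ')') throw new Error('expected ) at ' + pos);
    pos++;
    return result;
  }
  const tree = node();
  if (pos !== str.length) throw new Error('trailing input in filter');
  return tree;
}

// Evaluate a parsed filter against a flat attribute map (keys lower-case).
function matches(tree, entry) {
  if (tree.op === '&') return tree.children.every(c => matches(c, entry));
  if (tree.op === '|') return tree.children.some(c => matches(c, entry));
  if (tree.op === '!') return !matches(tree.children[0], entry);
  const v = entry[tree.attr];
  if (tree.value === '*') return v !== undefined && v !== '';   // presence
  return v !== undefined && String(v).toLowerCase() === tree.value.toLowerCase();
}

// Constructed stand-in for the Person object ISIM passes to policy scripts
// as "subject"; only getPropertyAsString() is modelled.
function makeSubject(attrs) {
  return {
    getPropertyAsString: name => (attrs[name.toLowerCase()] !== undefined ? attrs[name.toLowerCase()] : '')
  };
}

// The policy parameter script for the AD "company" attribute: the same
// expression the reply refers to, wrapped in a function so it can be called here.
function mapCompany(subject) {
  return subject.getPropertyAsString('company');
}

// Compliance check of one AD account against the mandatory policy value.
// 'mark' only flags the account; 'correct' also returns the value to write.
function enforce(mode, account, policyValue) {
  const current = account.company !== undefined ? account.company : '';
  if (current === policyValue) return { status: 'compliant', change: null };
  return { status: 'non-compliant', change: mode === 'correct' ? { company: policyValue } : null };
}

const ROLE_FILTER = '(&(erpersonstatus=0)(company=*))';

// Constructed HR-fed persons (erpersonstatus 0 = active in ISIM).
const persons = [
  { uid: 'alice', erpersonstatus: '0', company: 'Acme Ltd' },
  { uid: 'bob',   erpersonstatus: '0', company: 'Globex' },
  { uid: 'carol', erpersonstatus: '1', company: 'Acme Ltd' },   // inactive: outside the role
  { uid: 'dave',  erpersonstatus: '0' },                        // no company in HR: outside the role
  { uid: 'erin',  erpersonstatus: '0', company: 'Acme Ltd' },
];

// Constructed AD accounts keyed by owner.
const accounts = {
  alice: { company: 'Acme Ltd' },   // already matches
  bob:   {},                        // attribute missing in AD
  carol: { company: 'Acme Ltd' },
  dave:  { company: 'Initech' },
  erin:  { company: 'Old Name' },   // differs: a mandatory mapping flags this too
};

// Run the policy for every role member and report per-account results.
function runPolicy(mode) {
  const tree = parseFilter(ROLE_FILTER);
  const results = {};
  for (const p of persons) {
    if (!matches(tree, p)) continue;            // not in the role: policy does not apply
    const policyValue = mapCompany(makeSubject(p));
    results[p.uid] = enforce(mode, accounts[p.uid], policyValue);
  }
  return results;
}

console.log(JSON.stringify(runPolicy('mark'), null, 2));
console.log(JSON.stringify(runPolicy('correct'), null, 2));
```

Running it shows the point of the reply's caution: carol and dave never enter the role, bob is flagged in "mark" mode and would receive the HR value in "correct" mode, but erin, whose AD value merely differs from HR, is treated exactly the same way under a mandatory mapping. Whether that is acceptable for the "skip users who already have a value" requirement is something to confirm in "mark" mode before switching the service to "correct non-compliance".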