Deconstructing a Provisioning Plan in SailPoint

Amit Kumar Gupta
2 min read · Jan 18, 2023

In this article, we will look at all the information present inside a provisioning plan. Before we start, make sure you have read our last article about what a Provisioning Plan is in SailPoint.

So let’s begin.

At a high level, the provisioning plan contains two things:

  1. Identity
  2. List of Account Requests

Here, Identity is the subject on which all the operations will be performed.
In addition, a provisioning plan contains a list of Account Requests.

[Figure: Provisioning plan in SailPoint, high-level design. Posted by Identityclasses on SailPoint Training for beginner]

AccountRequest Object in Sailpoint

The account request object contains the fundamental information required for provisioning operations.

In simple words, it answers the question: on which application does what operation need to be performed? If any data is required to support the operation, it is passed using AttributeRequest objects.

[Figure: AccountRequest object inside a Provisioning Plan in SailPoint. Posted by Identityclasses on SailPoint Training for beginner]

As you can see in the above picture, the AccountRequest object primarily contains:

  1. Native Identifier of the account
  2. Operation: The AccountRequest object also contains the operation that needs to be performed. It can be Create Account, Modify Account, Lock Account, and so on.
  3. AttributeRequest Objects: Depending upon the operation type, some additional information may be required. For example, if we want to create a user in Active Directory, we need to pass userPrincipalName, sAMAccountName, givenName, sn, mail, and other mandatory attributes. All this data needs to be passed using AttributeRequest objects.

AttributeRequest Object in SailPoint

An AttributeRequest contains an operation and a name/value pair.

[Figure: AttributeRequest object inside a Provisioning Plan in SailPoint. Posted by Identityclasses on SailPoint Training for beginner]

Let’s say you want to create a user account in Active Directory. As mentioned above, we need to pass the mandatory attributes in order to create the account. These attributes are passed using AttributeRequest objects.

<AttributeRequest name="objectType" op="Set" value="User"/>
<AttributeRequest name="sAMAccountName" op="Set" value="1c"/>
<AttributeRequest name="password" op="Set" value="Oracle@123"/>
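
To see the three levels together, here is an added Python example (not from the original article or from SailPoint) that splits a plan's XML into identity, account requests and attribute requests, and masks secret values such as the password before anything is printed or logged. The XML is a constructed sample: only the three AttributeRequest lines come from the article, while the ProvisioningPlan and AccountRequest wrapper attributes and the list of secret attribute names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The three AttributeRequest lines come from the article;
# the wrapper elements and their attributes are assumptions for illustration.
SAMPLE_PLAN = """
<ProvisioningPlan nativeIdentity="jdoe">
  <AccountRequest application="Active Directory" op="Create"
                  nativeIdentity="CN=J Doe,OU=Users,DC=example,DC=com">
    <AttributeRequest name="objectType" op="Set" value="User"/>
    <AttributeRequest name="sAMAccountName" op="Set" value="1c"/>
    <AttributeRequest name="password" op="Set" value="Oracle@123"/>
  </AccountRequest>
</ProvisioningPlan>
"""

# Attribute names whose values should never reach a log (assumed list).
SECRET_NAMES = {"password", "unicodepwd", "userpassword"}


def deconstruct(plan_xml):
    """Split a plan into identity -> account requests -> attribute requests."""
    root = ET.fromstring(plan_xml.strip())
    if root.tag != "ProvisioningPlan":
        raise ValueError("not a ProvisioningPlan document")
    accounts = []
    for acct in root.findall("AccountRequest"):
        attrs = []
        for attr in acct.findall("AttributeRequest"):
            name = attr.get("name", "")
            secret = name.lower() in SECRET_NAMES
            # Mask secret values so the returned structure is safe to log.
            attrs.append({"name": name, "op": attr.get("op"), "secret": secret,
                          "value": "****" if secret else attr.get("value")})
        accounts.append({"application": acct.get("application"), "op": acct.get("op"),
                         "nativeIdentity": acct.get("nativeIdentity"),
                         "attributes": attrs})
    return {"identity": root.get("nativeIdentity"), "accounts": accounts}


if __name__ == "__main__":
    plan = deconstruct(SAMPLE_PLAN)
    print("Identity:", plan["identity"])
    for acct in plan["accounts"]:
        print(f"  {acct['op']} on {acct['application']} ({acct['nativeIdentity']})")
        for a in acct["attributes"]:
            print(f"    {a['op']} {a['name']} = {a['value']}")
```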

Watch the video below for more clarification.
