Provisioning to Active Directory

Dear community,

I would like to ask about the options for controlling the movement of user accounts in AD between OUs that are subordinate to the BaseDN.

My case:
I have OUs in AD divided into two main branches based on office locations, and under them are subordinate OUs with users. For each branch, I have created a managed system and defined business rules, which control into which OU a newly created account is placed.
However, I would like to manage the placement of accounts into further subordinate OUs within these branches when the identity in OpenIAM transitions to LEAVE or DISABLED status, so that the account is moved in AD to a container reserved for such cases.

How are such situations typically handled in OpenIAM? Is there a built-in function for this, or would it be necessary to extend the PS connector with some custom logic to handle this?

Thank you in advance for any advice or comments.
Jan

You can handle this by creating a dedicated organization in OpenIAM for accounts in LEAVE or DISABLED status and defining the corresponding organizational unit (OU) within it.

Additionally, you will need to update the OU mapping logic in the policy map script to ensure that the correct OU is picked for users in these states. The script should read the assigned organization and map it to the appropriate OU for “disabled” or “leave” cases.
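The mapping logic described in the answer above, sketched as an added example that is not part of the original thread and not OpenIAM's own code. It is written in Python for illustration and would be ported into the policy map script; the branch names, BaseDNs, holding OU names and function names are all assumptions. It also refuses any target OU outside the managed system's BaseDN, so a bad mapping cannot move an account out of its branch.

```python
import re

# Constructed sample values (assumptions): branch BaseDNs and holding OU names.
BRANCH_BASE_DN = {
    "office-a": "OU=OfficeA,DC=example,DC=com",
    "office-b": "OU=OfficeB,DC=example,DC=com",
}
HOLDING_OU = {"LEAVE": "Leave", "DISABLED": "Disabled"}

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if not esc and ch == ",":
            parts.append(cur)
            cur = ""
            continue
        esc = (ch == "\\") and not esc
        cur += ch
    parts.append(cur)
    return [p.strip().lower() for p in parts]

def is_under(dn, base_dn):
    """True if dn equals or sits below base_dn, compared RDN by RDN."""
    parts, base = split_dn(dn), split_dn(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base

def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out = re.sub(r'([\\,+"<>;])', r"\\\1", value).replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def target_dn(cn, branch, status, active_ou):
    """Return the DN the account should have for this identity status."""
    base = BRANCH_BASE_DN.get(branch)
    if base is None:
        raise ValueError(f"unknown branch: {branch!r}")
    holding = HOLDING_OU.get(status.upper())
    # LEAVE/DISABLED go to the branch's holding OU; other statuses keep active_ou.
    ou = f"OU={holding},{base}" if holding else active_ou
    if not is_under(ou, base):
        raise ValueError(f"{ou!r} is outside BaseDN {base!r}")
    return f"CN={escape_rdn_value(cn)},{ou}"
```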