
Tuesday, January 17, 2023

SailPoint migrating provisioning policies from inline to forms

This is more of a personal preference but there is a reason behind it.

I do not like to have inline provisioning policies.  I like to keep them as a separate Form object.  The reasons I like to do this revolve around the concept of modularity.  For the same reason, I prefer to use rules for the value section of a Field in a provisioning policy instead of using a script.  This does not necessarily mean I advocate for use of the SSF Field Value framework.  It's as simple as this: if you are using inline scripts and inline provisioning policies, a small change to a script, by the "butterfly effect", requires regression testing of every function of that application.  THIS IS REAL !!  Modularizing these means a change in one module requires testing only of the module that was affected.

Let's look at the first and most often needed model: Active Directory.
The provisioning policies on the Active Directory application are:

Account (for account creation)
Create Group (for group creation)
Update Group (for group update)

We'll start with the account create policy.

Start by creating a new Form object in the Form editor.  Do this by opening the Forms UI (Gear Icon -> Global Settings -> Forms).  Click Create Form and select Application Provisioning Policy Form as the form type.

Make the form name descriptive and compliant with your naming standards; it should include "Active Directory Account Create" or an abbreviation of it.  Add a description and save it.

Next, open the debugger, select and open the Active Directory application, and find the first Form object inside the ProvisioningForms tag.  Select all of the Section objects, up to the end of that Form object, and copy them to the clipboard.  Close the debug editor.  Then select and open the Form object you just created and paste that data inside its Form tags.  Example:

Cut from the first <Section ...> opening tag through the last </Section> closing tag, i.e. everything between </Attributes> and </Form> (the bolded lines):
  <ProvisioningForms>
    <Form name="Account" objectType="account" type="Create">
      <Attributes>
        <Map>
          <entry key="pageTitle" value="Account"/>
        </Map>
      </Attributes>
      <Section label="Account" name="Account">
        <Field displayName="con_prov_policy_ad_objecttype" name="objectType" postBack="true" reviewRequired="true" section="Account" type="string" value="User">
          <AllowedValuesDefinition>
            <Value>
              <List>

...

        <Field displayName="con_prov_policy_ad_msDSManagedPasswordInterval" helpKey="help_con_prov_policy_ad_msDSManagedPasswordInterval" name="msDS-ManagedPasswordInterval" reviewRequired="true" section="gmsa" type="string"/>
        <Field displayName="con_prov_policy_ad_msDSGroupMSAMembership" helpKey="help_con_prov_policy_ad_msDSGroupMSAMembership" multi="true" name="msDS-GroupMSAMembership" reviewRequired="true" section="gmsa" type="string"/>
        <Field displayName="con_prov_policy_ad_msDSAllowedToActOnBehalfOfOtherIdentity" helpKey="help_con_prov_policy_ad_msDSAllowedToActOnBehalfOfOtherIdentity" multi="true" name="msDS-AllowedToActOnBehalfOfOtherIdentity" reviewRequired="true" section="gmsa" type="string"/>
        <Field displayName="con_prov_policy_ad_ServicePrincipalNames" helpKey="help_con_prov_policy_ad_ServicePrincipalNames" multi="true" name="servicePrincipalName" reviewRequired="true" section="gmsa" type="string"/>
      </Section>
    </Form>
    <Form name="Create Group" objectType="group" type="Create">
      <Attributes>
        <Map>
          <entry key="pageTitle" value="Create Group"/>

Paste it into the new Form object at the spot marked HERE:

<Form created="1674018819927" id="ac100a5085c013c08185c34c0f5704d7" name="Active Directory Account Create" type="Application">
  <Attributes>
    <Map>
      <entry key="pageTitle" value="Active Directory Account Create"/>
    </Map>
  </Attributes>

     HERE

  <Description>Form for creating an Active Directory account</Description>
</Form>

Save.
Now go back to the application in the UI.  Delete the Account policy and replace it with the form.
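The copy/paste steps above can also be scripted against an exported Application XML, which is handy when you have many applications to migrate or want the result checked before importing it. The following is an added example written for this post, not SailPoint code: it pulls the Section elements out of the inline Account create policy and wraps them in a standalone Form of type Application with the same Attributes/Map and Description layout shown above. The sample application XML is constructed from the excerpt on this page (a handful of Fields, not the full AD policy), and the id/created attributes are left off because IdentityIQ assigns them on import. Replacing the inline policy on the application side is still done in the UI, as described above.

```python
"""Extract an inline IdentityIQ provisioning policy into a standalone Form object.

Hypothetical helper for this post; the sample export below is constructed and
trimmed, not a real Active Directory application export.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down Application export with inline policies.
SAMPLE_APPLICATION_XML = """<Application name="Active Directory" type="Active Directory - Direct">
  <ProvisioningForms>
    <Form name="Account" objectType="account" type="Create">
      <Attributes>
        <Map>
          <entry key="pageTitle" value="Account"/>
        </Map>
      </Attributes>
      <Section label="Account" name="Account">
        <Field displayName="con_prov_policy_ad_objecttype" name="objectType" postBack="true" reviewRequired="true" section="Account" type="string" value="User"/>
        <Field displayName="con_prov_policy_ad_sAMAccountName" name="sAMAccountName" reviewRequired="true" section="Account" type="string"/>
      </Section>
      <Section label="gmsa" name="gmsa">
        <Field displayName="con_prov_policy_ad_ServicePrincipalNames" multi="true" name="servicePrincipalName" reviewRequired="true" section="gmsa" type="string"/>
      </Section>
    </Form>
    <Form name="Create Group" objectType="group" type="Create">
      <Attributes>
        <Map>
          <entry key="pageTitle" value="Create Group"/>
        </Map>
      </Attributes>
      <Section label="Group" name="Group">
        <Field name="cn" reviewRequired="true" section="Group" type="string"/>
      </Section>
    </Form>
  </ProvisioningForms>
</Application>
"""


def find_provisioning_form(app_root, object_type, form_type):
    """Locate the inline provisioning Form matching objectType and type."""
    for form in app_root.findall("./ProvisioningForms/Form"):
        if form.get("objectType") == object_type and form.get("type") == form_type:
            return form
    raise LookupError(f"no inline {form_type} policy for objectType={object_type}")


def build_standalone_form(app_xml, object_type, form_type, form_name, description):
    """Return a new <Form type="Application"> element carrying the Sections
    of the selected inline policy, laid out as Attributes, Sections, Description."""
    app_root = ET.fromstring(app_xml)
    inline = find_provisioning_form(app_root, object_type, form_type)
    sections = inline.findall("Section")
    if not sections:
        raise ValueError("inline policy has no Section elements to migrate")

    # Shell of the new Form object; IdentityIQ fills in id/created on import.
    form = ET.Element("Form", {"name": form_name, "type": "Application"})
    attrs = ET.SubElement(form, "Attributes")
    map_el = ET.SubElement(attrs, "Map")
    ET.SubElement(map_el, "entry", {"key": "pageTitle", "value": form_name})
    # Sections are copied verbatim so Fields, their value scripts or rules,
    # and reviewRequired flags all travel with them.
    for section in sections:
        form.append(copy.deepcopy(section))
    ET.SubElement(form, "Description").text = description
    return form


def field_names(form):
    """List the Fields in a Form as 'section/fieldName' for quick comparison."""
    return [
        f"{section.get('name')}/{field.get('name')}"
        for section in form.findall("Section")
        for field in section.findall("Field")
    ]


def to_xml_string(form):
    """Serialize the Form so it can be pasted into the debugger and imported."""
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(form, space="  ")
    return ET.tostring(form, encoding="unicode")


if __name__ == "__main__":
    new_form = build_standalone_form(
        SAMPLE_APPLICATION_XML, "account", "Create",
        "Active Directory Account Create",
        "Form for creating an Active Directory account",
    )
    print(to_xml_string(new_form))
```

Compare `field_names()` of the inline policy against the new Form before you delete the inline policy; if the lists match, nothing was dropped in the move.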