Account selector rule not working as expected

Hi all,

We have one business role and four IT roles under it. One of the IT roles has an account selector rule which returns the link if the account is an administrator account and null otherwise.

Now the problem that we are facing is that even when a user does not have this administrator account, this IT role and the entitlement tagged to it are still being provisioned.

Even in the logs we can see that the account selector rule is returning null if it isn’t able to find the ADM link.

Am I missing something?

Thanks in advance

In your case where the user does not have an admin account, what should the expected behavior be? Create an admin account, choose other account, or prevent assignment?

Hi @rishavghoshacc

Can you please explain your expected behavior? Then it will be easier for us to provide you some suggestions.

@robert-hails In the case of a user not having an admin account, the role should not be provisioned to the normal account. The issue is that the role is being provisioned to the normal account.

@msingh900 When a user has both an admin AD and a normal AD account, the role is provisioned to the admin AD account. This is expected and is working.

The issue is when we have a user with only a normal AD account: the role still gets provisioned to the normal AD account. In the logs we see that the account selector rule is returning null, but the role still gets provisioned.

Can you please send me the rule that you are using or screenshot of the configuration if you have done any.

@msingh900

import sailpoint.object.Link;
import org.apache.log4j.Logger;

// links: the candidate Link objects on the target application for this identity (rule argument)
if (links != null) {
  for (Link link : links) {
    if (link == null) {
      continue;
    }
    String accName = (String) link.getAttribute("sAMAccountName");
    if (accName == null) {
      continue;
    }
    log.error("Test - accName= " + accName);
    // Select the first link whose sAMAccountName ends with ADM; keep looking otherwise,
    // so the admin link is found even when the normal account is listed first
    if (accName.toUpperCase().endsWith("ADM")) {
      log.error("Test - Returning admlink ");
      return link;
    }
  }
}
// No ADM link found: null means no automatic selection
log.error("Test - Returning null ");
return null;

That makes sense from what you are saying. The AccountSelector Rule is not where to handle this behavior.

The return value of an AccountSelector Rule is a Link instance that represents the selection. Value can be:

  • null - indicates that no automatic selection can be made
  • “prompt” - indicates that a separate account selector should be presented for the role
  • existing Link - the selected Link from the list of possible target Links
  • a new Link instance - indicates that a new account must be created with the identity specified by the create policy, or manually; in this case, the Link instance returned will have a null nativeIdentity attribute

Returning null here does not prevent the provisioning of this role to an account. To prevent the role from being assigned, there are a few ways to handle this:

  • Advanced SOD Policy
  • Modifying birthright role assignment logic (if this is a birthright role)

Hope this helps!

This rule is fine. The Account Selector Rule is working as expected. Here you can add Assignment Rule logic to achieve the use case.

@rishavghoshacc How is the business role assigned to the user?
If it is automatically assigned, then you write a rule/script as an assignment rule and return true for identities having both normal and admin accounts. It will then use the account selector to select the account, where you can return the link which you want to assign.

If this is being assigned via Manage User Access, then you can modify your RequestObjectSelector rule available inside the QuickPopulation so that the roles will only be visible to users having both accounts.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.

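The assignment-rule approach suggested in the replies above, as an added example that is not code from the thread or from SailPoint. It assumes the BeanShell rule is attached to the business role as its assignment (identity selector) rule, that the usual `identity` and `log` arguments are available, that the AD application definition is named "Active Directory" (an assumed placeholder), and it reuses the "ADM" sAMAccountName suffix from the original rule. The point it demonstrates is the one the replies make: the account selector rule only decides which account receives the role once it is assigned, so the "do not assign at all" decision has to be made here, before the selector ever runs.

```java
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;

// Assumed application name; replace with the name of your AD application definition.
String AD_APP_NAME = "Active Directory";

boolean hasAdminAccount = false;
boolean hasNormalAccount = false;

// identity: the Identity being evaluated for this business role (rule argument)
List links = identity.getLinks();
if (links != null) {
  for (Link link : links) {
    // Only AD links are relevant; skip accounts on other applications
    if (link == null || !AD_APP_NAME.equals(link.getApplicationName())) {
      continue;
    }
    String accName = (String) link.getAttribute("sAMAccountName");
    if (accName == null) {
      continue;
    }
    // Same naming convention as the account selector rule: admin accounts end with ADM
    if (accName.toUpperCase().endsWith("ADM")) {
      hasAdminAccount = true;
    } else {
      hasNormalAccount = true;
    }
  }
}

if (log.isDebugEnabled()) {
  log.debug("Assignment rule for " + identity.getName()
      + ": admin=" + hasAdminAccount + ", normal=" + hasNormalAccount);
}

// Assign the business role only when both account types exist. For an identity with
// only a normal AD account this returns false, so the role (and its IT roles and
// entitlements) is never assigned and the normal account stays untouched.
return hasAdminAccount && hasNormalAccount;
```

With this in place the account selector rule can stay as posted: by the time it runs, every identity holding the role already has an ADM link for it to return, and the null branch becomes a genuine "something is wrong with this identity's links" signal worth logging rather than a silent fall-through to the normal account.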