AD Create Provisioning Policy

IIQ version: 8.3

Hello Experts,
How can I add two values for a user in the AD create provisioning policy using the field value rule?

if (fieldName.equalsIgnoreCase("MemberOf")) {
    List groups = new ArrayList<>();
    groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
    groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");

    value = groups;
}

Thanks

Hi @anshu77 ,

I think you are almost there. Can you test if you return groups?

if (fieldName.equals("memberOf")) {
    List groups = new ArrayList<>();
    groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
    groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");

    return groups;
}

In my code I am using field and not fieldValue.

– Remold


Hello Remold,

Thanks for the reply but still no luck. I tried multiple iterations.

if (fieldName.equals("memberOf")) {
    List groups = new ArrayList<>();   // this is not supported in Beanshell, I am unable to save
    groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
    groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");

    return groups;
}

if (fieldName.equals("MemberOf")) {
    groups = new ArrayList();
    groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
    groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");

    value = groups;
}

if (fieldName.equals("MemberOf")) {
    groups = new ArrayList();
    groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
    groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");

    Object value = groups;
}

I am able to set values using this pattern -

//Setting 'MailNickName' for the account
	if( fieldName.equalsIgnoreCase("mailNickname") ){    
		value = (String) identity.getAttribute("username");
	}

Thanks
Anshu

Are you sure you are giving the correct case when you are testing? It should be memberOf, not MemberOf.

Hi Anshu,

You can also add these groups in the beforeProvisioning rule for Active Directory.

Thanks for the reply, Satish. Yes, I am adding MemberOf. I tried to provide it directly: I am able to add the user to a single group, but for two groups it's not working.

Hi Amit,

Thank you for the reply. Let me check this one.

Thanks
Anshu

Please change this from MemberOf to memberOf


if (fieldName.equals("memberOf")) {
    groups = new ArrayList();
    groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
    groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");

    value = groups;

    return value;
}
Also, please share your rule and the plan XML you see in the provisioning transaction.

Also, here does "direct" mean that instead of a rule you gave the value directly?
Also, instead of a rule, you can try a script like the one below for that particular field.

import java.util.List;
import java.util.ArrayList;
List groups = new ArrayList();
groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");
return groups;

Thanks a lot Satish. This is working. I can finally add values.

import java.util.List;
import java.util.ArrayList;

List groups = new ArrayList();

groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");

return groups;

Thanks Satish, I am not sure why I am unable to add values using the field value rule.

Definitely some case issues with the field name; however, glad this worked.

You can share the rule if you still want to debug why that is not working.

Sure, thanks again for the reply. I got this code from a search and updated the values accordingly. It's stamping most of the values except memberOf.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1698247661112" id="0a200a0c8b671090818b6772d637007c" language="beanshell" modified="1707384531897" name="Active Directory Accounts Field Value Rule" type="FieldValue">
  <Description>This rule can be used to generate a field value (eg - an account name) using data from the given Identity. If this rule is run in the context of a workflow step then the arguments passed into the step will also be available. Also, any field values that have been processed so far from the policy related to the Application/Role will be available.</Description>
  <Signature returnType="String">
    <Inputs>
      <Argument name="log" type="org.apache.commons.logging.Log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context" type="sailpoint.api.SailPointContext">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="identity" type="Identity">
        <Description>
          The Identity object that represents the user needing the field value.
        </Description>
      </Argument>
      <Argument name="link" type="Link">
        <Description>
          The sailpoint.object.Link that is being acted upon. If the link is not applicable,
          this value will be null.
        </Description>
      </Argument>
      <Argument name="group" type="AccountGroupDTO">
        <Description>
          The sailpoint.web.group.AccountGroupDTO that is being acted upon. If the AccountGroupDTO
          is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="project" type="ProvisioningProject">
        <Description>
          The provisioning project being acted upon. If a provisioning project is not applicable,
          the value will be null.
        </Description>
      </Argument>
      <Argument name="accountRequest" type="ProvisioningPlan.AccountRequest">
        <Description>
          The account request. If an account request is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="objectRequest" type="ProvisioningPlan.ObjectRequest">
        <Description>
          The object request. If an object request is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="role" type="Bundle">
        <Description>
          The role with the template we are compiling. If the role is
          not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="application" type="Application">
        <Description>
          The sailpont.object.Application with the template we are compiling. If the application
          is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="template" type="Template">
        <Description>
          The Template that contains this field.
        </Description>
      </Argument>
      <Argument name="field" type="Field">
        <Description>
          The current field being computed.
        </Description>
      </Argument>
      <Argument name="current" type="Object">
        <Description>
          The current value corresponding to the identity or account attribute that the field represents.
          If no current value is set, this value will be null.
        </Description>
      </Argument>
      <Argument name="operation" type="ProvisioningPlan.Operation">
        <Description>
          The operation being performed.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="value">
        <Description>
          The string value created.
        </Description>
      </Argument>
    </Returns>
  </Signature>
<Source>import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import sailpoint.api.PasswordGenerator;
import sailpoint.object.Identity;
import sailpoint.object.PasswordPolicy;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.ObjectRequest;

		// Rule-specific logger (the duplicate log4j and sailpoint.integration imports were dropped)
		private static Log adFVRLogger = LogFactory.getLog("rule.Rule_AD_Field_Value_Rule");

		adFVRLogger.trace("------------Inside Rule_AD_Field_Value_Rule ------------------------- for : "+(identity != null ? identity.getName() : "null"));

		String value = null;
		String fieldName = null;
		String location = null;
		String s = "ctd-";
//s = "Hello " + s;
		  
		//Null check for field
		if(null==field){
			adFVRLogger.error("Error in Rule_AD_Field_Value_Rule. field is null");
			return null;
		}
		
		fieldName = field.getName();
		
		if(null==fieldName || fieldName.isEmpty()){
			adFVRLogger.error("Error in Rule_AD_Field_Value_Rule. fieldName is null or empty");
			return null;
		}
		
		//Null check for identity: nothing below can be computed without it
		if( null==identity ){
			adFVRLogger.error("error in Rule_AD_Field_Value_Rule. Identity is null");
			return null;
		}

		//Obtaining 'location' attribute of the identity to query the 'locations' table and populate possible values for fields
		location = (String) identity.getAttribute("location");
		
		//set field value according to attribute request from the original plan
		//(do not cast to String: a multi-valued attribute such as memberOf arrives as a List)
		if(null!=accountRequest &amp;&amp; null!=accountRequest.getAttributeRequest(fieldName)){
			Object planValue = accountRequest.getAttributeRequest(fieldName).getValue();
			if( null!=planValue &amp;&amp; !planValue.toString().isEmpty() ){
				return planValue;
			}
		}
		
//		if( fieldName.equalsIgnoreCase("extensionAttribute1") ){
      	
	//		String hireDate = identity.getAttribute("ServiceDate");
			
	//		if(null!=hireDate &amp;&amp; !hireDate.isEmpty()){
			
		//	  SimpleDateFormat simpleDateFormat = new SimpleDateFormat("MM/dd/yyyy hh:mm:ss a");

			//  Date date = simpleDateFormat.parse(hireDate);

			 // SimpleDateFormat sdf = new SimpleDateFormat("MM/dd/yyyy");

			 // value = "HireDate_"+sdf.format(date);   
		//	}
	//		else{

	//		value="";
//			}
	//	 }
  
	//	if( fieldName.equalsIgnoreCase("extensionAttribute2") ){
	//				value = "Code_"+identity.getAttribute("employeeId");   
	//		 }
	  
	//	if( fieldName.equalsIgnoreCase("extensionAttribute3") ){
	//				value = "ADCreated_"+(new SimpleDateFormat("MM/dd/yyyy").format( new Date() ));   
	//		 }
		
//		if( fieldName.equalsIgnoreCase("sAMAccountName") ){
//				value = (String) identity.getAttribute("userName");
//		 }
		
  		
	//	if( fieldName.equalsIgnoreCase("sAMAccountName") ){
//				value = (String) identity.getAttribute("NetworkID");
	//	 }
		
  //if (fieldName.equalsIgnoreCase("sAMAccountName")) {
   // String networkID = (String) identity.getAttribute("NetworkID");
   // if (networkID != null) {
    //    value = "iiqq" + networkID;
   // }
//}
  
  if (fieldName.equalsIgnoreCase("sAMAccountName")) {
    String networkID = (String) identity.getAttribute("NetworkID");
    if (networkID != null) {
        value = "iiqq-" + networkID;
    }
}
  
  
  	
		//if( fieldName.equalsIgnoreCase("sAMAccountName") ){
		//		value = s + "(String) identity.getAttribute("userName")";
		 //}
  
  
 // if (fieldName.equalsIgnoreCase("sAMAccountName")) {
  //  String samAccountName = (String) identity.getAttribute("userName");
   // if (samAccountName != null) {
   //     value = "iiqq" + samAccountName;
  //  }
//}
  
  
		if( fieldName.equalsIgnoreCase("primaryGroupDN") ){
				value = "CN=Domain Users,CN=Users,DC=company,DC=org,DC=com";
		 }
		
		if( fieldName.equalsIgnoreCase("displayName") ){
				
			String requesteePrefname = identity.getStringAttribute("preferredName");			
			String requesteeDispName = ((null !=requesteePrefname &amp;&amp; !requesteePrefname.isEmpty() ) ? requesteePrefname : identity.getFirstname()) + " " + identity.getLastname();
			value = requesteeDispName;
		 }
		
		if( fieldName.equalsIgnoreCase("givenName") ){
				value = identity.getFirstname();    
		 }
		
		 if( fieldName.equalsIgnoreCase("sn") ){
				value = identity.getLastname(); 
		 }
		
		 if( fieldName.equalsIgnoreCase("description") ){
				value = (String) identity.getAttribute("title");
		 }
		
			 if( fieldName.equalsIgnoreCase("title") ){
				value = (String) identity.getAttribute("title");
		 }
		
		 if( fieldName.equalsIgnoreCase("department") ){
				value = (String) identity.getAttribute("department");
		 }

		 if( fieldName.equalsIgnoreCase("Manager") ){
			if( null != identity.getManager()  &amp;&amp; null != identity.getManager().getLink(application) ){
				value = (String) identity.getManager().getLink(application).getAttribute("distinguishedName");
			}      
		 }
		
		
		if (fieldName.equals(“memberOf”)) {
groups = new ArrayList();
groups.add(“CN=test_grp,OU=Groups,DC=iiqservice,DC=com”);
groups.add(“CN=test_grp2,OU=Groups,DC=iiqservice,DC=com”);

value = groups;

return value;
		
		
		//Setting ScriptPath to default value for the account
		if( fieldName.equalsIgnoreCase("ScriptPath") ){
		  value = "logon.vbs";      
		}
		
		//Setting 'Object Type' for the account
		if( fieldName.equalsIgnoreCase("ObjectClass") ){
			value = "User";      
		}

		//Setting 'employeeType' for the account
		if( fieldName.equalsIgnoreCase("employeeType") ){	      
			value="Employee";
			if( null != identity.getAttribute("employeeType") ){      
				value = (String) identity.getAttribute("employeeType");      
			}      
		}

		//Setting 'distinguishedName' for the account
	//	if( fieldName.equalsIgnoreCase("distinguishedName") ){
	//		value = "CN="+identity.getAttribute("displayName")+",OU="+identity.getAttribute("team")+",OU="+identity.getAttribute("businessUnit")+",OU="+identity.getAttribute("department")+",OU=Employees,OU=Systems,DC=company,DC=org,DC=com";
//		}
  
  
  	//Setting 'distinguishedName' for the account
//		if( fieldName.equalsIgnoreCase("distinguishedName") ){
	//		value = "CN="+identity.getAttribute("displayName")+",OU="+identity.getAttribute("team")+",OU="+identity.getAttribute("businessUnit")+",OU="+identity.getAttribute("department")+",OU=Employees,OU=Systems,DC=company,DC=org,DC=com";
	//    String strNetworkId = identity.getAttribute("NetworkID").toLowerCase();            
  //    value = "CN=" + strNetworkId + "," + "," + "CN=Users,DC=iiqservice,DC=com";

   // }
			
  
 // if( fieldName.equalsIgnoreCase("distinguishedName") ){
    // If the condition is true, execute the following block of code.

    // Get the "NetworkID" attribute from the "identity" object and convert it to lowercase.
  //  String strNetworkId = identity.getAttribute("NetworkID").toLowerCase();

    // Construct a distinguished name using the strNetworkId and other strings.
 //   value = "CN=" + strNetworkId + "," + "," + "CN=Users,DC=iiqservice,DC=com";
//}
  
  

if (fieldName.equalsIgnoreCase("distinguishedName")) {
    // If the condition is true, execute the following block of code.

    // Get the "NetworkID" attribute from the "identity" object and convert it to lowercase.
    String strNetworkId = identity.getAttribute("NetworkID").toLowerCase();

    // Construct a distinguished name by adding "iiqq-" before strNetworkId and other strings.
    value = "CN=iiqq-" + strNetworkId + ",CN=Users,DC=iiqservice,DC=com";
}
  
  
  
			
		//Setting 'City' for the account
	//	if( fieldName.equalsIgnoreCase("l") ){    
		//	value = (String) identity.getAttribute("location");
	//	}

		//Setting 'Password' for the account
	//	if( fieldName.equalsIgnoreCase("Password") ){
	//		value = (String) generatePassword();
	//	}

  
  
 // if (fieldName.equalsIgnoreCase("Password")) {
   //  Generate or set the password here
  //  String newPassword = "newPassword123"; // Replace this with your desired password

    // Assign the password to the 'value' variable
  // value = newPassword;
//}
  
  
  
  
    
 // if (fieldName.equalsIgnoreCase("Password")) {
   //  Generate or set the password here
    
     //  String policyName = "iiq_User_PasswordPolicy";

 // PasswordPolicy policy = context.getObjectByName(PasswordPolicy.class, policyName);

  // String newPassword = new PasswordGenerator(context).generatePassword(policy);
  //  String newPassword = "newPassword123"; // Replace this with your desired password

    // Assign the password to the 'value' variable
  // value = newPassword;
// }
  
  
  
  
  //if (fieldName.equalsIgnoreCase("Password")) {
    // Field name is "Password," so we need to generate or set a new password
    
    // Define the name of the password policy
   // String policyName = "iiq_User_PasswordPolicy";

    // Retrieve the password policy by its name
    //PasswordPolicy policy = context.getObjectByName(PasswordPolicy.class, policyName);

    // Generate a new password based on the policy
    //String newPassword = new PasswordGenerator(context).generatePassword(policy);
    // You can use the line below to set a specific password if needed
    // String newPassword = "newPassword123"; // Replace this with your desired password

    // Assign the generated password to the 'value' variable
    //value = newPassword;
//}
  
  
  
  
 // if (fieldName.equalsIgnoreCase("Password")) {
  //  logger.trace("Enter AD password rule");
   // PasswordPolicy pp = context.getObjectByName(PasswordPolicy.class, "iiq_User_PasswordPolicy");
   // PasswordGenerator pg = new PasswordGenerator(context);
   // String newPassword = context.decrypt(pg.generatePassword(pp));

    // Assign the generated password to the 'value' variable
   // value = newPassword;
//}
  
  
  
  
  if (fieldName.equalsIgnoreCase("Password")) {
     // This block of code will execute if 'fieldName' is equal to "Password."]

    // Logging a trace message
   // logger.trace("Enter AD password rule");

    // Retrieving a PasswordPolicy object
    PasswordPolicy pp = context.getObjectByName(PasswordPolicy.class, "iiq_User_PasswordPolicy");

    // Creating a PasswordGenerator
   PasswordGenerator pg = new PasswordGenerator(context);

    // Generating a new password based on the PasswordPolicy
    String newPassword = context.decrypt(pg.generatePassword(pp));

    // Assigning the generated password to the 'value' variable
    value = newPassword;
}
  
  //if (fieldName.equalsIgnoreCase("Password")) {
  
   //String policyName = "iiq_User_PasswordPolicy";

 // PasswordPolicy policy = context.getObjectByName(PasswordPolicy.class, policyName);

  //String password = new PasswordGenerator(context).generatePassword(policy);
  
 // value = password;
    
  //}
  
  
  
		//Setting 'physicalDeliveryOfficeName' for the account
		if( fieldName.equalsIgnoreCase("physicalDeliveryOfficeName") ){
			value = (String) identity.getAttribute("location");
		}
		
/////////  ALL OF THE ABOVE ARE WORKING /////////////////
////////   BELOW ARE WHAT I'M ADDING AND DON'T GET ADDED ///////////
  
  		//Setting 'Company' for the account (use equals(), not =, for the comparison)
		if( fieldName.equalsIgnoreCase("Company") ){	      
			value="My Company, Inc.";
			if( "Pune".equals(identity.getAttribute("location")) ){      
				value = "Company India. Ltd.";      
			}      
		}
		
	//Setting 'City' for the account
		if( fieldName.equalsIgnoreCase("City") ){    
			value = (String) identity.getAttribute("location");
		}
		
	//Setting 'EmailAddress' for the account
		if( fieldName.equalsIgnoreCase("EmailAddress") ){    
			value = (String) identity.getAttribute("email");
		}
  		if( fieldName.equalsIgnoreCase("mail") ){    
			value = (String) identity.getAttribute("email");
		}
		
	//Setting 'MailNickName' for the account
		if( fieldName.equalsIgnoreCase("mailNickname") ){    
			value = (String) identity.getAttribute("username");
		}
		
	//Setting 'Enabled' to true for "Employee" account (use equals(), not =, for the comparison)
		if( fieldName.equalsIgnoreCase("Enabled") ){	      
			value="False";
			if( "Employee".equals(identity.getAttribute("employeeType")) ){      
				value = "True";      
			}      
		}



  
  



  
	//Setting 'Name' for the account
		if( fieldName.equalsIgnoreCase("Name") ){    
			value = (String) identity.getAttribute("displayName");
		}
	
	//Setting 'UPN' for the account
	//	if( fieldName.equalsIgnoreCase("UserPrincipalName") ){    
	//		value = (String) identity.getAttribute("email");
	//	}

// Setting 'UPN' for the account
if (fieldName.equalsIgnoreCase("UserPrincipalName")) {  
    String networkID = (String) identity.getAttribute("NetworkID");
    if (networkID != null) {
        value = "iiqq-" + networkID + "@iiqiiqq.com";		
    }
}
  
  
  
// extensionAttribute1
//if (fieldName.equalsIgnoreCase("extensionAttribute1")) {  
  //  String inactiveI = (String) identity.getAttribute("InactiveIndicator");
   // String serviceDate = (String) identity.getAttribute("ServiceDate");
   // String terminationDate = (String) identity.getAttribute("TerminationDate");
   // String val = "";

   // if ("A".equalsIgnoreCase(inactiveI)) {
     //   val = inactiveI + " " + (serviceDate != null ? serviceDate : "DefaultServiceDate");
   // }

    //if ("I".equalsIgnoreCase(inactiveI)) {
      //  val = inactiveI + " " + (terminationDate != null ? terminationDate : "DefaultTerminationDate");
   // }

    //return val.trim();
//}

  
  //extensionAttribute1
  
   
 // if (fieldName.equalsIgnoreCase("extensionAttribute1")) {
   // String inactiveI = identity.getAttribute("InactiveIndicator");
    //String val = "";

    //if ("A".equalsIgnoreCase(inactiveI)) {
        // Concatenate "A" and the ServiceDate
      //  val = inactiveI + " " + identity.getAttribute("ServiceDate");
   // }

   // if ("I".equalsIgnoreCase(inactiveI)) {
        // Concatenate "I" and the TerminationDate
     //   val = inactiveI + " " + identity.getAttribute("TerminationDate");
   // }

    // Trim the final value
   // return val.trim();
//}
  
  
  // extensionAttribute1
//if (fieldName.equalsIgnoreCase("extensionAttribute1")) {  
  //  String value = (String) identity.getAttribute("ServiceDate");
   // return value; 
//}
  
  
  
  if (fieldName.equalsIgnoreCase("extensionAttribute1")) {
    // If the fieldName is "extensionAttribute1" (case-insensitive),
    // enter this block of code.

    String value = (String) identity.getAttribute("ServiceDate");
    // Retrieve the value associated with the "ServiceDate" attribute from the 'identity' object
    // and store it in the 'value' variable.

    return value;
    // Return the 'value'.
}
  
  
  
  
  
  
  
  
// extensionAttribute2
if (fieldName.equalsIgnoreCase("extensionAttribute2")) {  
    String employmentType = (String) identity.getAttribute("EmploymentType");
    return employmentType != null ? employmentType : "DefaultEmploymentType";
}
  
		if(!fieldName.equalsIgnoreCase("password"))
			adFVRLogger.trace("------------Leaving Rule_AD_Field_Value_Rule -------------------------. Set  field '"+fieldName+"' to "+value);
		
		return value;</Source>
</Rule>

I see some syntax issues here; this loop is not ending correctly in the code you pasted:

	if (fieldName.equals(“memberOf”)) {

groups = new ArrayList();
groups.add(“CN=test_grp,OU=Groups,DC=iiqservice,DC=com”);
groups.add(“CN=test_grp2,OU=Groups,DC=iiqservice,DC=com”);

value = groups;

return value;

Also, the " characters are different from those in the other fields. Can you attach the exact rule as XML, or make sure you correct the closure of the if loop and the " and try again?

Thanks again. Sorry about that; actually, I struggled a lot with the field value rule for memberOf. I am able to add one group, but when I add a second group to the value it's not working. I posted this in Compass and Sunny suggested: "put those two groups in a list and add that list to the attribute request or return the list."

I tried around 15-20 different iterations/rules, but nothing worked.

	if (fieldName.equals(“memberOf”)) {

groups = new ArrayList();
groups.add(“CN=test_grp,OU=Groups,DC=iiqservice,DC=com”);
groups.add(“CN=test_grp2,OU=Groups,DC=iiqservice,DC=com”);

value = groups;

return value;

	}

This is the exact rule; I am stamping only a few values like sAMAccountName, firstname, lastname, etc., which I have added in the provisioning policy.
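An added example, my own code rather than anything posted in this thread or shipped by SailPoint: the skeleton of a FieldValue rule body that returns a List for memberOf and a String for every other field. It assumes the argument names declared in the Signature of the rule posted above (field, identity, accountRequest, application, log); the group DNs, the NetworkID identity attribute and the iiqq- prefix are placeholders copied from the thread, not values from any real directory. Two things differ from the posted rule: value is declared as Object (BeanShell enforces declared variable types, so a List cannot be assigned to a variable declared as String), and the check on the incoming plan value does not cast it to String. When pasting into the Rule XML, && must be written as &amp;&amp; inside Source, as the posted rule already does.

```java
// Added example: skeleton of an IdentityIQ FieldValue rule body (BeanShell, Java syntax).
// Argument names follow the Signature of the rule posted in this thread:
//   field (sailpoint.object.Field), identity (sailpoint.object.Identity),
//   accountRequest (ProvisioningPlan.AccountRequest), application, log.
// The group DNs, the "NetworkID" identity attribute and the "iiqq-" prefix are
// placeholders taken from the thread, not values from any real directory.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Declared as Object, not String: BeanShell enforces declared variable types,
// and memberOf has to be returned as a List of DNs.
Object value = null;

if (field == null || field.getName() == null || field.getName().isEmpty()) {
    log.error("AD field value rule: field or field name is null");
    return null;
}
if (identity == null) {
    log.error("AD field value rule: identity is null");
    return null;
}
String fieldName = field.getName();

// Honour a value already present in the incoming plan. Do not cast it to
// String: for a multi-valued attribute such as memberOf the plan value is a List.
if (accountRequest != null) {
    AttributeRequest attrReq = accountRequest.getAttributeRequest(fieldName);
    if (attrReq != null && attrReq.getValue() != null) {
        Object planValue = attrReq.getValue();
        boolean empty;
        if (planValue instanceof List) {
            empty = ((List) planValue).isEmpty();
        } else {
            empty = planValue.toString().isEmpty();
        }
        if (!empty) {
            return planValue;
        }
    }
}

// Compare case-insensitively: the policy field is "memberOf", and a mismatch
// such as "MemberOf" silently leaves the attribute unset.
if ("memberOf".equalsIgnoreCase(fieldName)) {
    List groups = new ArrayList();   // no diamond operator in BeanShell
    groups.add("CN=test_grp,OU=Groups,DC=iiqservice,DC=com");
    groups.add("CN=test_grp2,OU=Groups,DC=iiqservice,DC=com");
    value = groups;                  // a List, not a comma-joined String
}

if ("sAMAccountName".equalsIgnoreCase(fieldName)) {
    String networkId = (String) identity.getAttribute("NetworkID");
    if (networkId != null) {
        value = "iiqq-" + networkId;
    }
}

if ("manager".equalsIgnoreCase(fieldName)) {
    // Manager DN taken from the manager's link on the same AD application, if any.
    if (identity.getManager() != null && identity.getManager().getLink(application) != null) {
        value = identity.getManager().getLink(application).getAttribute("distinguishedName");
    }
}

// Never log the generated password.
if (!"password".equalsIgnoreCase(fieldName)) {
    log.debug("AD field value rule: " + fieldName + " -> " + value);
}
return value;
```

The posted rule's Signature declares returnType="String"; I would change that to Object so it documents what the rule now returns. To verify, run a single create in a sandbox and open the provisioning transaction: the plan's AttributeRequest for memberOf should carry a List with both DNs rather than one String. Note that hardcoding group DNs in the create policy gives every new account those groups regardless of role; in a real deployment the list should be derived from the identity's roles or from a lookup keyed on identity attributes, so the membership stays visible to access requests and certifications.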

Hi, for creating a group in Active Directory, how do I write the provisioning code? Can you tell me?
