After Modify Rule - How to get an identity attribute in PowerShell via IQService?

Hi everyone,

I’m currently working on an After Operation Rule in ISC and I’m using PowerShell via IQService.

My requirement is to retrieve a specific identity attribute (e.g., email, lastname, or a custom attribute like calculatedPrimaryEmailDomain) inside the PowerShell script.

However, I’m unable to access the identity attribute from the PowerShell side, even though the attribute is available in the Identity Profile and visible in the UI.

What I’ve tried:
• Using Get-AttributeValueFromAccountRequest function inside PowerShell
• Attempting to log $AccountRequest and $Plan objects for debugging

My questions:

  1. What are the reliable ways to pass identity attributes to PowerShell via IQService in an After Operation Rule?
  2. Is there a SailPoint-recommended method to reference identity attributes from within PowerShell scripts used in rules?

Thanks!

Hi @saikumarS - a connector rule doesn’t have access to identity data. To pass identity data during account creation, you must first map the identity attribute to an account attribute. This is done by configuring a Create Account policy, which allows the identity attribute to be passed through the provisioning process.

Hi, as Sahil mentioned, you cannot call the specified functions to get an identity attribute. You need to think of sending identity attributes in your AccountRequest. This depends on the operation you are going to perform.
For Create Account: as Sahil mentioned, you can add them in the Create Account profile.
For Modify/Enable/Disable: as per SailPoint, you need to use a Before Provisioning Rule to send the identity attribute. A sample logic would start from the plan:

// Before Provisioning rule (Java/Beanshell): read the attribute from the identity attached to the plan
Identity planIdentity = plan.getIdentity();
String calculatedPrimaryEmailDomain = (String) planIdentity.getAttribute("calculatedPrimaryEmailDomain");

@saikumarS you can use the below rule

{
  "description": "This rule is for aggregation hrms Operation",
  "type": "ConnectorAfterCreate",
  "signature": {
    "input": [],
    "output": null
  },
  "sourceCode": {
    "version": "1.0",
    "script": "$logDate = Get-Date -UFormat \"%Y%m%d\"\n$logFile = \"C:\\Users\\domaincon\\Downloads\\logs\\ConnectorAfterCreate_$logDate.log\"\n$command = \"C:\\Users\\domaincon\\Downloads\\Untitled1.ps1\"\n$enableDebug = $false\n\n#====================-------Helper functions-------====================\nfunction LogToFile([String] $info) {\n    $info | Out-File $logFile -Append\n}\n\n#====================-------Get the request object-------====================\nTry {\n    if ($enableDebug) {\n        LogToFile(\"Entering SailPoint rule\")\n    }\n\n    # Load the IQService helper assembly and parse the AccountRequest XML passed in $env:Request\n    Add-Type -Path utils.dll;\n    $sReader = New-Object System.IO.StringReader([System.String]$env:Request);\n    $xmlReader = [System.Xml.XmlTextReader]([System.IO.TextReader]$sReader);\n    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);\n    $requestAsString = $env:Request\n\n    if ($enableDebug) {\n        LogToFile(\"Request as XML object is: $requestAsString\")\n    }\n\n    # Call the client script\n    & $command $requestAsString\n\n} Catch {\n    $ErrorMessage = $_.Exception.Message\n    $ErrorItem = $_.Exception.ItemName\n    LogToFile(\"Error: Item = $ErrorItem -> Message = $ErrorMessage\")\n}\n\nif ($enableDebug) {\n    LogToFile(\"Exiting SailPoint rule\")\n}"
  },
  "attributes": {
    "ObjectOrientedScript": "true",
    "extension": ".ps1",
    "sourceVersion": "1.0",
    "disabled": "false",
    "program": "powershell.exe",
    "timeout": "300"
  },
  "name": ""
}

Hello Sai,

There is no way you can access the Identity Attributes directly from a CONNECTOR RULE. CONNECTOR RULES do not have access to IDENTITY ATTRIBUTES at all, but they can access the attributes which are passed to them through the “PROVISIONING PLAN”. Hence, you can say they can access the account attributes that are present in the provisioning plan.

Therefore, if you want to get any identity attribute into your AFTER CONNECTOR RULE for any kind of manipulation, there are the following ways to bring it in.

APPROACH 1

  1. Create an attribute in the CREATE ACCOUNT PROFILE of the source.
  2. Map it to respective identity attribute
  3. If you don’t want this attribute to be passed to ACTIVE DIRECTORY, then you can exclude that account attribute from provisioning by adding the JSON below in the source.
 "excludeAttributesFromProvisioning": [
            "<ACCOUNT_ATTR_NAME>"
        ]

APPROACH 2

  1. Manipulate the attributes in the before provisioning cloud rule, as a CLOUD RULE has access to the identity attribute object.
  2. If you don’t want this attribute to be passed to ACTIVE DIRECTORY, then you can exclude that account attribute from provisioning by adding the JSON below in the source.
 "excludeAttributesFromProvisioning": [
            "<ACCOUNT_ATTR_NAME>"
        ]

By excluding the account attribute, your after connector rule will receive the attribute through the provisioning plan, which you can use for further dynamic manipulations, but it won’t send that attribute to the AD domain controller for provisioning.

Using APPROACH 1 will be better as you don’t have to include SAILPOINT to deploy the CLOUD RULE and control of execution for that attribute will be with you.
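Worked example added to this thread (not code from any of the replies above, and not SailPoint's own sample): once the identity attribute has been mapped into the account request by either approach, the After rule reads it from the AccountRequest XML that IQService hands the script in $env:Request. The XML below is a constructed sample shaped like that payload; the attribute names and the assumption that scalar values arrive in a value= attribute while multi-valued ones arrive as <Value><List><String> children are mine, so check them against a real request in your tenant. It runs offline as-is; in a rule, replace $sampleRequest with $env:Request.

```powershell
# Added example, not code from the thread. Demonstrates reading an account
# attribute (here one mapped from an identity attribute) out of the
# AccountRequest XML without depending on utils.dll.
# Constructed sample request; in a real IQService rule use $env:Request.
$sampleRequest = @"
<AccountRequest application="Active Directory" op="Modify" nativeIdentity="CN=Jane Doe,OU=Users,DC=example,DC=com">
  <AttributeRequest name="mail" op="Set" value="jane.doe@example.com" />
  <AttributeRequest name="calculatedPrimaryEmailDomain" op="Set" value="example.com" />
  <AttributeRequest name="memberOf" op="Add">
    <Value>
      <List>
        <String>CN=Staff,OU=Groups,DC=example,DC=com</String>
        <String>CN=VPN-Users,OU=Groups,DC=example,DC=com</String>
      </List>
    </Value>
  </AttributeRequest>
</AccountRequest>
"@

function Get-AttributeRequestValue {
    param(
        [Parameter(Mandatory)] [string] $RequestXml,
        [Parameter(Mandatory)] [string] $AttributeName
    )
    [xml] $doc = $RequestXml

    # Compare on GetAttribute() instead of building an XPath from $AttributeName,
    # so a caller-supplied name can never alter the query.
    $found = @($doc.DocumentElement.SelectNodes('AttributeRequest') |
               Where-Object { $_.GetAttribute('name') -eq $AttributeName })
    if ($found.Count -eq 0) { return $null }
    $node = $found[0]

    # Scalar values travel in the value= attribute (assumed shape) ...
    if ($node.HasAttribute('value')) { return $node.GetAttribute('value') }

    # ... multi-valued ones as <Value><List><String> children (assumed shape).
    $values = @($node.SelectNodes('Value/List/String') | ForEach-Object { $_.InnerText })
    if ($values.Count -eq 0) { return $null }
    return $values
}

# Usage: the attribute that APPROACH 1/2 pushed into the plan is now readable here.
$domain  = Get-AttributeRequestValue -RequestXml $sampleRequest -AttributeName 'calculatedPrimaryEmailDomain'
$groups  = Get-AttributeRequestValue -RequestXml $sampleRequest -AttributeName 'memberOf'
$missing = Get-AttributeRequestValue -RequestXml $sampleRequest -AttributeName 'doesNotExist'

"domain=$domain"
"groups=$($groups -join '; ')"
"missing=$(if ($null -eq $missing) { '<not in request>' } else { $missing })"
```

Two points worth keeping in mind when you wire this into a rule. First, the request can also carry sensitive AttributeRequests (a password set on Create, for instance), so log only the attribute you extracted rather than the whole $env:Request, as the debug branch of the rule earlier in this thread does. Second, the function returns $null for an attribute that is absent from the plan; that is the normal case for Modify operations when the attribute did not change, which is exactly why the replies above recommend putting it in the plan explicitly rather than assuming it is always there.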

I simply call the Search API whenever I need an identity attribute inside the PowerShell script run by the Native AD rules

Hello @saikumarS, you can use the Sail PowerShell module and then retrieve the identity and whatever identity attributes you want to retrieve - PowerShell SDK | SailPoint Developer Community
