Assistance Needed for samAccount Creation Logic Issue

Hi Team,

Could someone please assist with the following issue?

The logic I use for creating a samAccount is (“$(idealFirstname).$(idealLastName)$(uniqueCounter)”) but it fails when the first name is 19 characters long. This occurs because Active Directory does not accept a period as the last character. According to our new logic, if the first name is 19 characters, we need to use the format firstinitial.lastname(uniqueCounter). Otherwise, it should follow the existing format of firstname.lastname(uniqueCounter).

Please adhere to the rule “Create Unique LDAP Attribute.”

This is the logic I have used.

{
    "name": "sAMAccountName",
    "transform": {
        "type": "rule",
        "attributes": {
            "name": "Create Unique LDAP Attribute"
        }
    },
    "attributes": {
        "template": "$(idealFirstname).$(idealLastName)$(uniqueCounter)",
        "cloudMaxUniqueChecks": "50",
        "sourceCheck": true,
        "cloudMaxSize": "20",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

Hi,

You can create one more identity attribute for idealFirstname. In that attribute, use a Velocity script to check whether idealFirstname is more than 19 chars; if it is, take the first letter of the first name, otherwise use the full first name. Then use the new identity attribute in the create profile.

The transform will look something like the one below.

{
	"name":"ADIdealFirstName",
	"type":"static",
	"attributes":{
		"getIdealFirstName":{
			"attributes":{
				"name":"idealFirstname"
			},
			"type":"identityAttribute"
		},
		"value":"#{if}($getIdealFirstName.length()>2)$getIdealFirstName.substring(0,1)#{else}$getIdealFirstName#{end}"
	}
}

-Abhinov

Hi Abhinov,
Thanks for the reply. Is it possible to calculate the new value in the samAccount attribute in create provisioning?

Hi,

Can you try below? It should work.

{
    "name": "sAMAccountName",
    "transform": {
        "type": "static",
        "attributes": {
            "getIdealFirstName": {
                "attributes": {
                    "name": "idealFirstname"
                },
                "type": "identityAttribute"
            },
            "getLastName": {
                "attributes": {
                    "name": "idealLastName"
                },
                "type": "identityAttribute"
            },
            "value": "#{if}($getIdealFirstName.length()>2)$getIdealFirstName.substring(0,1).$getLastName${uniqueCounter}#{else}$getIdealFirstName.$getLastName${uniqueCounter}#{end}"
        }
    },
    "attributes": {
        "template": "$sAMAccountName",
        "cloudMaxUniqueChecks": "50",
        "sourceCheck": true,
        "cloudMaxSize": "20",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

-Abhinov

Hi @poison001

Yes, you can even create this samAccountName in the create provisioning policy, but I believe you will need this generated samAccountName at the identity attribute level anyway, as you can then use it for other application provisioning or many other purposes.

So you can either keep it in the account creation policy and then receive it from AD during aggregation as an identity profile, or you can create it as an identity attribute and generate it at the identity level.

But both of these processes may fail if a duplicate samAccountName is generated, so it may be worth testing that scenario as well. If it fails, you will need to use the cloud rule to generate the samAccountName.

I hope this helps.

Regards
Vikas

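A small model for testing the naming rule discussed in this thread against its edge cases (first names of 18, 19 and 20 characters, and duplicates) before it goes into a transform or cloud rule. This is an added example, not code from any poster or from SailPoint. It assumes the template is rendered and then cut to cloudMaxSize with room kept for the counter, that a counter of 0 renders as empty, and that "first name is 19 characters" means 19 or more; the function names are hypothetical.

```python
MAX_SIZE = 20      # cloudMaxSize in the policy on this page
MAX_CHECKS = 50    # cloudMaxUniqueChecks in the policy on this page
INITIAL_AT = 19    # first-name length at which the question switches to the initial


def render(first, last, counter, use_initial_rule):
    """Assumed model: fill the template, then cut to MAX_SIZE keeping the counter."""
    head = first
    if use_initial_rule and len(first) >= INITIAL_AT:  # ">= 19" is an assumption
        head = first[0]
    suffix = "" if counter == 0 else str(counter)      # counter 0 = empty (assumption)
    return f"{head}.{last}"[: MAX_SIZE - len(suffix)] + suffix


def ad_acceptable(name):
    """The two constraints the thread relies on: length cap, no trailing period."""
    return 0 < len(name) <= MAX_SIZE and not name.endswith(".")


def unique_sam(first, last, taken, use_initial_rule=True):
    """Try counters 0..MAX_CHECKS-1; return the first acceptable, unused name."""
    used = {t.lower() for t in taken}  # AD compares sAMAccountName case-insensitively
    for counter in range(MAX_CHECKS):
        name = render(first, last, counter, use_initial_rule)
        if ad_acceptable(name) and name.lower() not in used:
            return name
    return None  # caller should fail provisioning rather than send a bad value


if __name__ == "__main__":
    # Constructed sample names with first-name lengths 18, 19 and 20.
    for first in ("Maximilianaugustus", "Maximilianaugustusx", "Maximilianaugustusxy"):
        old = render(first, "Smith", 0, use_initial_rule=False)
        new = unique_sam(first, "Smith", taken={"M.Smith"})
        print(len(first), repr(old), ad_acceptable(old), repr(new))
```

The 19-character row shows the original template ending in a period, and the duplicate entry in `taken` exercises the scenario Vikas suggests testing.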