Before Provisioning Cloud Rule

Hello everyone,
I am generating a unique sAMAccountName for an Active Directory source, and the rule is working fine. Now I would like to validate that unique generated sAMAccountName against an attribute of another source, for example Source ABC. If the unique generated sAMAccountName is the same as one of the account attributes of source ABC, then I don't want to use that sAMAccountName and will append a number to it.

Could anyone let me know how I can achieve this solution?

Here is what you do:
Step 1: Promote sAMAccountName in both sources as one searchable attribute
API info to do this
POST {{baseUrl}}/beta/accounts/search-attribute-config
Body

{
    "name": "promotedsAMAccountName",
    "displayName": "Promoted sAMAccountName",
    "applicationAttributes": {
        "<SourceID>": "<Attribute Name in Source Account Schema>",
        "fcd994d7f2e145f0b79f8f1dfbd4c9df": "sAMAccountName",
        "9e9a6f066eb14b0f9447c3e2a57b0399": "sAMAccountName"
    }
}

The name above can be anything unique in your tenant; it does not need to be promotedsAMAccountName.

Step 2: Use the attrSearchCountAccounts method of IdnRuleUtil in your rule to check whether an account with the same sAMAccountName exists in any of the sources listed above.

Typical Java code will look like this:

boolean isValueUnique = false;
List searchValues = Arrays.asList(new String[]{searchValue}); // the values argument is a List, not a single String
int identityCount = idn.attrSearchCountAccounts(sourceList, "promotedsAMAccountName", "Equals", searchValues);
if (identityCount == 0) isValueUnique = true;

sourceList is a List of source IDs.
promotedsAMAccountName should match the name in the request body from Step 1.
Equals and StartsWith are the only two operations supported by this method.
searchValue is the string you are checking for uniqueness.

2 Likes

Thank you very much, let me work on this and will post another question if needed.

Thank you very much Nithesh, I have gone through it and have one quick question.
List SOURCE_IDS = new ArrayList(Arrays.asList(new String[]{"4028112837fe14c70177fe1955e9032c","4028812877fa18c72177fs195baa0341"}));

Do we have to hard-code the source IDs in our rule?
Is there any other way to maintain source IDs?

Hi @singlde

I would suggest that you not hard-code these values but create a key in your AD source JSON under the connectorAttributes map, something like

"searcheable_source_ids": ["id1","id2","id3"]

then in the cloud rule you can retrieve these ids using

application.getAttributeValue("searcheable_source_ids") 

and then convert this array input to an ArrayList if needed.
The advantage of this approach is that you do not need to reach out to SailPoint support each time you deploy the cloud rule to higher environments. You can use the sp-config API to deploy the before-provisioning rule and just need to ensure that you change these source IDs in the AD source JSON.
But please make sure to add some exception checks in case you forget to update these source IDs on the AD source.

I hope this helps.

Regards
Vikas.

3 Likes
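Putting the two answers above together (Nithesh's promoted search attribute plus attrSearchCountAccounts, and Vikas' suggestion to read the source IDs from the AD source's connectorAttributes), here is an added example of the full uniqueness loop that appends a number on collision. It is not code from this thread or from SailPoint; it assumes a search attribute named promotedsAMAccountName exists as created in Step 1, that the AD source JSON carries connectorAttributes.searcheable_source_ids, that the rule context provides idn (IdnRuleUtil) and application (Application), and that the 20-character pre-Windows 2000 logon name limit applies. The class wrapper is only there so it compiles as plain Java; inside a BeanShell rule body you would paste the methods directly, which is why no generics are used.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.server.IdnRuleUtil;
import sailpoint.tools.GeneralException;

// Added example, not code from the thread. Assumes the search attribute
// "promotedsAMAccountName" from Step 1 exists, that the AD source JSON carries
// connectorAttributes.searcheable_source_ids, and that the rule context
// provides idn (IdnRuleUtil) and application (Application).
public class UniqueSamAccountName {

    static final String PROMOTED_ATTR = "promotedsAMAccountName";
    static final int SAM_MAX_LEN = 20;   // pre-Windows 2000 logon name limit for user objects
    static final int MAX_ATTEMPTS = 50;  // stop looping if the namespace is exhausted

    // Reads the source IDs from the AD source instead of hard-coding them, and
    // fails loudly when the attribute was not carried over to this tenant.
    public static List searchableSourceIds(Application application) throws GeneralException {
        Object raw = application.getAttributeValue("searcheable_source_ids");
        List ids = new ArrayList();
        if (raw instanceof List) {
            for (Object o : (List) raw) {
                ids.add(String.valueOf(o).trim());
            }
        } else if (raw != null) {
            // tolerate a comma-separated string as well as a JSON array
            for (String s : String.valueOf(raw).split(",")) {
                if (s.trim().length() > 0) ids.add(s.trim());
            }
        }
        if (ids.isEmpty()) {
            throw new GeneralException("searcheable_source_ids is missing or empty on source "
                    + application.getName());
        }
        return ids;
    }

    // True when no account in any listed source has exactly this value.
    // "Equals" is deliberate: "StartsWith" would report jsmith2 as a clash for jsmith.
    public static boolean isFree(IdnRuleUtil idn, List sourceIds, String candidate)
            throws GeneralException {
        List values = Arrays.asList(new String[]{candidate});
        return idn.attrSearchCountAccounts(sourceIds, PROMOTED_ATTR, "Equals", values) == 0;
    }

    // Returns base if it is free, otherwise base1, base2, ... trimming the stem so the
    // result stays within SAM_MAX_LEN, and throws instead of looping forever.
    public static String uniqueSamAccountName(IdnRuleUtil idn, List sourceIds, String base)
            throws GeneralException {
        String stem = base.length() > SAM_MAX_LEN ? base.substring(0, SAM_MAX_LEN) : base;
        if (isFree(idn, sourceIds, stem)) {
            return stem;
        }
        for (int n = 1; n <= MAX_ATTEMPTS; n++) {
            String suffix = Integer.toString(n);
            String cut = stem.length() + suffix.length() > SAM_MAX_LEN
                    ? stem.substring(0, SAM_MAX_LEN - suffix.length()) : stem;
            String candidate = cut + suffix;
            if (isFree(idn, sourceIds, candidate)) {
                return candidate;
            }
        }
        throw new GeneralException("No free sAMAccountName derived from " + base
                + " after " + MAX_ATTEMPTS + " attempts");
    }

    // Usage from the rule body, once the generated name is known (generatedName is a placeholder):
    //   String sam = uniqueSamAccountName(idn, searchableSourceIds(application), generatedName);
}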

Sorry, I am new to the SailPoint world, so I just want to verify with the experienced guys :).
Does the code below seem fine for my requirement in the beforeProvisioning rule?

public boolean isExistInPast(String samAccountNameToCheck) throws GeneralException {
    // Source IDs come from the AD source's connectorAttributes rather than being hard-coded
    List searcheableSourceIds = (List) application.getAttributeValue("searcheable_source_ids");
    String PROMOTED_ATTR_NAME = "promotedsAMAccountName";
    String SEARCH_OP = "StartsWith"; // Can also use "Equals"; "StartsWith" also counts e.g. jsmith2 as a hit for jsmith
    List SEARCH_VALUES = new ArrayList(Arrays.asList(new String[]{samAccountNameToCheck}));
    int count = idn.attrSearchCountAccounts(searcheableSourceIds, PROMOTED_ATTR_NAME, SEARCH_OP, SEARCH_VALUES);
    // Returns true when no matching account was found, i.e. the name is free to use
    return count == 0;
}