Best way to clear an identity attribute when the source attribute becomes null or empty

Which IIQ version are you inquiring about?

Version 8.X

Share all details related to your problem, including any error messages you may have received.

What would be the best way to empty an identity attribute when the source attribute becomes null or empty?

Use-cases:

  • Correcting data in the authoritative source
  • Data Minimization
  • Employee Exit, like remove job name

Within IdentityIQ, setting a Source Attribute Mapping for an Identity Attribute will not result in emptying the Identity Attribute. The attribute is not aggregated; therefore, the Identity Source Mapping will not be triggered.

I have this working, but am looking to see if there are other/better ways to accomplish the same.

The way I have set it up right now:
In the Identity Attribute Mapping I added an Application Rule as Source Mapping.
The content of the rule is:

  import sailpoint.tools.Util;

  // Current values on the account (link) and on the identity
  String linkAttribute = link.getAttribute("JobName");
  String identityAttribute = identity.getStringAttribute("jobName");

  // Source value is gone but the identity still has one: blank it and save directly
  if (Util.isNullOrEmpty(linkAttribute)) {
    if (Util.isNotNullOrEmpty(identityAttribute)) {
      identity.setAttribute("jobName", "");
      context.saveObject(identity);
      context.commitTransaction();
    }
  }

  return linkAttribute;

Please provide any advice/thoughts on this approach or discuss why other options would be better 🙂

– Remold

1 Like

Wouldn’t simply returning null from the rule in turn null out the identity attribute if it previously had a value? Pretty sure this is how I have always done it.

I also would not recommend saving the identity object with context in this rule. It should just be returning the value for the given identity attribute. Let the running refresh process update the identity properly.

1 Like

I did some testing in my lab-environment (with App Attribute, App Rule, Global Rule) and you are correct @patrickboston 🙂

I have seen issues with emptying identity attributes.
The only way I could reproduce IIQ not emptying the attribute (deleting the attribute) is: if the AttributeMetadata for the attribute is incorrect or not available, the value is not removed. However, this is more an issue with the AttributeMetadata and not with IIQ not emptying the attribute 😉

– Remold

Ah, yes I’ve run into that as well when switching from direct mappings to rules or vice versa. Only way around that is to write a task to go and clear all identity attribute metadata for that specific attribute so the new mapping takes effect.

1 Like

Yeah, there’s an issue (bug?) in IIQ when you do that. If the attribute was derived from a Link, the AttributeMetadata will only allow the attribute to be cleared if it’s blanked out by that Link. If the Link itself just disappears, e.g., via aggregation delete, then the value can never be nulled out by a Link mapping.

IIQ will always run a Global Rule, because it’s not tied to a particular Link.

The other problem is that IIQ interprets “null” in an identity attribute rule to mean “no value from this, move along”.

I usually create a generic rule called “Return Empty String” which returns "" (explicitly non-null) and map it last. That always works.

2 Likes
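
The ordered-source behaviour described in the replies above, as an added example that is not part of the original thread and is not IdentityIQ code. It is a simplified model in plain Java: `resolve()`, the `Map`-based link and the class name are assumptions for illustration, and a deleted link is modelled as `null`.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

// Simplified model of the ordered source-mapping behaviour described in this thread.
// Not IdentityIQ code: resolve() and the Map-based "link" are assumptions for illustration.
public class SourceMappingModel {

    // Application rule as advised in the replies: return the link value, never save the identity.
    static final Function<Map<String, String>, String> APP_RULE =
            link -> link == null ? null : link.get("JobName");

    // Global rule "Return Empty String": explicitly non-null, does not depend on a link.
    static final Function<Map<String, String>, String> RETURN_EMPTY_STRING = link -> "";

    // Sources are tried in order; null means "no value from this, move along".
    static String resolve(List<Function<Map<String, String>, String>> sources,
                          Map<String, String> link) {
        for (Function<Map<String, String>, String> source : sources) {
            String value = source.apply(link);
            if (value != null) {
                return value;
            }
        }
        return null; // no source produced a value
    }

    static String show(String value) {
        return value == null ? "<no value from any source>" : "\"" + value + "\"";
    }

    public static void main(String[] args) {
        List<Function<Map<String, String>, String>> ruleOnly = Arrays.asList(APP_RULE);
        List<Function<Map<String, String>, String>> withFallback =
                Arrays.asList(APP_RULE, RETURN_EMPTY_STRING);

        // Constructed sample inputs: populated link, link without JobName, deleted link.
        Map<String, String> populated = Collections.singletonMap("JobName", "Engineer");
        Map<String, String> blanked = Collections.emptyMap();
        Map<String, String> deleted = null;

        for (Map<String, String> link : Arrays.asList(populated, blanked, deleted)) {
            System.out.println("link=" + link
                    + " ruleOnly=" + show(resolve(ruleOnly, link))
                    + " withFallback=" + show(resolve(withFallback, link)));
        }
    }
}
```

In this model the application rule alone yields no value for the blanked and deleted links, while the list with the fallback mapped last always resolves to an explicit empty string.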
