Change in behavior with Account Attribute transform

We wrapped all Account Attribute transforms in a first-valid to suppress errors when the account attribute didn’t exist. I confirmed this was needed with an AAA session as I was surprised it was necessary.

We noticed that the behavior has now changed and the Account Attribute transform no longer throws an error for either a missing account, an empty attribute value, or even an invalid attribute.

Anyone know the story here? Has this changed, what should we be doing?

We designed many transforms that took advantage of the fact that an error was thrown; now the logic is broken across many transforms.

Hi @josephcasale ,
It appears that when you added the firstValid transform, a static value was passed to the counter for null or invalid entries. This behavior is expected. However, if your intention is to display a message or error when a null value is encountered, you can accomplish this by incorporating a static transform. You may also consider adding an if-else condition; for instance, if the value is “None,” you can print an “Invalid value” message, or similar.
In this way you can search those values using ISC search functionality also using search queries.
Let me know if I have misunderstood something here.

Hi @gourab
I don’t quite follow you, below is an example of the pattern we use:

{
    "name": "My Transform",
    "type": "firstValid",
    "attributes": {
        "requiresPeriodicRefresh": true,
        "ignoreErrors": true,
        "values": [
            {
                "attributes": {
                    "sourceName": "My Source Name",
                    "attributeName": "department"
                },
                "type": "accountAttribute"
            },
            ""
        ]
    }
}

We had noticed that if we just directly used the accountAttribute transform and no value was present, an error was thrown.

This pattern suppressed that.

My new observation is that no error is now thrown under any circumstances.

Hi @josephcasale
You can try like this:

{
    "id": "xxxxxxxxx",
    "name": "My Transform",
    "type": "static",
    "attributes": {
        "dept": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "department",
                            "sourceName": "My Source Name"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($dept.equals('none'))Dept_is_Null#{else}$dept#end"
    },
    "internal": false
}

In this way, if the value is an empty value, it will not throw an error, but from search you can search for those identities who have “Dept_is_Null” (or any other custom message you want) in their identity attribute department.

Note: I have not tested the transform

Do you know any details regarding the behavior of the account attribute transform and its error handling semantics?

As I mentioned, it appears to have changed and I am hoping to confirm.

Hi,
I don’t have any error handling semantics.
Your transform will not throw an error because you have wrapped it with firstValid and you have also set “ignoreErrors”: true in your transform.
See the documentation below: First Valid | SailPoint Developer Community

Hi @gourab,
We traced this initial decision back to an administrator's erroneous decision based on a typo in the source name (which does throw).

I can confirm that the account attribute transform does not throw an error when the attribute or its values do not exist; it just returns an empty value.
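
Added example, not part of any post in this thread and not SailPoint code: a small Python audit helper that walks exported transform JSON and lists every firstValid that wraps an accountAttribute, so transforms built on the assumption that a missing attribute throws can be found and reviewed. The function name and the report fields are hypothetical; the sample input is the two transform definitions posted above.

```python
import json

# Sample input: the two transform definitions posted in this thread.
SAMPLES = json.loads(r"""
[
 {"name": "My Transform", "type": "firstValid",
  "attributes": {"requiresPeriodicRefresh": true, "ignoreErrors": true,
   "values": [
    {"attributes": {"sourceName": "My Source Name", "attributeName": "department"},
     "type": "accountAttribute"},
    ""]}},
 {"id": "xxxxxxxxx", "name": "My Transform", "type": "static",
  "attributes": {
   "dept": {"attributes": {"values": [
      {"attributes": {"attributeName": "department", "sourceName": "My Source Name"},
       "type": "accountAttribute"},
      "none"]},
    "type": "firstValid"},
   "value": "#if($dept.equals('none'))Dept_is_Null#{else}$dept#end"},
  "internal": false}
]
""")

def find_first_valid_wrappers(node, path="$"):
    """Return one record per accountAttribute found directly inside a firstValid."""
    findings = []
    if isinstance(node, dict):
        attrs = node.get("attributes")
        if node.get("type") == "firstValid" and isinstance(attrs, dict):
            values = attrs.get("values", [])
            literals = [v for v in values if isinstance(v, str)]  # static fallbacks
            for v in values:
                if isinstance(v, dict) and v.get("type") == "accountAttribute":
                    a = v.get("attributes", {})
                    findings.append({
                        "path": path,
                        "source": a.get("sourceName"),
                        "attribute": a.get("attributeName"),
                        "fallbacks": literals,
                        # None means the key is absent; no default is assumed here.
                        "ignoreErrors": attrs.get("ignoreErrors"),
                    })
        for key, child in node.items():  # descend into nested transforms
            findings += find_first_valid_wrappers(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings += find_first_valid_wrappers(child, f"{path}[{i}]")
    return findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["name"], find_first_valid_wrappers(sample))
```
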
