Hi all, we are having an issue with coding a particular transform.
We need to set a missing attribute in a target directory system using a transform within the provisioning policy (which we’ve customised and is working with a static value)
We need to change this to a dynamic value now. This value need to come from the entitlement being provisioned within the access profile that is being requested.
What object and attributes can we reference and code to achieve this?
Clearly a more detailed documented reference guide for Transforms is much needed. Posting on forums for this should really be a last resort since it’s slower and less efficient for all parties involved. We pushed for the same type of guide when developing JDBC Provisioning Rules and we got it in the form of this Java Docs | SailPoint Developer Community
Hey Richard, first and foremost, welcome to the developer community! You are absolutely right about deeper guides and documentation around Transforms being needed. Good news is that new and updated docs is coming
While we wait for someone else much smarter than me to help you out in the short term, I have some questions to help me out on the docs, if I may.
Have you gone through the transform docs that exist today? If so, where in those docs would you have expected to find them?
Do you feel you would have found this exact scenario in the docs, or do you feel enough foundational education would exist that you would have concluded this solution from that?
We are looking at adding many new areas of developer documentation next quarter, and your responses would be a great help!
This explains how to reference the $identity object, but the documentation isn’t comprehensive enough. What other objects (and their attributes) can we access here?
Architects and developers need a full class library reference guide for transforms and other areas that can be coded (like the Java Docs example, otherwise we’re trying to construct solutions with pure guess work.
Re Q2, yes if the full class library reference guide was included here I’d definitely had found it and it would have covered my scenario.
This is incredibly detailed feedback—I cannot thank you enough for this!
You should consider participating in our Ambassador Program. I’d love to award you some points for this feedback. We take the time to reward you for detailed contributions that help us improve, just like this!
We’d like to obtain the entitlement value that is being provisioned so we can set the groupMembership attribute value in the target LDAP directory.
Unfortunately this is not being set by the OOTB connector.
Kindest regards,
Rich
p.s. It may also be useful for us to code the transform conditionally but we should be able to do this using the correct velocity logic - once we know what object and attribute variables we can reference.
It should be fixed at connector level mapping, you need to check why attribute value is not getting populated when you request for Role/AccessProfile/Entitlement.
For example, when we request for AD, entitlement is memberOf (Gorup). We get the group value irrespective of what you request, either Entitlement or Access Profile or Role.
Coming to other question, requested access (Entitlement/AccessProfile/Role) will not be available at Provisioning Policy form. It will be available for you in Before Provisioning Rule through Provisioning Plan object.
Transforms are used in Identity Profile and Provisioning forms. Identity, Link and Application objects are accessible at Identity Profile and Provisioning forms, so the same objects can be referenced in Transforms.
