Condition in Transform is not working

ashish_kumar3284 · June 2, 2023, 3:14pm

Happy Friday!!

I am using the below transform in the create provisioning policy. Syntactically, it is correct and not throwing any error during execution. But, it is not working as expected. It should pass a blank value on not meeting the if condition.

"transform": {
                "type": "static",
                "attributes": {
                    "emplType": {
                        "attributes": {
                            "name": "employeeType"
                        },
                        "type": "identityAttribute"
                    },
                    "managerDN": {
                        "attributes": {
                            "name": "adManagerDn"
                        },
                        "type": "identityAttribute"
                    },
                    "value": "#if($emplType==\"internal-primary\")$managerDN#{else}#end"
                }
            }

Though, I tried to use another transform with a type conditional. Below is the transform:

"transform": {
            "type": "conditional",
            "expression": "$emplType eq internal-primary",
            "positiveCondition": "$managerDN",
            "negativeCondition": null,
                "emplType": {
                    "attributes": {
                        "name": "employeeType"
                    },
                    "type": "identityAttribute"
                },
                "managerDN": {
                    "attributes": {
                        "name": "adManagerDn"
                    },
                    "type": "identityAttribute"
                }
        }

Could you please help what I am doing wrong in this?

Thanks & Best Regards,
Ashish Kumar

ethompson · June 2, 2023, 5:28pm

@ashish_kumar3284 Can you show an example of a user where the employeeType is ‘internal-primary’ and the manager is not set to null? Can this logic be added to the managerDN transform so that the provisioning policy is just a direct Identity Attribute mapping?

ashish_kumar3284 · June 2, 2023, 7:11pm

@ethompson

Manager is getting set in both cases. We want the manager’s value should not to be set in the negative condition.

No, logic could not be added to “managerDN” transform as we want to populate manager value on Identity but don’t get synced with the application.

ethompson · June 2, 2023, 7:31pm

I tried an example of an Identity Attribute so you can see the preview. With a version similar to what you started with:

{
    "name": "Condition Test",
    "type": "static",
    "attributes": {
        "location": {
            "type": "accountAttribute",
            "attributes": {
                "sourceName": "et HR",
                "attributeName": "location"
            }
        },
        "managerDN": "CN=Edward,OU=Users,DC=example,DC=com",
        "value": "#if($location == \"internal-primary\")$managerDN#{else}#end"
    }
}

I see the DN value when the user equals the value:

Null when they do not:

ashish_kumar3284 · June 9, 2023, 10:20am

@ethompson

Thanks for sharing the screenshots and working samples. But unfortunately, the same is not working in my case.

Is there any possibility that the conditions-based transform does not work in the provisioning policy of sources?

Thanks

colin_mckibben · June 12, 2023, 1:11pm

Does the positive condition work? What exactly happens during the negative condition?

ashish_kumar3284 · June 12, 2023, 1:23pm

Yes, it is working for the positive condition. During the negative condition, the manager is being set as it is being set during the positive condition.

colin_mckibben · June 13, 2023, 2:10pm

That tells me that the condition is always true. Either your input data always has the emplType of internal-primary, or there is some kind of syntax error in your code.

Try these two tests:

Set the output of your value to $emplType instead of $managerDn to see what value for emplType you are testing. This will verify whether you are actually testing the negative condition for emplType or if you are always getting a value of internal-primary.
The only difference that I can see between your code and Edward’s code is that Edward put spaces between his equal signs. I doubt that is an issue, but maybe this is resulting in an always true evaluation.
- Your code: #if($emplType==\"internal-primary\")
- Edward’s code: #if($location == \"internal-primary\")

ashish_kumar3284 · June 13, 2023, 2:49pm

@colin_mckibben

I have tested the same transform in the Identity mappings and it is working flawlessly. I was able to test both conditions and got the results same as Edward’s. But, the same transform is not working in the provisioning policy.

tyler_mairose · June 13, 2023, 3:31pm

Hello @ashish_kumar3284,

I tested the following code in one of my CREATE provisioning policies. The conditional will work, however it requires the negativeCondition to have a value and it cannot just be null.

{
  "name": "lastName",
  "transform": {
    "type": "conditional",
    "attributes": {
      "expression": "$emplType eq internal-primary",
      "positiveCondition": "$managerDN",
      "negativeCondition": "$empty",
      "emplType": {
        "attributes": {
          "value": "internal-primary"
        },
        "type": "static"
      },
      "empty": {
        "attributes": {
          "value": "test"
        },
        "type": "static"
      },
      "managerDN": {
        "attributes": {
          "value": "DNname"
        },
        "type": "static"
      }
    }
  },
  "attributes": {},
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

With that being said the second method with a static transform worked in my provisioning policy. I tested it with static values instead of identityAttributes to simplify things. When I set the emplType to internal-primary, I got back the result DNName and any other value returned null. If you’re always getting back the positiveCondition I would agree with @colin_mckibben in that the emplType is always equal to internal-primary.

{
  "name": "lastName",
  "transform": {
    "type": "static",
    "attributes": {
      "emplType": {
        "attributes": {
          "value": "internal-primary"
        },
        "type": "static"
      },
      "managerDN": {
        "attributes": {
          "value": "DNName"
        },
        "type": "static"
      },
      "value": "#if($emplType==\"internal-primary\")$managerDN#{else}#end"
    }
  },
  "attributes": {},
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

colin_mckibben · June 20, 2023, 1:57pm

@ashish_kumar3284 Have you tried @tyler_mairose suggestion? Did it work for you?

ashish_kumar3284 · June 22, 2023, 10:53am

@colin_mckibben

I have tried that way at the very beginning of my tests. Tried again as suggested but not working.

ashish_kumar3284 · June 23, 2023, 10:17am

I am trying to make it work with a different approach.

Thanks all for your valuable input and suggestions.

system · August 22, 2023, 10:18am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Transform not working ISC Discussion and Questions	2	704	July 19, 2023
Provisioning Policy with Transform ISC Discussion and Questions transforms , identity-security-cloud , provisioning	3	219	February 17, 2024
Conditional transform working in sandbox but not production? ISC Discussion and Questions transforms , identity-security-cloud	13	492	July 19, 2023
Help with a transform ISC Discussion and Questions transforms , identity-security-cloud	11	283	January 1, 2024
Identity Attributes ISC Discussion and Questions transforms , identity-security-cloud	8	351	July 25, 2023

Condition in Transform is not working

Related Topics