Create Unique Account ID Generator - Pattern for uppercase?

cstepp · March 20, 2024, 9:58pm

I am attempting to use the Create Unique Account ID to generate an attribute on a connector’s Create Account config. I am using the pattern shown below but I need the division to be uppercase. Is there a way to do this from within the pattern used field?

USER_$(division)_$(jobCode)

brennenscott · March 20, 2024, 11:02pm

Hey @cstepp, please see my notes below.

Primary Solution - Upper Transform

Have you considered utilizing the built-in ToUpper transform for the attributes within the Identity Profile for both Division and Job Code? This will display these values in all uppercase in the Identity Details page and can be used that way with your existing configuration.

If you do not want to configure this in the Identity Profile, see below for an alternative solution.

Alternative Solution - Username Generator Transform

You can use the Username Generator tansform/rule for the Create Profile. An example that may meet your needs is below:

Example

{
    "name": "YOUR ATTRIBUTE NAME HERE",
    "transform": {
        "type": "usernameGenerator",
        "attributes": {
            "sourceCheck": true,
            "patterns": [
                "USER_$division_$jobCode"
            ],
            "division": {
                "type": "upper",
                "attributes": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "division"
                    }
                }
            },
            "jobCode": {
                "type": "upper",
                "attributes": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "jobCode"
                    }
                }
            }
        }
    },
    "attributes": {
        "cloudMaxUniqueChecks": "5",
        "cloudMaxSize": "100",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "",
    "isMultiValued": false
}

As you can see, we have defined our attributes within this transform code and nested the identity attribute within the upper transform operation. This will pull these attributes from the identity and change all characters to uppercase.

Implementation & Outcome

This would be applied in your CREATE profile for the source. This cannot be added via the UI and must be added via the API utilizing the /v3/sources/:id/CREATE method and endpoint (See this link for more information).

Once you apply this transform, you will no longer see the patterns you provided in the Create Account UI. Instead, you will see “Custom Transform” like the following:

Important

The Username Generator transform can only be used in the Create Profile for the attribute identified as the Account ID; it will not work for other attributes. This solution may not be right for you. Feel free to reply and provide additional information as needed.

iamology · March 21, 2024, 1:13pm

If this is to be applied on an attribute that is not marked as Account ID in the account schema and it does not have to be unique, you can use a custom transform to populate the string in upper case.

cstepp · March 21, 2024, 2:19pm

Primary Solution - changing it on the identity profile is not an option unfortunately

Alternative solution - This attribute is not the Account ID. If this can’t be done in the UI with the pattern field, sounds like I’ll need a custom transform. Will the same basic structure you provided for the usernameGenerator work with a different transform type?

brennenscott · March 21, 2024, 4:48pm

Iamology brings up a good point. Below is a matrix displaying the appropriate option based on the conditions of this attribute and its generation/maintenance.

Matrix

	Unique Attribute	Non-Unique Attribute
Attribute Sync	Rule	Identity Attribute
No Attribute Sync	1. Unique LDAP Attribute Generator 2. Rule	Static Transform

Attribute Sync Explanation

One important component mentioned in this matrix above is Attribute Sync. This functionality ensures that attributes that are updated in an Identity are reflected in downstream systems and the corresponding attributes at the time the attribute is updated, as well as on a periodic refresh and check. This is a common configuration where organizations want to ensure that, should a user’s job title, department, office location, description, etc. change, the change reflected in the Identity Attributes also reflects in downstream systems. Attribute Sync accomplishes this.

Attribute Sync Caveat

Attribute Sync can be configured in the source configuration page underneath the Create Account button.

Important

Attribute Sync can only be configured for attributes in the Create Account Profile that are using Identity Attribute as the source. It cannot be used for any attributes that use a Generator or Static attribute. Attributes will only show up in the Attribute Sync menu if they have been configured with an Identity Attribute in the Create Account Profile.

Primary Recommendations

Based on our discussion, I have a couple of recommendations. Based on the attribute requirements you provided, I am assuming this value for the user does not need to be unique.

If you need the attribute to be updated whenever a user’s division or job code change, you will need to use Attribute Sync. This means you should create a new Identity Attribute that will hold the USER_DIVISION_JOBCODE value in all uppercase. You can then map this identity attribute to the account attribute and enable Attribute Sync.
If you do not need the attribute to be updated, if this is a very uncommon use case, or if you do not want this attribute to be displayed in the identity details itself, you should use a Static Transform as seen below.

Static Transform

As long as you do not need the attribute to be synchronized, and the attribute does not need to be unique, you can use the Static transform. Below is the Static transform you may want to use within the Create Profile.

Static Transform - No Conditional Logic

{
    "name": "YOUR ATTRIBUTE NAME HERE",
    "transform": {
        "type": "static",
        "attributes": {
            "division": {
                "type": "upper",
                "attributes": {
                    "input": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "division"
                        }
                    }
                }
            },
            "jobCode": {
                "type": "upper",
                "attributes": {
                    "input": {
                        "type": "identityAttribute",
                        "attributes": {
                            "name": "jobCode"
                        }
                    }
                }
            },
            "value": "User_${division}_${jobCode}"
        }
    },
    "attributes": {},
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

This static transform will pull the necessary attributes from the Identity and then convert them to uppercase.

How this appears in the UI

You will only see the contents of the value attribute here.

Summary

If you need Attribute Sync and a Unique Attribute, you will need to implement a Rule.
If you need Attribute Sync but do not need the attribute to be unique, you can use an Identity Attribute (we already covered this will not work for you unless you specifically created a new Identity Attribute that contains the USER_DIVISION_JOBCODE value for the user. That may be a valid approach).
If you do not need Attribute Sync and the value must be unique, you can use the Unique LDAP Attribute Generator (this also will not work for you because we do not have the uppercase attributes to use). Or you can create a Rule.
If you do not need Attribute Sync and you do not need the value to be unique, you can use a Static transform within the Create Profile.

iamology · March 21, 2024, 4:51pm

I guess this should be written as User_${division}_$jobCode

brennenscott · March 21, 2024, 5:33pm

You are correct! I missed that.

You actually don’t need to enter curly braces for the variables in the Static transform; the variables will be rendered appropriately without them, as long as they are by themselves and not next to other text.

So, because there is text next to it in this case, you are correct; it would be appropriate to provide the curly braces.

Thanks for correcting this for me !

It should be User_${division}_${jobCode} or User_${division}_$jobCode. I corrected this in my original post.

cstepp · April 5, 2024, 3:15pm

Thanks @brennenscott and @iamology for all the detailed information. We went with the transform on this.

system · June 4, 2024, 3:16pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Account Generator Issues ISC Discussion and Questions identity-security-cloud , provisioning	7	252	March 3, 2024
Generating Unique name using uniqueCounter ISC Discussion and Questions	5	1731	July 19, 2023
Active Directory DistinguishedName Generation in Create Profile ISC Discussion and Questions transforms , identity-security-cloud	11	304	August 9, 2024
Account ID Case Sensitivity ISC Discussion and Questions webservice-connector , apis , aggregation , identity-security-cloud	9	331	July 15, 2024
Generate Unique Active Directory AccountID using Multiple Patterns ISC Discussion and Questions rules , identity-security-cloud , provisioning	4	590	May 14, 2024