CSV Delimited Source Multiple Multi-Valued Entitlements

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

I am trying to understand the correct formatting guidelines for delimited sources that have muiltiple multi-valued entitlements.

Based on the documentation when handling a single multi-valued attribute, you’re supposed to preformat the results to enumerate each item and duplicate the rest of the information, but what if there’s multiple multivalued attributes?

There’s different logical approaches to this problem, but we’re trying to understand the correct scope to ensure optimization and consistent results with all of the subprocessing within ISC to ensure entitlements are aggregated appropriately along with the correlation of those entitlements for each account.

So far we’ve identified the following possible solutions, but can’t decide which is best (ideal) for this use case and what ISC requires from a file-structure and multi-valued attribute approach.

Import Option A: Repeated items out-of-order

Email Address Roles Teams Comments
userA@ex.com Role-A Team-A
userA@ex.com Role-A Team-B
userA@ex.com Role-A Team-C
userA@ex.com Role-A Team-D
userA@ex.com Role-B Team-A # Teams repeated
userA@ex.com Role-B Team-B # Teams repeated
userA@ex.com Role-B Team-C # Teams repeated
userA@ex.com Role-B Team-D # Teams repeated

Import Option B: Repeat previous value

Email Address Roles Teams Comments
userA@ex.com Role-A Team-A
userA@ex.com Role-B Team-B
userA@ex.com Role-B Team-C # More Teams than Roles
userA@ex.com Role-B Team-D # More Teams than Roles
userB@ex.com Role-A Team-B
userB@ex.com Role-B Team-B # More Roles than Teams
userB@ex.com Role-C Team-B # More Roles than Teams

Import Option C: Structured to not repeat values

Email Address Roles Teams Comments
userA@ex.com Role-A Team-A
userA@ex.com Role-B Team-B
userA@ex.com Team-C # stop at Role-B
userA@ex.com Team-D
userB@ex.com Role-A Team-B
userB@ex.com Role-B # stop at Team-B
userB@ex.com Role-C
1 Like
2

You could use a different delimiter such as a Pipe symbol “|” for multiple values. This way you have one row per Identity record. You would need a transform for each attribute that is allowed to have multiple values. With a velocity script you could parse the data out.

{
  "attributes": {
    "pipeDelimitedString": "apple|banana|cherry|date",
    "value": "#set($fruits = $pipeDelimitedString.split('\\|'))$fruits[2]"
  },
  "type": "static",
  "name": "Pipe Delimited Split Example"
}

If one attribute / column is jobCode and you need to use it for role membership criteria, as part of the transform you could encapsulate the different jobCode values In squirly braces “{}”. Example: 504|503|509 could be transformed to an all job codes IDN attribute as {504}{503}{509}.

3

Following this:

I"m not sure transforms are relative to Entitlement aggregations. Or at least the Create Account profile and mapping identity attributes.

In this case, I have an export from the application (non-authoritative), but need to format the data prior to importing the file, and understand the correct way to enumerate multiple multi-valued entitlements for the accounts.

4

Uhggg, sorry totally missed this is for entitlements.

1 Like
5

Since you have control of the data file, another option that you might try is using the SQL Loader connector. While this connector does have some limitations, you should be able to have your entitlements separate from your users and combine them with a sql query.

For example:
USERS.CSV
FirstName, LastName, Login
User, A, userA@ex.com
User B, userB@ex.com

TEAMS.CSV
Login, Team
userA@ex.com, TeamA
userA@ex.com, TeamB
userB@ex.com, TeamC
userB@ex.com, TeamA

ROLES.CSV
Login, Role
userA@ex.com, Role-B
userA@ex.com, Role-C
userB@ex.com, Role-A
userB@ex.com, Role-D

Then you could make a select statement like:
select FirstName,LastName,Login,Teams,Roles
from users,teams,roles
where users.login=teams.login and users.login=roles.login.

Alicia

3 Likes
6

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.