We are writing ISC identity attribute cloud rule and want to return value based on the attribute for which the rule is called. for example, if the rule is called for identity attribute ‘email domain’, then the rule should return email domain and for ‘secondary email domain’, it should return ‘secondary email domain’ based on few calculations.
However, I am unable to get the name of identity attribute for which the identity attribute rule is called.
In SailPoint ISC Identity Attribute Rules, there is no direct built-in argument that tells you which identity attribute is calling the rule.
Identity Attribute Rules in ISC are invoked per attribute, and each invocation is isolated. SailPoint does not pass the target attribute name (e.g., email domain) into the rule context automatically.
Recommended Solutions:
1. Create a Separate Rule Per Attribute (Best Practice in ISC)
This is the most straightforward and ISC-compliant method:
Define separate rules for each attribute in the Identity Profile (e.g.):
emailDomainRule → assigned to email domain
secondaryEmailDomainRule → assigned to secondary email domain
This avoids conditional logic inside a single rule and makes it easier to manage and debug.
@dheerajk27 Thank you very much for you quick reply. I agree with your suggestion. However, we are having same logic (search the account by native identity and return value for these attributes from the source account) to get value for 5 different attributes.
Is there a way we can write a generic rule where we will search the account first and return the value depending upon the calling attribute ?
@JackSparrow The requirement is to build the nativeIdentity using identity attribute companyNumber + DeprtmentNumber, search the account using nativeIdentity and return the value. Would it be possible to achieve this using a transform ?
The Velocity template context for identity attribute transforms includes an attributeDefinition variable that can be used to get the name of the identity attribute being evaluated. The following velocity expression will return the technical name of the identity attribute: $attributeDefinition.getName().
The following transform example would provide this in a variable named identityAttributeName to the Beanshell namespace of your rule:
@nsorlien Thank you very much for your valuable inputs. This will make the transform generic.
I do have one more follow up question. Currently, I am using identity attribute rule and successfully able to call it using transform. However, the rule validator throws an error “could not retrive the deifinition of variable identiyAttributeName”.
Is it possible to inject a variable to Identity Attribute rule ?