How to access account attributes data in JDBC connnector rule?

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hi! I am developing a JDBC provisioning rule. I could get the account data in the create plan operation. However, at the modify plan operation, account.getAttributeRequests returns only the id of the entitlement being modifying. I only have acces to IDN uid through the plan.getNativeIdentity method, however, this application has a different login.

Insert statement should be (app_login, entitlement_id).

getArgs() and getArguments() is deprecated and returns null. Is some way to obtain account fields like in create operation?

PS: I have a workaround asking client to add a column with IDN login value, but this should be my last plan.

2

Hi @jsosa

You cannot access data that is not there in Plan/AccountRequest in connector Rule as you cannot connect to the cloud data.

You need to manage this in Before Provisioning Rule which is cloud Rule and can query the database.

Thanks
Krish

3

Hi @MVKR7T thank you for your response. My problem is that the information I need at Modify operation is on IDN, not in database.

I am needing 2 fields from IDN application account to get, for example, database user id, in order to insert an entitlement (userid, entid, othervaluefromRH). I could add them to the identity profile, but still should need to access IDN identity attributes.

How can I query them from a Before Provisioning Rule?

4

Hi @MVKR7T I found that I was looking in the wrong place. I thought that it should be part of the connector rules like the web services BP rule, but you were talking about the cloud rule. I will give it a try as It is my first time using it.

Thanks!

5

If I understood correctly,

Where do you have these fields ?

  • In application object ?

  • In Identity object ?

  • In Link/Account object ?

I believe you are using JDBC Provision Rule which is connector level. Do you have the object as input to the Rule ? If yes then you can get the data.

Let us say that data is in application object, you have it as an input. So you can get the attributes.

image
image1036Γ—344 24.9 KB

In case if these attributes are in identity object, you don’t have entire identity as input here. So, you need to build identity object which is nothing but querying IDN DB. You cannot query the IDN DB from connector Rules, you can do only through cloud Rules. That is where you get the need of Before Provisioning Rule.

Thanks
Krish

6

Hi @MVKR7T thank you very much for always being there!

Looking the cloud rule, it brought me an idea that worked fine without using the BP cloud rule. It works fine for me, I will share so it remains here for other to use.

First thing is that the Before Provisioning cloud rule comes with a message that establish that it should be not used to add attributes to plan, so they suggest to use a create provisioning policy instead:

image
image1103Γ—242 24.4 KB

This is when I have the idea of see what happens if I use an UPDATE provisioning policy, and then account attributes begging to appear at the Modify Operation level in the rule.

So first thing I did is call the GET to obtain the CREATE provisioning policy:

image
image1025Γ—706 63.3 KB

Then I simply paste the same code, changing usageType to UPDATE:

image
image707Γ—534 37.3 KB

Some weird thing I noticed, is that fields that has the identity attribute direct transform does not apper in the Modify Operation, other accoun attributes with static transform, or other transform (I had a random number transform) indeed appears when Modify Operation occurs.

So as a workaround, in the CREATE provisioning policy (the Create Account in the UI), I mapped some XXX attribute with the desired Identity attribute, and then use the Account Attribute transform in the UPDATE provisioning policy:

image
image1132Γ—817 73.1 KB

Now, before entering the operation evaluating plan, I create a Map with account attribute/value like this:

Map accountAttributes = new HashMap();
List attributesRequestList = account.getAttributeRequests();
Iterator attributesRequesIterator = attributesRequestList.iterator();
while (attributesRequesIterator.hasNext()) {
	AttributeRequest attributeRequest = (AttributeRequest) attributesRequesIterator.next();
	log.warn("attribute##" + attributeRequest.getName() + "##" + attributeRequest.getValue() + "##" + attributeRequest.getDisplayValue());
	accountAttributes.put(attributeRequest.getName(), attributeRequest.getValue());
}

if (AccountRequest.Operation.Create.equals(account.getOperation())) {
........................................................

Finally, I just revised Map and found the value I needed:

image
image930Γ—249 43.7 KB

On log, when adding an entitlement:

image
image717Γ—285 35.3 KB

1 Like
7

I add a patch to previously post. I realized that not all attributes come, because only comes updated attributes. At some moment, only saw the attribute that contains the random number transform.

So I figured out an update to last provisioning policy to bring account/identity attributes. I simply generated the desired account attribute (which holds the identity attribute), concatenated with an β€œ-” and a random number. Then, this attribute comes with every operation:

image
image607Γ—812 47.1 KB

image
image825Γ—122 20.6 KB

8

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.