How to modify account request attributes in connector execution rule

We have created a before create rule for the AD connector using a connector execution rule to call the external APIs, and we are able to achieve this. However, we are not able to set the value for one of the AD account attributes. Can anyone help us with this.
Thanks
Narendra

I suppose you are trying to update sAMAccountName here (based on notes from your other post)…

Can you please share any Errors logged by the VA or IQService?

Hi @iamnithesh
I am trying to find a method to update samaccountname, which I couldn't. So there are no logs for that.

@colin_mckibben any thoughts on this? Can we use the before creation rule of the connector execution rule to update the samaccountname and distinguished name of the AD connector?

Hey Narendra,
Can you share the before creation rule? How are you setting the samAccountName and DN in it?

Hi @RAKGDS ,
Below is the code that we are using to update the attributes; we are calling external APIs to get the secureID.

# Walk the attribute requests of the incoming account request and overwrite
# the two values with what the external API returned (values redacted here)
foreach ($attribute in $requestObject.AttributeRequests) {
    if ($attribute.name -eq "sAMAccountName") {
        $attribute.value = "$($***********)";
    }

    if ($attribute.name -eq "userPrincipalName") {
        $attribute.value = "$($*******)@corpitsvcs.com";
    }
}

Also, I have followed the default thing that is mentioned below

Can you try to print the request again to see whether the attribute is getting set?

I can see from the logs that the updated values are printed

We have been able to write an after creation rule as suggested by SailPoint to update samaccountname, and it is being executed successfully as well. However, samaccountname is not getting updated. Any thoughts on this would be much appreciated. We have used the below command to update samaccountname.
# Look up the user and rename its sAMAccountName to the new value
Get-ADUser -Identity givenName | Set-ADUser -SamAccountName $NewValue

We did something similar with email addresses. Below are the main parts of our PowerShell script, which should be helpful for your use case. Just replace the mail references with samAccountName as needed.

# Get original value passed to PowerShell script from BeforeCreate rule
$attributes = @{}                      # name -> value map of the incoming request
$originalMailAttributeRequest = ""
foreach ($attribute in $requestObject.AttributeRequests) {
  $attributes[$attribute.Name] = $attribute.Value;
  # Save the original mail attribute object to be replaced later
  if ($attribute.Name -eq "mail") {
    log -message ("Original mail XML: " + $attribute.toXml())
    $originalMailAttributeRequest = $attribute
  }
}


# Generate new AttributeRequest
$newMail = "[email protected]"
$newMailAttributeRequest = New-Object SailPoint.Utils.objects.AttributeRequest
$newMailAttributeRequest.Operation = "Add"
$newMailAttributeRequest.Name = "mail"
$newMailAttributeRequest.Value = $newMail

# Remove the old AttributeRequest (only if the request actually carried one)
if ($originalMailAttributeRequest -ne "") {
  $requestObject.AttributeRequests.Remove($originalMailAttributeRequest);
}
# Parenthesise the concatenation so it is passed as a single -message argument
log -message ("Request Object after removal: " + $requestObject.toxml())
# Add in the new AttributeRequest
$requestObject.AttributeRequests.Add($newMailAttributeRequest)
log -message ("Request Object after addition: " + $requestObject.toxml())


# Return New AttributeRequest in requestObject to IQService
$requestObject.toxml() | out-file $args[2];

Hi @zachm117
Thanks for the response
Does this work for the after create rule? If yes, what should we pass in $args[2]?

Hi @bkumar592

Yes, this could work for an afterCreate rule also, you would just be modifying the resultObject instead of the requestObject.

I had forgotten to update $args[2] in my last post. This is the file path/location where the objects are stored and referenced by the IQService. So in the before create rule (to keep in line with my previous example), your rule would include something like this:

    # Read in the temp file path to write the final modified request object to
    $outFile = $args[0]

    & "C:\SailPoint\IQService\BeforeCreateScriptExample.ps1" $outFile

This passes the temp file path location used by the IQService, the value in $args[0], to the PowerShell script.

The PowerShell script would then look more like this:

# Temp file path handed over by the rule as the first script argument
$requestOutFile = $args[0]

# Get original value passed to PowerShell script from BeforeCreate rule
$attributes = @{}                      # name -> value map of the incoming request
$originalMailAttributeRequest = ""
foreach ($attribute in $requestObject.AttributeRequests) {
  $attributes[$attribute.Name] = $attribute.Value;
  # Save the original mail attribute object to be replaced later
  if ($attribute.Name -eq "mail") {
    log -message ("Original mail XML: " + $attribute.toXml())
    $originalMailAttributeRequest = $attribute
  }
}


# Generate new AttributeRequest
$newMail = "[email protected]"
$newMailAttributeRequest = New-Object SailPoint.Utils.objects.AttributeRequest
$newMailAttributeRequest.Operation = "Add"
$newMailAttributeRequest.Name = "mail"
$newMailAttributeRequest.Value = $newMail

# Remove the old AttributeRequest (only if the request actually carried one)
if ($originalMailAttributeRequest -ne "") {
  $requestObject.AttributeRequests.Remove($originalMailAttributeRequest);
}
# Parenthesise the concatenation so it is passed as a single -message argument
log -message ("Request Object after removal: " + $requestObject.toxml())
# Add in the new AttributeRequest
$requestObject.AttributeRequests.Add($newMailAttributeRequest)
log -message ("Request Object after addition: " + $requestObject.toxml())


# Return New AttributeRequest in requestObject to IQService
$requestObject.toxml() | out-file $requestOutFile;


The PowerShell script receives the variable (file path) from the rule, $args[0], and stores it in $requestOutFile. Once the necessary changes are done to the requestObject (or the resultObject for the AfterCreate rule), the PowerShell script overwrites the original file in the defined path with the new requestObject.

Please let me know if this helps!

  • Zach
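The replace-the-AttributeRequest pattern from the answer above, generalised into a reusable function as an added example (not code from the thread or from SailPoint). It assumes the usual IQService script context ($requestObject, the log helper and the temp file path in $args[0]), and $secureId is a hypothetical variable standing for the value returned by the external API; the sAMAccountName checks reflect AD's 20-character limit and disallowed characters so a bad value fails in the script rather than on the domain controller.

```powershell
function Set-AttributeRequestValue {
    param(
        [Parameter(Mandatory)] $Request,          # the IQService request object
        [Parameter(Mandatory)] [string] $Name,    # attribute to replace or add
        [Parameter(Mandatory)] [string] $Value    # new value
    )
    # Validate sAMAccountName before touching the request: AD rejects values
    # longer than 20 characters or containing any of "/\[]:;|=,+*?<>
    if ($Name -eq "sAMAccountName") {
        if ($Value.Length -gt 20 -or $Value -match '["/\\\[\]:;|=,+*?<>]') {
            throw "Invalid sAMAccountName '$Value': too long or illegal character"
        }
    }
    # Materialise the matches first so the collection is not modified while
    # being enumerated; handles the case where the attribute is absent (no-op)
    $existing = @($Request.AttributeRequests | Where-Object { $_.Name -eq $Name })
    foreach ($old in $existing) {
        log -message ("Removing original " + $Name + ": " + $old.toXml())
        $null = $Request.AttributeRequests.Remove($old)
    }
    # Build the replacement AttributeRequest and append it
    $new = New-Object SailPoint.Utils.objects.AttributeRequest
    $new.Operation = "Add"
    $new.Name = $Name
    $new.Value = $Value
    $Request.AttributeRequests.Add($new)
    log -message ("Set " + $Name + " to " + $Value)
}

# Usage inside the BeforeCreate script; $secureId is a hypothetical variable
# holding the value fetched from the external API
Set-AttributeRequestValue -Request $requestObject -Name "sAMAccountName" -Value $secureId
Set-AttributeRequestValue -Request $requestObject -Name "userPrincipalName" -Value "${secureId}@corpitsvcs.com"

# Hand the modified request back to IQService through the temp file in $args[0]
$requestObject.toxml() | Out-File $args[0]
```

For an AfterCreate rule pass $resultObject instead of $requestObject, as the answer above describes.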

Thanks @zachm117 for the help.
Our case got resolved without calling any PowerShell script. However, all the code we have written is in the rule under the script section, and we have used the default script that is provided as an example in the rule section.
