How to print oldValue - log in the sailpoint.log IdentityAttribute

Which IIQ version are you inquiring about?

Version 8.3

Is this question regarding a custom connector? If so, please share relevant details below.

No, this question is not regarding a custom connector.

Share all details related to your problem, including any error messages you may have received.

Dear Community,

I would like to get more insight into the oldValue variable in the rules. In the PDF “Rules in IdentityIQ”, pages 105-106, section IdentityAttribute:
https://community.sailpoint.com/t5/Technical-White-Papers/Rules-in-IdentityIQ/ta-p/78176

Also, how can I use it and print it?

oldValue refers to the current value for that attribute.

The HR system will update the attribute value, if any.

For any reason, if you don’t want to update the attribute then you can return oldValue only.

For example, you have developed an IdentityAttribute Rule for the lastName attribute. If there is a change in lastName, you can create an audit event for that. Anyway, we have the value change Rule for that in Attribute mappings.

String lastName_Old = oldValue.toString();
String lastName_new = link.getAttribute("lastName");

if (!lastName_Old.equalsIgnoreCase(lastName_new)) {
    /* Audit event or any other logic */
}

I haven’t come across any real time use case here. I use to implement in value change Rule for auditing.

Preserving old value for any reason, I haven’t seen that in real time usage.

@MVKR7T thank you for your answer. I have a rule example; is it OK to apply it this way? How can I print oldValue?

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Status Target Mapping Rule" type="IdentityAttributeTarget">
   
    <Source><![CDATA[
            import sailpoint.object.Identity;

            boolean status = identity.isInactive(); 

            if (status) {
                return "I";//Inactive
            } else {
                returnValue = oldValue;// return "A";
            }
        ]]></Source>
</Rule>

So here, if status is active, it's going to return oldValue = A?

What table in IIQ stores that variable?

Your question is about IdentityAttribute Rule not IdentityAttributeTarget.

IdentityAttribute is used for source mapping - to read data into SailPoint

IdentityAttributeTarget is used for target mapping - to send data to target app

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Lastname Identity Attribute Rule" type="IdentityAttribute">
   
    <Source><![CDATA[
            return oldValue.toString();
        ]]></Source>
</Rule>

Add this Rule to your lastName identity attribute source mapping. Change lastName for some users in your HR application, run aggregation and refresh.

Check in identity, lastName will not be updated as we are returning oldValue (current value).


The ‘IdentityAttribute’-Rule is used during SourceMapping from an application account (Link, for instance the HR source account) to an attribute on the identity-cube if it is set as Application Rule. This will run during the identity refresh phase of the Aggregation Task for that Application (and during IdentityRefresh with option ‘Refresh identity attributes’ enabled).

It can also be used as a Global Rule in the SourceMapping to an attribute on the Identity-cube, where it is not tied to an application. It will run each time there is a refresh on the identity (each aggregation task and during IdentityRefresh with option ‘Refresh identity attributes’ enabled). An example might be to count the number of accounts an Identity has and put that number in an attribute.

The value returned by the ‘IdentityAttribute’-Rule will be put as value of the attribute on the identity-cube. The ‘oldValue’ available in the rule is the value of the attribute as it was set before the rule runs. It is just extra information which can be used within the rule. If the attribute value should not change (for whatever reason), the oldValue should be returned by the ‘IdentityAttribute’-Rule.

Take a look at the sequence diagram. The ‘IdentityAttribute’-Rule runs in the part of the Source Mapping.

– Remold

@MVKR7T thank you for your answer. Just to refine the code you shared, I put it all together, because I didn't get the “Audit” part, so it's also OK to return the new value, else keep the oldValue.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Lastname Identity Attribute Rule" type="IdentityAttribute">

    <Source><![CDATA[
            String lastName_Old = oldValue.toString();

            String lastName_new = link.getAttribute("lastName");

            if (!lastName_Old.equalsIgnoreCase(lastName_new)) {
                /* Audit event or any other logic */
                return lastName_new;
            } else {
                return oldValue.toString();
            }

        ]]></Source>
</Rule>

Hi Sara,

You might want to make sure the rule is NPE (NullPointerException) safe:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Lastname Identity Attribute Rule" type="IdentityAttribute">
<Source><![CDATA[
  import sailpoint.tools.Util;

  String lastName_new = link.getAttribute("lastName");
  if (oldValue == void || oldValue == null || !oldValue.toString().equalsIgnoreCase(lastName_new)) {
    /* Audit event or any other logic*/
    return link.getAttribute("lastName");
  }
  return oldValue.toString();
        ]]></Source>
</Rule>

– Remold


Hi @Remold, thank you for your answer. In the part “oldValue == void” I see an error.

It's gone if I add void.class; maybe it is because my IntelliJ doesn't work well with the language injection.

The == void is a specific Beanshell test and is not recognized by IntelliJ.

I added it only for completeness, but can be removed if you please.

– Remold


We use loggers to print the data.

Configure Log4j in your environment.

Then you can add the lines below, based on your log level.

log.error("old value::" + oldValue.toString());

or

log.debug("old value::" + oldValue.toString());


I added the log but I don't see it in the Tomcat console. Should I enable it in the log4j.properties? I don't see the logs.

Enable this:
#logger.idRefreshExecutor.name=sailpoint.task.IdentityRefreshExecutor
#logger.idRefreshExecutor.level=trace

The log.error() function should be shown in the log files, if the log4j2.properties is configured to write to a log file.

Look in the log4j2.properties file for something like:

  • appender.file.fileName=/opt/tomcat/logs/sailpoint.log
    and
  • rootLogger.appenderRef.stdout.ref=file

Logging should not go to the catalina.out nor the tomcat logs.

Please read the article Logging and Auditing for more information on logging.

– Remold
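
A quick way to check the two log4j2.properties points raised above (which appender the root logger references, and which logger entries are still commented out), as an added example that is not part of the original thread. The sample file content is constructed, the helper names `parse_properties` and `diagnose` are hypothetical, and the check looks only at the root logger and does not resolve `${...}` substitutions.

```python
import re

# Constructed sample, not a real IdentityIQ file: a file appender is defined,
# but the root logger only references the console appender.
SAMPLE = """\
appender.stdout.type=Console
appender.stdout.name=stdout
appender.file.type=RollingFile
appender.file.name=file
appender.file.fileName=/opt/tomcat/logs/sailpoint.log
rootLogger.level=warn
rootLogger.appenderRef.stdout.ref=stdout
#logger.idRefreshExecutor.name=sailpoint.task.IdentityRefreshExecutor
#logger.idRefreshExecutor.level=trace
"""

KEY_VALUE = re.compile(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$")

def parse_properties(text):
    """Split key=value lines into active and commented-out settings."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        target = active
        if line.startswith("#"):
            line, target = line.lstrip("#").strip(), commented
        match = KEY_VALUE.match(line)
        if match:
            target[match.group(1)] = match.group(2).strip()
    return active, commented

def diagnose(text):
    """Report where root-logger output lands and which loggers are disabled."""
    active, commented = parse_properties(text)
    files = {}  # appender name -> file path, for appenders that write to a file
    for key, path in active.items():
        m = re.fullmatch(r"appender\.([^.]+)\.fileName", key)
        if m:
            files[active.get(f"appender.{m.group(1)}.name", m.group(1))] = path
    refs = sorted(v for k, v in active.items()
                  if re.fullmatch(r"rootLogger\.appenderRef\.[^.]+\.ref", k))
    return {
        "root_refs": refs,
        "log_files": sorted(files[r] for r in refs if r in files),
        "disabled_loggers": sorted(v for k, v in commented.items()
                                   if re.fullmatch(r"logger\.[^.]+\.name", k)),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
    print(diagnose(SAMPLE.replace("ref=stdout", "ref=file")))
```

An empty `log_files` list means rule output written through the root logger never reaches sailpoint.log, which matters when the rule's log lines are relied on as a record of attribute changes.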

