How to test Before Provisioning Rule in Rule Development Kit?

Hi All,

I have created a Before Provisioning Rule for OU movement in the LDAP connector. But I need to test the rule the way we test the attribute generator rules, by giving static values.

Can we give a sample provisioning plan to test the Before Provisioning Rule? If so, can anyone give me an idea or a sample format for testing this?

Thanks,
Shantha Kumar

Shanta, the best way for me would be to test it using an IIQ environment.

Do you have it?

Hi @ipobeidi, we don’t have the IIQ environment. Is there any other way to test this rule?

Hey Shanta,

What exactly are you trying to achieve with your rule? Maybe I can suggest a different approach.

@Santhakumar you can achieve OU movement by provisioning policy for modify and disable for leaver and enable for joiner

[
    {
        "name": "Account",
        "description": null,
        "usageType": "CREATE",
        "fields": [
            {
                "name": "ObjectType",
                "transform": {
                    "attributes": {
                        "value": "User"
                    },
                    "type": "static"
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "distinguishedName",
                "transform": {
                    "attributes": {
                        "name": "Create Unique Account ID"
                    },
                    "type": "rule"
                },
                "attributes": {
                    "template": "CN=$(firstname).$(lastname)$(uniqueCounter),CN=Users,DC=SAILPOINT,DC=com",
                    "cloudMaxUniqueChecks": "50",
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sAMAccountName",
                "transform": {
                    "attributes": {
                        "name": "Create Unique LDAP Attribute"
                    },
                    "type": "rule"
                },
                "attributes": {
                    "template": "$(firstname).$(lastname)$(uniqueCounter)",
                    "cloudMaxUniqueChecks": "50",
                    "cloudMaxSize": "20",
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "displayName",
                "transform": {
                    "attributes": {
                        "name": "displayName"
                    },
                    "type": "identityAttribute"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "manager",
                "transform": {
                    "attributes": {
                        "name": "Get Manager LDAP DN"
                    },
                    "type": "rule"
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "mail",
                "transform": {
                    "attributes": {
                        "name": "email"
                    },
                    "type": "identityAttribute"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "password",
                "transform": {
                    "attributes": {
                        "name": "Create Password"
                    },
                    "type": "rule"
                },
                "attributes": {
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "secret",
                "isMultiValued": false
            },
            {
                "name": "givenName",
                "transform": {
                    "attributes": {
                        "name": "firstname"
                    },
                    "type": "identityAttribute"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sn",
                "transform": {
                    "attributes": {
                        "name": "lastname"
                    },
                    "type": "identityAttribute"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "pwdLastSet",
                "transform": {
                    "attributes": {
                        "value": "false"
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "boolean",
                "isMultiValued": false
            },
            {
                "name": "IIQDisabled",
                "transform": {
                    "attributes": {
                        "value": "false"
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "boolean",
                "isMultiValued": false
            },
            {
                "name": "primaryGroupDN",
                "transform": {
                    "attributes": {
                        "value": ""
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "description",
                "transform": {
                    "attributes": {
                        "value": ""
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "telephoneNumber",
                "transform": {
                    "attributes": {
                        "name": "phone"
                    },
                    "type": "identityAttribute"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msNPAllowDialin",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "homeMDB",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "mailNickname",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "shadowAccountDN",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msExchHideFromAddressLists",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "boolean",
                "isMultiValued": false
            },
            {
                "name": "SipAddress",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "SipDomain",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "SipAddressType",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msNPCallingStationID",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "msRADIUSCallbackNumber",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msRADIUSFramedRoute",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "msRADIUSFramedIPAddress",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "RegistrarPool",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "dNSHostName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msDS-SupportedEncryptionTypes",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "msDS-ManagedPasswordInterval",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "msDS-GroupMSAMembership",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "msDS-AllowedToActOnBehalfOfOtherIdentity",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "servicePrincipalName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": true
            },
            {
                "name": "externalEmailAddress",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Create Group",
        "description": null,
        "usageType": "CREATE_GROUP",
        "fields": [
            {
                "name": "distinguishedName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "sAMAccountName",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Update Group",
        "description": null,
        "usageType": "UPDATE_GROUP",
        "fields": [
            {
                "name": "GroupType",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "GroupScope",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "description",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "mailNickname",
                "transform": null,
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Account",
        "description": null,
        "usageType": "DISABLE",
        "fields": [
            {
                "name": "AC_NewParent",
                "transform": {
                    "attributes": {
                        "value": "OU=disabled,DC=SAILPOINT,DC=com"
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    },
    {
        "name": "Account",
        "description": null,
        "usageType": "ENABLE",
        "fields": [
            {
                "name": "AC_NewParent",
                "transform": {
                    "attributes": {
                        "value": "CN=Users,DC=SAILPOINT,DC=com"
                    },
                    "type": "static"
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    }
]

We are trying to change the OU path, when user LCS is changed from active to alumni in OpenLDAP. Since LDAP doesn’t support modify provisioning policies we are trying to use Before Provisioning Rule to move the OU.

Hi @schattopadhy, I appreciate your approach, but LDAP does not support the modify operation.

You are correct, before provisioning is the way.
Maybe the best way is to deploy it on the tenant and do the testing there.
Normally you need JNDI and need to capture the connector user and password.

Hey @Santhakumar,

You should be able to test this out in the rule development kit. The classes ProvisioningPlan, AccountRequest and AttributeRequest are all available to mock.

Here is a very simple example of how to mock a provisioning plan and its account and attribute requests. If you share the format of your plan I could make an exact mock.

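// Requires static imports of org.mockito.Mockito.mock and when, java.util.ArrayList and List,
// and sailpoint.object.ProvisioningPlan with its nested AccountRequest and AttributeRequest.

// Mock the plan and a single account request whose operation is Disable.
ProvisioningPlan plan = mock(ProvisioningPlan.class);
AccountRequest accountRequest = mock(AccountRequest.class);

when(accountRequest.getOp()).thenReturn(ProvisioningPlan.ObjectOperation.Disable);

List<AccountRequest> accountRequests = new ArrayList<>();
accountRequests.add(accountRequest);

// A real (not mocked) attribute request carrying static test values.
AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest();
attributeRequest.setName("test");
attributeRequest.setOperation(ProvisioningPlan.Operation.Add);
attributeRequest.setValue("testValue");

// Looking up "test" on the mocked account request returns the attribute request above.
when(accountRequest.getAttributeRequest("test")).thenReturn(attributeRequest);

// The rule receives the mocked list when it iterates over the plan.
when(plan.getAccountRequests()).thenReturn(accountRequests);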

Hi @tyler_mairose Thanks for the input. I have shared the file here.

LDAP OU_before provisioning.txt (2.3 KB)

Here is an example set of mocks to test with. You’ll want to change my static values to ones that appropriately match your use-case.

        ProvisioningPlan plan = mock(ProvisioningPlan.class);

        Identity identity = mock(Identity.class);
        when(identity.getAttribute("cloudLifecycleState")).thenReturn("active");
        when(identity.getAttribute("activeou")).thenReturn("OU=Engineering,DC=TEST,DC=LOCAL");

        AccountRequest accountRequest = mock(AccountRequest.class);
        when(accountRequest.getOperation()).thenReturn(AccountRequest.Operation.Modify);
        when(accountRequest.getNativeIdentity()).thenReturn("nativeIdentity");

        List<AccountRequest> accountRequests = new ArrayList<>();
        accountRequests.add(accountRequest);

        when(plan.getIdentity()).thenReturn(identity);
        when(plan.getAccountRequests()).thenReturn(accountRequests);

Here is the full test class: ProvisioningTest.java (1.9 KB)

First we mock the provisioning plan.

Then we mock the identity and when you call getAttribute on cloudLifecycleState and activeou our mocked values are returned.

Next we mock an example accountRequest, when the getOperation() is called we return the Modify Operation. When the getNativeIdentity() is called we return the static value we want to test for native Identity.

We then need to initialize a list of AccountRequests and add our mocked Account Request to it.

When plan.getAccountRequests() is called in the rule this will return our example Account Requests list with the account request we mocked.

Same with plan.getIdentity(), when called in the rule it will return our identity we mocked so that it returns our static values when testing the rule.
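
An added example, not taken from the thread or from the attached ProvisioningTest.java: it runs a rule body against the mocked plan and checks both the case where the account must be moved and the case where the plan must stay untouched. The inline rule, the OU value and the class name `OuMoveRuleTest` are constructed; `AC_NewParent` is borrowed from the policy posted above, and JUnit 5 plus BeanShell's `bsh.Interpreter` on the test classpath are assumptions.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.mockito.Mockito.*;
import java.util.Collections;
import bsh.Interpreter;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentCaptor;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

public class OuMoveRuleTest {
    // Constructed stand-in for the rule body; substitute the source of your real rule.
    static final String RULE =
        "import sailpoint.object.ProvisioningPlan;\n"
      + "import sailpoint.object.ProvisioningPlan.AccountRequest;\n"
      + "import sailpoint.object.ProvisioningPlan.AttributeRequest;\n"
      + "lcs = plan.getIdentity().getAttribute(\"cloudLifecycleState\");\n"
      + "for (AccountRequest req : plan.getAccountRequests()) {\n"
      + "  if (\"alumni\".equals(lcs) && AccountRequest.Operation.Modify.equals(req.getOperation())) {\n"
      + "    req.add(new AttributeRequest(\"AC_NewParent\", ProvisioningPlan.Operation.Set, \"OU=Alumni,DC=TEST,DC=LOCAL\"));\n"
      + "  }\n"
      + "}\n";

    // Builds the mocks shown in the thread, binds "plan" and evaluates the rule.
    private AccountRequest runRule(String lifecycleState) throws Exception {
        Identity identity = mock(Identity.class);
        when(identity.getAttribute("cloudLifecycleState")).thenReturn(lifecycleState);
        AccountRequest req = mock(AccountRequest.class);
        when(req.getOperation()).thenReturn(AccountRequest.Operation.Modify);
        ProvisioningPlan plan = mock(ProvisioningPlan.class);
        when(plan.getIdentity()).thenReturn(identity);
        when(plan.getAccountRequests()).thenReturn(Collections.singletonList(req));
        Interpreter interpreter = new Interpreter();
        interpreter.set("plan", plan);
        interpreter.eval(RULE);
        return req;
    }

    @Test
    public void alumniAccountGetsMoveRequest() throws Exception {
        AccountRequest req = runRule("alumni");
        // The account request is a mock, so capture what the rule tried to add.
        ArgumentCaptor<AttributeRequest> added = ArgumentCaptor.forClass(AttributeRequest.class);
        verify(req).add(added.capture());
        assertEquals("AC_NewParent", added.getValue().getName());
        assertEquals("OU=Alumni,DC=TEST,DC=LOCAL", added.getValue().getValue());
    }

    @Test
    public void activeAccountIsLeftUntouched() throws Exception {
        AccountRequest req = runRule("active");
        verify(req, never()).add(any(AttributeRequest.class));
    }
}
```

The second test is the one that catches a rule that moves accounts it should not, which is the failure worth guarding against before the rule is attached to a live source.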