Identity Rule to generate userid

Hi! I am working on a rule for an authoritative source that has to generate the SailPoint userid on the identity. I have some alternatives to create the username string. If a userId is already taken, I should try the next generated userid. I am having trouble finding how to query IDN to check whether an identity with the generated userId already exists.

Found idn object, available on Identity Attribute rule, but I am not sure how to perform this query. Appreciate any answer in advance.

Thanks!

I found 2 methods that perform a search on identity attributes; the rest appear to be applied to source attributes. My doubt now is how to promote an identity attribute as searchable, because the search attributes API needs a source id.

public int countIdentitiesBySearchableIdentityAttribute(java.lang.String attributeName,
                                                        java.lang.String operation,
                                                        java.lang.String value)

public java.util.List<Identity> findIdentitiesBySearchableIdentityAttribute(java.lang.String attributeName,
                                                                            java.lang.String operation,
                                                                            java.lang.String value,
                                                                            java.lang.String sortAttribute)

I found another post where it says that uid and email are searchable attributes for identities. So it is left to verify and send to ES. Anyway, if someone wants to share some experience, it will be appreciated.

The mentioned post is:

First things first, it is not recommended to generate any unique identifier in the Identity Profile section (i.e. via an identity attribute). This is because the processing on the identity profile refresh is done in parallel and so you could encounter clashes. As far as I know, SailPoint still recommends performing the calculations of these unique attributes on any sources, e.g. provisioning to Active Directory and then writing that back into SailPoint via aggregation and attribute mapping.

Regardless, I have done this in the past when it was a completely randomly generated identifier. We queried IdN to see if it is unique in the following way.
Please note that this is just an example, use with caution!

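    import sailpoint.object.Filter;
    import sailpoint.object.Identity;
    import sailpoint.object.Link;
    import sailpoint.object.QueryOptions;

    // Check Unique within IdentityNow
    // attrName and checkAppName are not defined in this excerpt; they come from the rest of the rule.
    boolean isUnique (String id) {
        boolean isUnique = false;

        // Count identities whose attribute already holds this value (case-insensitive)
        QueryOptions qoIdentity = new QueryOptions();
        qoIdentity.addFilter( Filter.ignoreCase( Filter.eq( attrName, id ) ) );
        qoIdentity.setDistinct(true);

        int identities = context.countObjects(Identity.class, qoIdentity);

        // Count accounts on the checked source whose display name is this value
        QueryOptions qoLink = new QueryOptions();
        qoLink.addFilter(Filter.and(Filter.eq("application.cloudDisplayName", checkAppName), Filter.eq("displayName", id)));
        qoLink.setDistinct(true);

        int links = context.countObjects(Link.class, qoLink);

        // Unique only when neither an identity nor an account already uses the value
        if (identities == 0 && links == 0) {
            isUnique = true;
        }

        return isUnique;
    }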
4 Likes

Hi Edwin, thank you for your response. It is very similar to our case, where the security login generation policy involves a random number.

Let me ask a question: after user creation, what happens when, for example, the same user is modified in HR? Is the UserID recalculated, or does it remain the one used at creation?

Hi Julian,

I didn’t post the full rule required for this, but in any case I would always put a check in the beginning of the logic that ensures that the userID is not recalculated every time. The logic / rule will be kicked off each time an identity is refreshed, but by checking if there is already a value in the userID field, there is no need to recalculate (the logic can be skipped).

Hope this helps.

1 Like

Thanks @sauvee! I found a way to check if the code is running at creation of the identity, or at some modification from the authoritative source.
I found that identity.getAttribute("uid") -or another attribute- returns null when called at creation, and returns the attribute value for following aggregations. For example:

if(identity != null && identity.getAttribute("uid") != null)
    return (String) identity.getAttribute("uid");

// else
String uid = someRandom();
// check uniqueness
return uid;

Hi @jsosa,

A little late to the thread, but does the Username Generator and the UUID Generator transforms help meet the uniqueness requirement?

Hi @ksbagade! Thanks for responding. Unfortunately I cannot use the username generator, as I need to copy the returned value to the uid attribute of the identity. I have to check that this is being done at the first aggregation, preventing it from being called every time an aggregation occurs.

1 Like

Got it. Thank you for the response and hope you got it working 🙂

1 Like

Are you trying to get an integer less than 6 as the username or a string with 6 digits?

And did multiplying a double with String work for you?

Hi @iamnithesh, I cut the original code to prevent client’s specific logic, and ended up copying the wrong code. I recopy the example:

      if (identity != null && identity.getAttribute("uid") != null)
          return (String) identity.getAttribute("uid");

      int maxRandomNumberLength = 4; // login length
      int maxRandomNumber = 9999;    // to generate between 0 and 9999

      // Math.random() is in [0, 1), so multiply by maxRandomNumber + 1 to include 9999
      String normalizedRandom = Integer.toString((int) (Math.random() * (maxRandomNumber + 1)));

      // add necessary zeros to the left
      if (normalizedRandom.length() < maxRandomNumberLength) {
          int leftZeros = maxRandomNumberLength - normalizedRandom.length();
          for (int i = 0; i < leftZeros; i++)
              normalizedRandom = "0" + normalizedRandom;
      }

      String finalUsername = normalizedRandom;

      return finalUsername;
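
Added example, not part of any post in this thread and not SailPoint code: a standalone Java sketch of the flow the thread converges on (keep an existing uid, otherwise generate a zero-padded candidate and retry while it is taken). The `isTaken` predicate is a hypothetical stand-in for the `isUnique` query above, `MAX_ATTEMPTS` is an assumed retry budget, and `SecureRandom` is swapped in for `Math.random()`. The check-then-assign step is still not atomic, so the clash under parallel refresh that the quoted post warns about remains possible.

```java
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

/** Illustration only; isTaken stands in for the uniqueness query shown in the thread. */
public class UserIdGenerator {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int DIGITS = 4;        // login length used in the thread
    private static final int BOUND = 10_000;    // candidates are 0..9999
    private static final int MAX_ATTEMPTS = 50; // hypothetical retry budget

    /** Returns existingUid when already set, otherwise a zero-padded id that isTaken rejects. */
    static String resolveUid(String existingUid, Predicate<String> isTaken) {
        // Later refreshes must not recalculate an id that was already assigned.
        if (existingUid != null && !existingUid.isEmpty()) {
            return existingUid;
        }
        for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
            // nextInt(BOUND) is uniform over 0..9999; %04d left-pads with zeros.
            String candidate = String.format("%0" + DIGITS + "d", RNG.nextInt(BOUND));
            if (!isTaken.test(candidate)) {
                return candidate;
            }
        }
        // Fail loudly instead of returning a duplicate or looping forever
        // when the id space is close to exhausted.
        throw new IllegalStateException("no free userid after " + MAX_ATTEMPTS + " attempts");
    }

    public static void main(String[] args) {
        // Constructed sample data: ids already assigned in the tenant.
        Set<String> taken = new HashSet<>();
        taken.add("0042");
        taken.add("9999");

        // Existing value is preserved on later aggregations.
        System.out.println(resolveUid("0042", taken::contains));

        // New identity: a fresh id that is not in the taken set.
        String fresh = resolveUid(null, taken::contains);
        System.out.println(fresh + " unique=" + !taken.contains(fresh));
    }
}
```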
