Hi! I am working on a rule for an authoritative source that has to generate the SailPoint userId on the identity. I have some alternatives for creating the username string. If a userId is already taken, I should try the next generated userId. I am having trouble finding out how to query IDN to see whether an identity with the generated userId already exists.
I found the idn object, available in the Identity Attribute rule, but I am not sure how to perform this query. I appreciate any answer in advance.
I found 2 methods that perform a search on identity attributes; the rest appear to apply to source attributes. My question now is how to make an identity attribute searchable, because the search attributes API needs a source id.
public int countIdentitiesBySearchableIdentityAttribute(java.lang.String attributeName,
                                                        java.lang.String operation,
                                                        java.lang.String value)

public java.util.List<Identity> findIdentitiesBySearchableIdentityAttribute(java.lang.String attributeName,
                                                                            java.lang.String operation,
                                                                            java.lang.String value,
                                                                            java.lang.String sortAttribute)
I found another post saying that uid and email are searchable attributes for identities. So it remains to verify this and send it to ES. Anyway, if someone wants to share some experience, it will be appreciated.
First things first, it is not recommended to generate any unique identifier in the Identity Profile section (i.e. via an identity attribute). This is because the processing on the identity profile refresh is done in parallel, so you could encounter clashes. As far as I know, SailPoint still recommends performing the calculation of these unique attributes on a source, e.g. provisioning to Active Directory and then writing that back into SailPoint via aggregation and attribute mapping.
Regardless, I have done this in the past when it was a completely randomly generated identifier. We queried IdN to see if it is unique in the following way. Please note that this is just an example, use with caution!
// Check Unique within IdentityNow
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;

// attrName is the identity attribute holding the generated id and checkAppName is the
// cloudDisplayName of the source whose account names must also stay unique; both are
// expected to be defined earlier in the rule, as is the context object.
boolean isUnique(String id) {
    boolean unique = false;

    // Count identities whose attribute already carries this value (case-insensitive match)
    QueryOptions qoIdentity = new QueryOptions();
    qoIdentity.addFilter(Filter.ignoreCase(Filter.eq(attrName, id)));
    qoIdentity.setDistinct(true);
    int identities = context.countObjects(Identity.class, qoIdentity);

    // Count account links on the chosen source whose displayName already equals this value
    QueryOptions qoLink = new QueryOptions();
    qoLink.addFilter(Filter.and(Filter.eq("application.cloudDisplayName", checkAppName),
                                Filter.eq("displayName", id)));
    qoLink.setDistinct(true);
    int links = context.countObjects(Link.class, qoLink);

    // The candidate is free only if neither query finds a match
    if (identities == 0 && links == 0) {
        unique = true;
    }
    return unique;
}
Hi Edwin, thank you for your response. It is very similar to our case, where the security login generation policy involves a random number.
Let me ask a question: after user creation, what happens when, for example, the same user is modified in HR? Is the userID recalculated, or does it remain the one used for creation?
I didn't post the full rule required for this, but in any case I would always put a check at the beginning of the logic that ensures the userID is not recalculated every time. The logic / rule will be kicked off each time an identity is refreshed, but by checking whether there is already a value in the userID field, there is no need to recalculate (the logic can be skipped).
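As an added example (not code from this thread, and not SailPoint's own), here is the flow the two replies above describe, in plain Java: keep the existing uid if the identity already has one, otherwise try candidates until the lookup reports none taken. The IdN lookup sits behind a small interface and is stubbed with a constructed in-memory set of taken ids so the example runs offline; in a real rule the implementation would wrap the idn.countIdentitiesBySearchableIdentityAttribute("uid", operation, candidate) method listed earlier in the thread, or the context.countObjects query from Edwin's snippet. The candidate scheme (first initial plus last name, then a numeric suffix), the class and method names, and the idea that the operation string selects an equality match are assumptions, not something the thread specifies.

```java
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the thread): assign a unique userId to an identity
 * exactly once, trying successive candidates until one is free.
 * The IdN lookup is abstracted so the example runs offline.
 */
public class UniqueUserIdExample {

    /** How many identities already carry the candidate value. */
    interface UidLookup {
        int countWithUid(String candidate);
    }

    /**
     * Constructed stand-in for IdentityNow: a fixed set of already-taken uids.
     * In a rule this would call idn.countIdentitiesBySearchableIdentityAttribute
     * ("uid", equalsOperation, candidate); the operation value is an assumption
     * to confirm against the IdN rule documentation.
     */
    static class InMemoryLookup implements UidLookup {
        private final Set<String> taken = new HashSet<>();

        InMemoryLookup(String... existing) {
            for (String s : existing) {
                taken.add(s.toLowerCase());
            }
        }

        @Override
        public int countWithUid(String candidate) {
            return taken.contains(candidate.toLowerCase()) ? 1 : 0;
        }
    }

    /** Build the i-th candidate: base name first, then base1, base2, ... (assumed scheme). */
    static String candidate(String firstName, String lastName, int attempt) {
        String base = (firstName.substring(0, 1) + lastName)
                .toLowerCase()
                .replaceAll("[^a-z0-9]", "");
        return attempt == 0 ? base : base + attempt;
    }

    /**
     * Returns the userId to store on the identity. If the identity already has
     * one, it is returned unchanged, so later refreshes from HR never recalculate it.
     * Otherwise the first candidate the lookup reports as unused is returned.
     */
    static String resolveUserId(String currentUid, String firstName, String lastName,
                                UidLookup lookup, int maxAttempts) {
        if (currentUid != null && !currentUid.trim().isEmpty()) {
            return currentUid;
        }
        for (int attempt = 0; attempt < maxAttempts; attempt++) {
            String cand = candidate(firstName, lastName, attempt);
            if (lookup.countWithUid(cand) == 0) {
                return cand;
            }
        }
        // Fail loudly rather than silently assigning a clashing value
        throw new IllegalStateException("No free userId after " + maxAttempts + " attempts");
    }

    public static void main(String[] args) {
        // Constructed data: jsmith and jsmith1 are already taken in this stand-in tenant
        UidLookup idn = new InMemoryLookup("jsmith", "jsmith1");

        // A new identity with no uid yet gets the next free candidate
        System.out.println(resolveUserId(null, "John", "Smith", idn, 50));

        // An existing identity refreshed from HR keeps the uid it already has
        System.out.println(resolveUserId("jsmith", "John", "Smith", idn, 50));
    }
}
```

The early return on a non-empty currentUid is the check Edwin describes at the start of the logic; the bounded loop with an exception is there so a rule never falls through and writes a duplicate when every candidate is taken. Because identity refresh runs in parallel, as the first reply notes, this check narrows the window for a clash but does not eliminate it, which is why the recommendation to compute the value on a source still stands.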
Thanks @sauvee! I found a way to check whether the code is running at identity creation or at a later modification from the authoritative source.
I found that identity.getAttribute("uid") (or another attribute) returns null when called at creation, and returns the attribute value on subsequent aggregations. For example:
Hi @ksbagade! Thanks for responding. Unfortunately I cannot use the username generator, as I need to copy the returned value to the uid attribute of the identity. I have to check that this is being done at the first aggregation, preventing it from being called every time an aggregation occurs.