IdentityAttribute Rule Not Getting Account

Hi all, we’re trying to write an identity attribute cloud rule that sets the uid for non-employee users (source type: Non-Employee). However, after the rule was deployed, we found out that it doesn’t find the account for the user or basically

Account acct = idn.getFirstAccount("NELM [source]", identityName);

returns null. The identityName variable above is an argument of the function that tries to generate a unique uid (and has the above code) and is called with identity.getName() passed in as the value of the argument.

NELM accounts are created through a form, and we already checked to see if the reason is that the account hasn’t been fully created yet but even when we use the rule on existing accounts, it returns null for the line above. Any thoughts?

Hi @ArefS! Please note that SailPoint discourages generating unique attribute values like uid or email, but as in some cases they are necessary, my experience with these rules is that when the identity is being created, most of its attributes are null (for example, if you call the getAttribute method).

Please check in Identity Profile, in the Preview screen, and enter some previously created identity. Can you see some value there?

Also take into consideration that every refresh of the Identity Profile will end in the rule being re-evaluated, so if you check for existence and generate the value based on this, perhaps it will generate a new value in each refresh.

Hi @jsosa, the identities have the value (in this case uid and identificationNumber) there. To help us troubleshoot, I assigned some value to the variable I return at the end of the function to see where it gets stuck/does not work.

 public String generateEmployeeId(String oldValue, String identityName) throws GeneralException{
        String newValue = "ErrorBegin";
        if (oldValue == null || oldValue.isEmpty()){
            newValue = "ErrorCheckingIdentityName";
            if (identityName != null){
                Account acct = idn.getFirstAccount("NELM [source]", identityName);
                newValue = "ErrorCheckingAccount";
                if (acct != null){
                    Map acctAttrs = acct.getAttributes();

                    String workerType = (String) acctAttrs.get("workerType");
                    newValue = "ErrorInForLoop";
                    for (int i = 100000; i < 999999; i++){
                        String tempValue = "";
                        // equals() compares string contents; == only compares references
                        if ("TPV".equals(workerType))
                            tempValue = "TP" + Integer.toString(i);
                        else 
                            tempValue = "CW" + Integer.toString(i);
                        if (idn.countIdentitiesBySearchableIdentityAttribute("uid", "Equals", tempValue) == 0){
                            newValue = tempValue;
                            break;
                        }
                    }                 
                }
            }
        }
        else
            return oldValue;

        return newValue;
    }

    return generateEmployeeId(oldValue, identity.getName());

Through the oldValue condition we check to see if the value is already assigned, and we don’t recalculate it.
This is the entire code. The value returned is ErrorCheckingAccount for new users’ uid. For existing users, I assigned this rule identificationNumber and I got ErrorCheckingAccount as well for them.
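An added illustration, not part of the thread and not SailPoint code: a stand-alone simulation of the refresh behaviour mentioned earlier, showing why the oldValue guard matters for a generated uid. The in-memory map, `countByUid` and `refresh` are hypothetical stand-ins for the tenant, and it assumes the uniqueness search also counts the identity's own stored value.

```java
import java.util.HashMap;
import java.util.Map;

public class UidRefreshDemo {
    // Constructed stand-in for the tenant's searchable "uid" index: identity name -> uid.
    static final Map<String, String> uidByIdentity = new HashMap<>();

    // Hypothetical stand-in for the uniqueness search used in the thread's rule.
    // Assumption: the search also counts the identity's own stored value.
    static long countByUid(String value) {
        return uidByIdentity.values().stream().filter(value::equals).count();
    }

    static String generate(String oldValue, String workerType, boolean keepOldValue) {
        if (keepOldValue && oldValue != null && !oldValue.isEmpty()) {
            return oldValue; // guard: keep the value that is already assigned
        }
        // equals() compares contents; == would compare object references.
        String prefix = "TPV".equals(workerType) ? "TP" : "CW";
        for (int i = 100000; i <= 999999; i++) {
            String candidate = prefix + i;
            if (countByUid(candidate) == 0) {
                return candidate;
            }
        }
        throw new IllegalStateException("no free uid left for prefix " + prefix);
    }

    // One refresh: the rule runs again and its result is stored on the identity.
    static String refresh(String identity, String workerType, boolean keepOldValue) {
        String uid = generate(uidByIdentity.get(identity), workerType, keepOldValue);
        uidByIdentity.put(identity, uid);
        return uid;
    }

    public static void main(String[] args) {
        // Built at runtime, as a value read from account attributes would be.
        String workerType = new String("TPV");
        System.out.println("== literal: " + (workerType == "TPV")
                + ", equals: " + "TPV".equals(workerType));
        for (boolean keep : new boolean[] {false, true}) {
            uidByIdentity.clear();
            StringBuilder seen = new StringBuilder();
            for (int n = 0; n < 3; n++) {
                seen.append(refresh("jdoe", workerType, keep)).append(' ');
            }
            System.out.println("keepOldValue=" + keep + " -> " + seen);
        }
    }
}
```

Without the guard, the identity's own stored uid counts as taken, so each refresh moves it to a different value; with the guard the first generated value is kept.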

Another tip I can offer from my experience is to enclose everything in a try/catch(Exception e) { return e.getMessage(); }

imports...................;

try {
        // entire code
}
catch(Exception e) {
       return e.getMessage();
}

So, as you cannot log in this rule, you can figure out which line threw the exception. Another thing I do in this kind of rule is insert a return line every time I can. For example, in your code,

public String generateEmployeeId(String oldValue, String identityName) {
        String newValue = "ErrorBegin";
        if (oldValue == null)
            return "oldvalueisnull";
        if (oldValue.isEmpty())
            return "allvalueisempty";
        newValue = "ErrorCheckingIdentityName";

        if (identityName == null)
            return "identitynameisnull";

        if (idn == null)
            return "idnisnull";
        Account acct = idn.getFirstAccount("NELM [source]", identityName);
        newValue = "ErrorCheckingAccount";
        if (acct == null)
            return "acctisnull";

and so on. This will force the uid to have some value (at least, the Exception message, and even better, some text that perhaps can show you at which line you are having the error).

I ended up solving the issue. The problem was that the original name of the source was stuck somewhere and the rule couldn’t find the account associated with the identity. (Even though the name of the source showed as NELM when getting it through cc/api). We deleted the source and created a new one with the correct name and the rule worked.

Good news! Sometimes it happens that when renaming a source, the internal name remains the same.
