We are working on our first Cloud Correlation Rule in IdentityNow for our Workday source. The rule has passed the SaaS Validator, deployed by SailPoint professional services, and the Workday source has been associated with this account correlation rule.
Use Case: If a new Workday account has an exact match on SSN Last Four, Last Name, and (DOB or First Name) correlate the new Workday account to an existing identity.
The Identity attribute lastFourSSN is a searchable attribute. In testing the Workday aggregation completed successfully. There were three Workday accounts we running our test on and all three accounts are no longer listed in the Workday source accounts tab, as if the accounts were dropped on the floor during aggregation. Below is the rule.
Is it valid to return an Identity to the map?
Is there any way to see logs associated with the Cloud Rules?
import sailpoint.object.*;
import sailpoint.rule.IdnRuleUtil;
import java.util.*;
import java.util.Map;
import java.util.HashMap;
import sailpoint.object.Identity;
String ssn = (String) account.getAttribute("SSN_LAST_FOUR");
String dob = (String) account.getAttribute("BIRTH_DATE");
String first = (String) account.getAttribute("FIRST_NAME");
String last = (String) account.getAttribute("LAST_NAME");
Map returnMap = new HashMap();
//Search IDN for Exact Last 4 SSN Match
List identities = idn.findIdentitiesBySearchableIdentityAttribute("lastFourSSN", "Equals", ssn);
if( identities != null && identities.size() > 0) {
for (Identity identity: identities){
//Check to see if the Last Name Matches
if(null != identity.getLastname()){
if(identity.getLastname().equals(last)){
//Now we have two of three criteria matched, if DOB or First Name match add the identity to the map
if(null != identity.getFirstname()){
if(identity.getFirstname().equals(first)){
returnMap.put("identity",identity);
}
}
if(null != identity.getAttribute("birthDate")){
if(identity.getAttribute("birthDate").equals(dob)){
returnMap.put("identity",identity);
}
}
}
}
}
}
return returnMap;
You cannot return an identity object directly in the map. You have to return the map of attributes you want to correlate on with its name and value. Please see Correlation Rule | SailPoint Developer Community for an example on its usage.
Based on the code above, I think you can directly map the correlation from the UI itself, no rule is necessary. You already have identity attributes for First Name, Last Name and lastFourSSN,and birthDate. You can just ensure they are searchable and use it for correlation mapping from Source → Import Data → Correlation tab.
In our use case we only want to correlate an identity if three attributes are an exact match either First, Last, and SSN or Last, SSN, and DOB. If we configured this in the UI our understanding is that each attribute would be evaluated independently one at a time. So for example if a Workday account just matched on SSN we wouldn’t want the account to be correlated, only if SSN, First, and Last or SSN, Last, and DOB were an exact match. Is there a method to group correlation attributes in the UI? If this is possible it would definitely be preferable to correlate in the UI over a correlation rule.
Thanks a lot for clarifying your requirement. Since you need a combination of those attributes to match I think you will need the rule.
I think the rule you’ve posted above should work. I know the documentation doesn’t suggest returning identity object or name but i think it works in IIQ and should work in IDN as well.
//Note if searching for a user using IDN Rule Util logic, you will get a sailpoint.rule.Identity;
//You can use the following
sailpoint.rule.Identity foundIdentity = ....;
Map retMap = new HashMap();
retMap.put("name", foundIdentity.getName());
You can try using sailpoint.rule.identity class if it helps. You’ll have to modify the get calls accordingly.
We have deployed a couple versions of the rule but now we hit a casting issue. Here is the error message as seen on Identity Cubes after running the aggregation:
And here is the code:
import sailpoint.object.*;
import sailpoint.rule.*;
import java.util.*;
import java.util.Map;
import java.util.HashMap;
import sailpoint.object.Identity;
String ssn = (String) account.getAttribute("SSN_LAST_FOUR");
String dob = (String) account.getAttribute("BIRTH_DATE");
String first = (String) account.getAttribute("FIRST_NAME");
String last = (String) account.getAttribute("LAST_NAME");
Map returnMap = new HashMap();
//Search IDN for Exact Last 4 SSN Match
List identities = idn.findIdentitiesBySearchableIdentityAttribute("ssnLastFour", "Equals", ssn, "email");
if( identities != null && identities.size() > 0) {
for (Identity identity: identities){
//Check to see if the Last Name Matches
if(null != identity.getLastname()){
if(identity.getLastname().equals(last)){
//Now we have two of three criteria matched, if DOB or First Name match add the identity to the map
if(null != identity.getFirstname()){
if(identity.getFirstname().equals(first)){
returnMap.put("name", identity.getName());
}
}
if(null != identity.getAttribute("birthDate")){
if(identity.getAttribute("birthDate").equals(dob)){
returnMap.put("identity",identity);
}
}
}
}
}
}
return returnMap;```
From a similar post we saw reference to defining the List like "List<sailpoint.rule.Identity> identities =..." however this update fails the SaaS validator. This snippet came from [Using IDNRuleUtil findIdentitiesBySearchableIdentityAttribute function - IdentityNow (IDN) / Discussion and Questions - SailPoint Developer Community Forum](https://developer.sailpoint.com/discuss/t/using-idnruleutil-findidentitiesbysearchableidentityattribute-function/3917#_gl=1*lwvs81*_gcl_au*MTc1MzkzMTY2Mi4xNjg4OTk2OTg4)