IdentityNow - Request for method accountExistsByDisplayName explanation

Hi community,
What is meant by the displayName parameter in the “accountExistsByDisplayName” method signature of the class IdnRuleUtil?
Which account attribute does the displayName refer to?
Could you provide me with a practical example?

Thanks in advance for your support,
Paolo

Hi @paolosalatinos My understanding is that it references the attribute marked as the Account Name in the Account Schema:

1 Like

Ok,
we have defined two sources for two different domains of the same forest, and we are trying to generate a unique sAMAccountName across the two domains using the following rule in the Create Account provisioning policy settings of adSource1 and adSource2:

    import sailpoint.tools.GeneralException;
    import sailpoint.object.*;
    import sailpoint.api.*;
    import java.util.ArrayList;
    import java.util.List;
    import org.apache.commons.lang.StringUtils;

    public String generateUsername(String firstName, String lastName) throws GeneralException {
        firstName = StringUtils.trimToNull(firstName);
        lastName = StringUtils.trimToNull(lastName);

        // Keep only ASCII letters and digits in each name part
        if (firstName != null) {
            firstName = firstName.replaceAll("[^a-zA-Z0-9]", "");
        }
        if (lastName != null) {
            lastName = lastName.replaceAll("[^a-zA-Z0-9]", "");
        }

        // isEmpty also covers a name that became "" after stripping, which would
        // otherwise make substring(0, 1) below throw
        if (StringUtils.isEmpty(firstName) || StringUtils.isEmpty(lastName)) {
            log.debug("AD Create User Name | Exit from generateUsername method. No last name and first name for user");
            return null;
        }

        String username = null;
        String adSource1 = "Active Directory Source1";
        String adSource2 = "Active Directory Source2";

        // First pass: grow the first-name prefix one character at a time
        // (m.rossi, ma.rossi, mar.rossi, ...) until a free name is found on both sources
        for (int firstNameLength = 1; firstNameLength <= firstName.length(); firstNameLength++) {
            username = (firstName.substring(0, firstNameLength) + "." + lastName).toLowerCase();
            if (!idn.accountExistsByDisplayName(adSource1, username)
                    && !idn.accountExistsByDisplayName(adSource2, username)) {
                log.debug("AD Create User Name | Unique username generated: " + username);
                log.debug("AD Create User Name | Exit from the GenerateUsername Method");
                return username;
            }
        }

        // Second pass: one-letter prefix plus a numeric suffix (m.rossi1, m.rossi2, ...)
        for (int uniqueCounter = 1; uniqueCounter < 100; uniqueCounter++) {
            username = (firstName.substring(0, 1) + "." + lastName + uniqueCounter).toLowerCase();
            if (!idn.accountExistsByDisplayName(adSource1, username)
                    && !idn.accountExistsByDisplayName(adSource2, username)) {
                log.debug("AD Create User Name | Unique username generated: " + username);
                log.debug("AD Create User Name | Exit from the GenerateUsername Method");
                return username;
            }
        }

        // No free candidate found
        return null;
    }

    return generateUsername(identity.getFirstname(), identity.getLastname());

However, it seems that the condition “if((!idn.accountExistsByDisplayName(adSource1, username)) && (!idn.accountExistsByDisplayName(adSource2, username)))” doesn’t work properly: when we execute the rule for two users with the same first name and last name (e.g. firstname=Mario and lastname=Rossi), one on adSource1 and the other on adSource2, the rule creates the same sAMAccountName on the two different domains of the same forest, whereas we expected m.rossi at the first user creation and ma.rossi at the second user creation. Why this unexpected behavior?

Thanks in advance for your support,
Paolo

Hi @psalat8887100 When testing, has the first create account completed successfully before the second create account?

This is a cross-domain issue: the method you are using to check whether an account exists works only on a particular source.

You should go with an Identity-attribute-based approach for calculating uniqueness.

– Krish

2 Likes

Hi,

You may use a different method to compare sAMAccountName uniqueness across multiple sources, like below:

    import sailpoint.object.*;
    import java.util.*;
    import sailpoint.rule.*;
    import org.apache.commons.lang.StringUtils;

    // IDs of every source that must be searched (here the two AD sources)
    List SOURCE_IDS = new ArrayList(Arrays.asList(new String[]{"4028112837fe14c70177fe1955e9032c", "4028812877fa18c72177fs195baa0341"}));
    // Name of the promoted (searchable) account attribute to match on
    String PROMOTED_ATTR_NAME = "promotedEmailAddress";
    String SEARCH_OP = "StartsWith"; // Can also use "Equals"
    List SEARCH_VALUES = new ArrayList(Arrays.asList(new String[]{"[email protected]"}));

    // Return the number of accounts, across all listed sources, whose promoted attribute matches
    return idn.attrSearchCountAccounts(SOURCE_IDS, PROMOTED_ATTR_NAME, SEARCH_OP, SEARCH_VALUES);

    // In the event that the earlier call returns a non-zero value, it is certain
    // that an email value is already in use. If it is required to
    // know which identity owns the account with this value, you can call this method:
    // idn.attrSearchGetIdentityName(SOURCE_IDS, PROMOTED_ATTR_NAME, SEARCH_OP, SEARCH_VALUES);

Check out the link below for more understanding and for how to create promoted attributes.
Using ISCRuleUtil as a Wrapper for Common Rule Operations | SailPoint Developer Community

2 Likes
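To make the difference between the two checks concrete, here is an added, self-contained Java example that is not part of this thread or of SailPoint's own code. It re-implements the candidate-name order of the rule posted above (m.rossi, ma.rossi, ..., then m.rossi1, ...) and replaces the two per-source accountExistsByDisplayName calls with a single cross-source query in the style of attrSearchCountAccounts with "Equals". The `AccountLookup` interface and its in-memory `InMemoryLookup` are stand-ins for the `idn` utility (assumption: real sources are addressed by ID, not by the display names used here), the account data is constructed, and the attribute name "sAMAccountName" is assumed to be the promoted attribute being searched.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class UniqueSamAccountName {

    /** Hypothetical stand-in for the two IdnRuleUtil calls discussed in the thread. */
    interface AccountLookup {
        /** Same contract as idn.accountExistsByDisplayName: one source per call. */
        boolean accountExistsByDisplayName(String source, String displayName);
        /** Same contract as idn.attrSearchCountAccounts: all listed sources in one call. */
        int attrSearchCountAccounts(List<String> sourceIds, String attrName, String op, List<String> values);
    }

    /** In-memory directory, source -> existing account names (constructed data, not a real source). */
    static class InMemoryLookup implements AccountLookup {
        final Map<String, Set<String>> accountsBySource = new HashMap<>();

        void addAccount(String source, String name) {
            accountsBySource.computeIfAbsent(source, k -> new HashSet<>()).add(name);
        }

        public boolean accountExistsByDisplayName(String source, String displayName) {
            return accountsBySource.getOrDefault(source, new HashSet<>()).contains(displayName);
        }

        public int attrSearchCountAccounts(List<String> sourceIds, String attrName, String op, List<String> values) {
            if (!"Equals".equals(op)) throw new IllegalArgumentException("only Equals is modelled here");
            int count = 0;
            for (String source : sourceIds)
                for (String value : values)
                    if (accountExistsByDisplayName(source, value)) count++;
            return count;
        }
    }

    /** Normalise one name part the way the posted rule does; null when nothing usable is left. */
    static String clean(String s) {
        if (s == null) return null;
        String t = s.trim().replaceAll("[^a-zA-Z0-9]", "");
        return t.isEmpty() ? null : t;
    }

    /** Candidate names in the rule's order: growing prefix first, numeric suffix second. */
    static List<String> candidates(String firstName, String lastName) {
        List<String> out = new ArrayList<>();
        for (int n = 1; n <= firstName.length(); n++)
            out.add((firstName.substring(0, n) + "." + lastName).toLowerCase());
        for (int i = 1; i < 100; i++)
            out.add((firstName.substring(0, 1) + "." + lastName + i).toLowerCase());
        return out;
    }

    /** First candidate that is unused on every source in sourceIds, checked with one query per candidate. */
    static String generateUsername(AccountLookup idn, List<String> sourceIds, String firstName, String lastName) {
        firstName = clean(firstName);
        lastName = clean(lastName);
        if (firstName == null || lastName == null) return null;
        for (String candidate : candidates(firstName, lastName)) {
            int inUse = idn.attrSearchCountAccounts(sourceIds, "sAMAccountName", "Equals", Arrays.asList(candidate));
            if (inUse == 0) return candidate;
        }
        return null;
    }

    public static void main(String[] args) {
        InMemoryLookup idn = new InMemoryLookup();
        List<String> bothDomains = Arrays.asList("Active Directory Source1", "Active Directory Source2");

        // First Mario Rossi: nothing exists yet, so the shortest form is free.
        String first = generateUsername(idn, bothDomains, "Mario", "Rossi");
        idn.addAccount("Active Directory Source1", first); // the create on domain 1 completes
        System.out.println("first create (both domains checked)  -> " + first);

        // Second Mario Rossi, provisioned to domain 2: the cross-source check sees domain 1's account.
        String second = generateUsername(idn, bothDomains, "Mario", "Rossi");
        idn.addAccount("Active Directory Source2", second);
        System.out.println("second create (both domains checked) -> " + second);

        // The same second user if only the target domain had been checked: the forest-wide clash returns.
        String clash = generateUsername(idn, Arrays.asList("Active Directory Source2"), "Mario", "Rossi");
        System.out.println("second create (domain 2 only)        -> " + clash);
    }
}
```

Running it prints m.rossi for the first create and ma.rossi for the second, because the second query covers both sources; the last line prints m.rossi again, which is exactly the duplicate reported above, since a single-source check cannot see an account that lives in the other domain. Note that even the cross-source variant is a read-then-write: two creates evaluated at the same moment both see a count of 0 and pick the same name, which is the bulk-provisioning failure described later in this thread.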

In most environments sAMAccountName is such a fundamental attribute that generating it on the Identity Profile (agreeing with @MVKR7T here) would be best practice, IMHO.

2 Likes

Hello developer community!
This approach of checking uniqueness using promoted attributes works, but only when aggregating one account at a time. In the case of bulk account aggregation (and we suppose this is due to concurrency issues) we encounter the following error:

"Error(s) reported back from the IQService - The object already exists. The object already exists. 00000524: UpdErr: DSID-031A11FA, problem 6005 (ENTRY_EXISTS), data 0 00000524: UpdErr: DSID-031A11FA, problem 6005 (ENTRY_EXISTS), data 0 . HRESULT:[0x80071392] For identity: CN= […]

We assume that this is due to the fact that during a bulk upload the accounts are created at the same time, and for this reason the promoted attribute is not yet populated when the BeforeProvisioning rule performs the uniqueness check.
We also tried to use the isUniqueLDAPValue method of the IdnRuleUtil class, but it was still not effective: the problem we encounter with this additional method is identical to the one reported above.
How can we overcome this concurrency error of the Active Directory connector so that the BeforeProvisioning rule also works in the case of bulk account aggregation?

Thanks in advance for your support.

Regards,
Paolo

Hi All, I have a question related to those raised above, concerning the uniqueness check of the sAMAccountName.
Currently, I have a cloud rule that calculates a sAMAccountName value and tests for its uniqueness using the ‘countIdentitiesBySearchableIdentityAttribute’ method.
This fails to locate existing accounts that are uncorrelated to an Identity.
I think the test for uniqueness should be performed using the ‘accountExistsByDisplayName’ method.
However, this will only work if the ‘displayName’ referred to is the sAMAccountName attribute in AD.
Can anyone confirm that the reference to ‘displayName’ in this method actually refers to the ‘Account Name’ in the Source Account Schema, which is set to sAMAccountName in the AD Source?

Regards, Adrian