Lifecycle Transform issue

Hi,

We have a requirement to set the Lifecycle State value to active or inactive based on attributes from HRSource and AD. If the Status attribute in HR is A and the account in AD is not present in the Disabled OU, then we set it as active, else inactive.

We have a few users who don't have an AD account. I just wanted to pass a not-null condition on the DN value to incorporate this. I have added one extra condition for those users, marked in bold and italic in the transform below. However, it is not working.

Any suggestions?

Below is the transform:

{
    "attributes": {
        "Status": {
            "attributes": {
                "attributeName": "Status",
                "sourceName": "xxxx"
            },
            "type": "accountAttribute"
        },
        "DN": {
            "attributes": {
                "attributeName": "distinguishedName",
                "sourceName": "Active Directory"
            },
            "type": "accountAttribute"
        },
        "value": "#if($DN && !($DN.contains(\"OU=xxx,DC=ad-dev,DC=xxx,DC=net\")) && $Status=='A')active#elseif($DN && ($DN.contains(\"OU=xxx,DC=ad-dev,DC=xxx,DC=net\")) && $Status=='D')inactive#end"
    },
    "id": "Transform-LifeCycleState Mapping",
    "type": "static"
}

NOTE: Is there any way we can check whether the application account (Link) is present in the user profile?

Hi Srimathiram,

I would suggest wrapping DN in a firstValid transform. I’ve edited the transform below (note the change to the value from " to ' in the contains). Please try this new transform:

{
    "attributes": {
        "Status": {
            "attributes": {
                "attributeName": "Status",
                "sourceName": "xxxx"
            },
            "type": "accountAttribute"
        },
        "DN": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "distinguishedName",
                            "sourceName": "Active Directory"
                        },
                        "type": "accountAttribute"
                    },
                    "NA"
                ],
                "ignoreErrors": "true"
            }
        },
        "value": "#if($DN != 'NA' && !($DN.contains('OU=xxx,DC=ad-dev,DC=xxx,DC=net')) && $Status=='A')active#elseif($DN != 'NA' && ($DN.contains('OU=xxx,DC=ad-dev,DC=xxx,DC=net')) && $Status=='D')inactive#end"
    },
    "id": "Transform-LifeCycleState Mapping",
    "type": "static"
}

Thanks,

Lisa Ivy
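The decision logic of the edited transform above, modelled in Python and run over every combination of HR status and AD placement. This is an added example, not part of the original posts and not SailPoint code; the sample DNs are constructed, the function names are hypothetical, and how IdentityNow treats an empty rendered value is not modelled.

```python
# Added illustration: a Python model of the transform logic, not SailPoint code.
DISABLED_OU = "OU=xxx,DC=ad-dev,DC=xxx,DC=net"  # redacted OU string as posted in the thread

# Constructed sample DNs; None models an identity with no AD account.
SAMPLE_DNS = {
    "no AD account": None,
    "outside disabled OU": "CN=Sample User,OU=Staff,DC=ad-dev,DC=xxx,DC=net",
    "inside disabled OU": "CN=Sample User," + DISABLED_OU,
}

def first_valid(*values):
    """Model of firstValid: the first value that is neither null nor empty."""
    for value in values:
        if value not in (None, ""):
            return value
    return None

def lifecycle_state(status, ad_dn):
    """Model of the Velocity expression in the static transform's "value"."""
    dn = first_valid(ad_dn, "NA")          # "NA" is the literal fallback
    in_disabled_ou = DISABLED_OU in dn     # String.contains: case-sensitive substring
    if dn != "NA" and not in_disabled_ou and status == "A":
        return "active"
    elif dn != "NA" and in_disabled_ou and status == "D":
        return "inactive"
    return ""  # no #else branch, so the template renders nothing

def decision_table():
    """Every combination of HR status and AD placement, with the rendered value."""
    return {
        (status, label): lifecycle_state(status, dn)
        for status in ("A", "D")
        for label, dn in SAMPLE_DNS.items()
    }

def unmapped_cases():
    """Combinations for which the expression yields no lifecycle state."""
    return sorted(case for case, state in decision_table().items() if state == "")

if __name__ == "__main__":
    for (status, label), state in decision_table().items():
        print(f"Status={status:<2} {label:<20} -> {state or '(empty)'}")
```

Four of the six combinations fall through both branches and render an empty value, including both cases where the identity has no AD account.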

Thanks Lisa for the response!
Is there a way to check whether the AD account is disabled using the transform?

There are 2 attributes you can use to derive whether an account is enabled or disabled.
One is IIQDisabled: if NULL, the account is active, and if true, the account is disabled.
This variable is common between all connectors and can be used for any type of source.

Specifically for AD, there is another attribute, accountFlags. If it contains “User Account is Disabled”, then your AD account is disabled.

I wrote 2 transforms in the past to get only the active account from an identity if there are multiple AD accounts from the same source under the identity. You can use them as a reference and build your transform.

{
    "attributes": {
        "accountPropertyFilter": "( IIQDisabled.isNull())",
        "applicationId": "2c91808362878e2a01628fdf0c7d5aa2",
        "applicationName": "IdentityNow AD [source-111329]",
        "attributeName": "sAMAccountName",
        "sourceName": "AD"
    },
    "id": "Filter using IIQDisabled",
    "type": "accountAttribute"
}

{
    "attributes": {
        "accountPropertyFilter": "!(accountFlags.contains(\"User Account is Disabled\"))",
        "applicationId": "2c91808362878e2a01628fdf0c7d5aa2",
        "applicationName": "IdentityNow AD [source-111329]",
        "attributeName": "distinguishedName",
        "sourceName": "AD"
    },
    "id": "Filter using account Flag",
    "type": "accountAttribute"
}