Manually set LCS not updating while on Aggregation with Transform reference

GOKUL_ANANTH_M · February 16, 2024, 6:12pm

Hi,

I have created a transform that calculates the Lifecycle State of an identity.

{
    "name": "LCS Transform",
    "type": "static",
    "attributes": {
        "user_Status": {
            "attributes": {
                "sourceName": "Cricket NewZealand",
                "attributeName": "status"
            },
            "type": "accountAttribute"
        },
        "lastHireDate_Compare": {
            "attributes": {
                "firstDate": {
                    "attributes": {
                        "inputFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",
                        "outputFormat": "ISO8601",
                        "input": {
                            "attributes": {
                                "inputFormat": "MM/dd/yyyy",
                                "outputFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",
                                "input": {
                                    "attributes": {
                                        "sourceName": "Cricket NewZealand",
                                        "attributeName": "lastHireDate"
                                    },
                                    "type": "accountAttribute"
                                }
                            },
                            "type": "dateFormat"
                        }
                    },
                    "type": "dateFormat"
                },
                "secondDate": {
                    "attributes": {
                        "inputFormat": "yyyy-MM-dd'T'HH:mm'Z'",
                        "outputFormat": "ISO8601",
                        "input": {
                            "attributes": {
                                "expression": "now/d"
                            },
                            "type": "dateMath"
                        }
                    },
                    "type": "dateFormat"
                },
                "operator": "gt",
                "positiveCondition": "greater",
                "negativeCondition": "lesser"
            },
            "type": "dateCompare"
        },
        "terminationDate_compare": {
            "attributes": {
                "firstDate": {
                    "attributes": {
                        "input": {
                            "attributes": {
                                "values": [
                                    {
                                        "attributes": {
                                            "sourceName": "Cricket NewZealand",
                                            "attributeName": "terminationDate"
                                        },
                                        "type": "accountAttribute"
                                    },
                                    "12/30/5000"
                                ]
                            },
                            "type": "firstValid"
                        },
                        "inputFormat": "MM/dd/yyyy",
                        "outputFormat": "ISO8601"
                    },
                    "type": "dateFormat"
                },
                "secondDate": {
                    "attributes": {
                        "inputFormat": "yyyy-MM-dd'T'HH:mm'Z'",
                        "outputFormat": "ISO8601",
                        "input": {
                            "attributes": {
                                "expression": "now/d"
                            },
                            "type": "dateMath"
                        }
                    },
                    "type": "dateFormat"
                },
                "operator": "gte",
                "positiveCondition": "greater",
                "negativeCondition": "lesser"
            },
            "type": "dateCompare"
        },
        "value": "#if($user_Status=='active'&&$lastHireDate_Compare=='greater')prehire#elseif($lastHireDate_Compare=='lesser'&&$terminationDate_compare=='greater')active#elseif($terminationDate_compare=='lesser')terminated#{else}inactive#end"
    }
}

I have a flat file containing identity data. After aggregating the data, the LCS calculation is correctly displayed in Identity details on IDN. Now, I have made some identities with manually set Lifecycle States. Upon re-aggregation of the same flat file, the transform should recalculate the LCS and update it automatically. However, this reversion process is not occurring.

For instance, I have an identity with “emp_id - 100, status - active, lastHireDate - 02/02/2024, terminationDate - NULL”. Initially, the transform displays the LCS as “active (automatic)”. If I manually change the LCS to “inactive (Manual)”, upon subsequent aggregations with no data changes, the LCS remains “inactive (Manual)” instead of reverting to “active (automatic)” as expected.

I have attempted various approaches:

Optimized Aggregation
Unoptimized Aggregation
Changing the values of direct identity attributes and then aggregating them.

Now, my question is: are there any other methods to achieve this?

Thanks in advance,
Gokul

KevinHarrington · February 17, 2024, 2:27am

Try adding “requiresPeriodicRefresh”:“true” inside your attributes tag.

Some extra info:
The documentation and expected behavior here seems to be changing or inconsistent, or there’s just something I’m missing. As I understood it from years ago: if a lifecycle state is set manually, then the automated/calculated lifecycle state will not be honored until the calculated lifecycle state matches the manual lifecycle state. I don’t think the documentation reflects this behavior anymore, but in some circumstances the product still works this way,

The primary reason this behavior would be valuable is in the case of immediate terminations. If a person is set to be “inactive” manually, we wouldn’t want the identity set to active after aggregating from HR just because HR hasn’t had time to catch up. So it waits for HR to catch up to the manual state, then allows the HR record to drive lifecycle state again.

GOKUL_ANANTH_M · February 17, 2024, 9:17am

Hi @KevinHarrington ,

It’s an emergency case scenario where someone unknowingly changed the LCS of an identity in IDN. Hence, I need to revert the LCS state back to the identity.

Also, after adding the “requiresPeriodicRefresh” in the transform too, there is no change. The same scenario occurs.

The updated thing in the transform is that,

"value": "#if($user_Status=='active'&&$lastHireDate_Compare=='greater')prehire#elseif($lastHireDate_Compare=='lesser'&&$terminationDate_compare=='greater')active#elseif($terminationDate_compare=='lesser')terminated#{else}inactive#end",
"requiresPeriodicRefresh": "true"

RAKGDS · February 18, 2024, 10:14am

Hi Gokul,
Try this once you change your lifecycle state have a workflow configured on cloudlifecycle change status and then in the workflow please refresh the identity with cc api.

Thank

GOKUL_ANANTH_M · February 19, 2024, 6:53am

Hi Rakesh,

As the /cc/api/system/refreshIdentities is deprecated, can we use https://developer.sailpoint.com/idn/api/beta/sync-identity-profile/, for this requirement?

RAKGDS · February 19, 2024, 6:57am

Hi Gokul,
Sure that should also work.

vijay_sharma · April 10, 2024, 4:14am

Hi Gokul,

By Any chance, you were able to fix this issue ? I am facing similar issues.

@RAKGDS

vijay_sharma · April 10, 2024, 4:17am

Hi Kevin,

I am facing similar issues where after adding “requiresPeriodicRefresh” in LCS transform, it is not updating the identity LCS which was manually set. Thanks

GOKUL_ANANTH_M · April 10, 2024, 5:02am

Hi Vijay,

If a lifecycle state is set manually, then the automated/calculated lifecycle state will not be honoured until the calculated lifecycle state matches the manual lifecycle state.

The primary reason this behaviour would be valuable is in the case of immediate terminations. If a person is set to be “inactive” manually, we wouldn’t want the identity set to active after aggregating from HR just because HR hasn’t had time to catch up. So it waits for HR to catch up to the manual state, then allows the HR record to drive lifecycle state again.

Imagine the scenario that, I have an identity with “emp_id - 100” whose status should be “active,” but in a situation where the admin changed it manually to “inactive”. If we need to revert this change back to “active (automatic)”,

We need to match the identity’s calculated LCS with the manually set LCS. Hence, we need to change the identity’s data in the HR file to meet the “inactive” state conditions.

Let’s say the data of the employee in HR file looks like this,

emp_id: 100
status: active
lastHireDate: 02/02/2024
terminationDate: 19/02/2024

After this, we can modify the data in the HR file to meet the “active” state conditions, i.e., nothing but the old data of the identity. Upon aggregation, the change will then be reverted back.

This process ensures the expected output is “active (automatic).”

This was the solution given by @KevinHarrington above.

Topic		Replies	Views
IdentityAttribute Transforms not updating when LCS manually set ISC Discussion and Questions transforms , identity-security-cloud	3	238	January 16, 2024
Manually Setting LCS with Transform References ISC Discussion and Questions transforms , identity-security-cloud	2	369	July 19, 2023
LCS set manually is not getting new value as per Transform ISC Discussion and Questions transforms , identity-security-cloud , lifecycle-management	3	65	April 10, 2024
Unable to use Identity attribute in LCS transform ISC Discussion and Questions	7	1006	July 19, 2023
Lifecyclestate transform ISC Discussion and Questions transforms , identity-security-cloud	3	321	August 14, 2023

Manually set LCS not updating while on Aggregation with Transform reference

Related Topics