Context: Currently, we have NERM connected with ISC, so our users authenticate in NERM through ISC as identity provider (IdP).
Use case: We have a form to register non-employees from different companies: Company A, Company B and Company C. When a user from Company A, B or C authenticates in NERM, they can execute a workflow where they select their company in an attribute of type “ProfileSelect”. This selection enables another attribute that shows the available options for their company, as follows:
Company A: Option 1 and Option 2
Company B: Option 3 and Option 4
Company C: Option 5 and Option 6.
This works correctly. However, we want to prevent a user from selecting a company that does not apply to them. We would like to identify which company the user is from and have the form stop displaying the company selection attribute (or have it pre-filled with no way to change it) to directly enable the options corresponding to their company.
Doubt: What would be the best way to solve this? We have tried to add an attribute called “company” for users authenticating in NERM and use a “Set Attribute Value” action, but it seems that it is not possible because ISC is our IdP.
I hope I have explained myself well. I thank you in advance for your support.
Best regards!
Hi Gilberto,
This can be solved using a Set Attributes action on the requester's profile value for the company attribute. Then have an attribute with a filter based on that company value (from the requester's profile) on the “available options for your company” selection you have set up.
The IMPORTANT action is ensuring you have populated / are populating that company attribute on the requester's profile so you can reference it. If I understand your setup properly, if they have already completed a form (and presumably you set up an identity profile), this should be easy to accomplish.
Hi!
Thanks for the answer.
I have a doubt about your solution: how can I populate the “company” attribute if I don’t have that attribute? That is, the requesting users that authenticate in NERM come from ISC, so they only have the attributes that come by default in “System > Users”, which are “name, email, login, roles, status”.
In other words, I don’t have a profile type for those requesting users.
With that clarification, and with the use of what I assume is JIT provisioning, you are correct: you would not have the correct company data.
You might be able to get crafty, along the lines of:
- Can you set up condition(s) based on the email domain of the user to set said company attribute?
- Depending on how your groups are set up (if they contain company info), you could use that to set the company attribute in the workflow using the Workflow Sessions APIs. I can explain this in more detail, but it is highly dependent on the group naming conventions.
Thanks for the clarification.
For example, if I have a profile type for the companies, and I assign the corresponding company to the users, can I do anything with that relation?
Could you help me in any way?
This company, of which the user would now be a collaborator, is the same company that should be selected in the “ProfileSearch”.
So, these users are System Users coming in from ISC / your IDP? As such, they have limited data: only their name, email, login, title, and groups, which map to User Roles. System Users also do not have Profiles that we can link data to, like Collaboration users.
How can you currently tell the difference between whether a user is in Company A, B, or C? Is there a particular email domain?
Using Colton’s first example solution: One possible solution here would be to use a Set Attribute Values action to pull the email of the Requester, using it in a condition to check the value.
Then, in another Set Attribute Values action inside the condition, you would statically set the Company Profile Select to the right Company.
You could also maybe do this by setting the Titles of the Users to the company name and checking against that.
Other options here could maybe look at a value in ISC. In a REST API action, you could search for the Identity using the login value or email: list-identities | SailPoint Developer Community . Then, with the returned data, you could data-map whatever value the Identity has that says which company they are a part of, and use that in the condition.
What options you have will depend on what data you have available.
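As an added example (not code from this thread or from SailPoint), here is the lookup the two answers above describe, written as one table-driven check instead of one workflow condition per company: it prefers a company attribute on the ISC identity record, falls back to the requester's e-mail domain (matching parent domains so subdomains work), and refuses to choose a company when neither source matches, so a requester is never handed another company's options. The identity record, the domain table and the attribute name `company` are constructed assumptions; the script parses a record shaped like one list-identities result rather than calling ISC.

```python
"""Resolve a NERM requester's company from ISC data or the e-mail domain.

Added example, not from the original thread or from SailPoint. The ISC
identity record below is constructed to resemble one list-identities result;
the "company" identity attribute and the domain table are assumptions.
"""
import json

# Constructed table maintained by the NERM admin: e-mail domain -> company.
# One table entry replaces one "if domain == ..." condition in the workflow.
DOMAIN_TO_COMPANY = {
    "companya.com": "Company A",
    "companyb.com": "Company B",
    "companyc.example": "Company C",
}

# Which options each company unlocks (taken from the thread).
COMPANY_OPTIONS = {
    "Company A": ["Option 1", "Option 2"],
    "Company B": ["Option 3", "Option 4"],
    "Company C": ["Option 5", "Option 6"],
}

# Constructed sample shaped like one identity from an ISC list-identities
# call; the identifier is a placeholder and only the fields used here exist.
SAMPLE_ISC_IDENTITY = json.loads("""
{
  "id": "identity-placeholder-0001",
  "name": "gilberto.example",
  "alias": "gilberto.example",
  "emailAddress": "gilberto@companyb.com",
  "attributes": {"company": "Company B", "title": null}
}
""")


def domain_of(email):
    """Return the normalised domain of an e-mail address, or None if malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or any(c in domain for c in " /\\"):
        return None
    return domain


def company_from_domain(email, table=DOMAIN_TO_COMPANY):
    """Map an address to a company by exact domain or any parent domain.

    Suffix matching means sub.companya.com matches companya.com, while
    companya.com.evil.net and evilcompanya.com do not. A bare TLD never matches.
    """
    domain = domain_of(email)
    if domain is None:
        return None
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def resolve_company(identity, requester_email):
    """Return the requester's company, or None if it cannot be established.

    The ISC "company" attribute (assumed name) is treated as authoritative when
    set: a known value wins, an unknown value fails closed. Only when it is
    absent do we fall back to the identity's e-mail, then the session e-mail.
    """
    attr = (identity.get("attributes") or {}).get("company")
    if attr is not None:
        return attr if attr in COMPANY_OPTIONS else None
    for email in (identity.get("emailAddress"), requester_email):
        company = company_from_domain(email)
        if company:
            return company
    return None


def options_for_requester(identity, requester_email):
    """Return (company, options) or raise; the workflow must stop on None."""
    company = resolve_company(identity, requester_email)
    if company is None:
        raise PermissionError("requester could not be mapped to a known company")
    return company, COMPANY_OPTIONS[company]


if __name__ == "__main__":
    print(options_for_requester(SAMPLE_ISC_IDENTITY, "gilberto@companyb.com"))
```

The deliberate choice is to fail closed: when the identity carries a company the table does not know, or the domain is unlisted, the function returns nothing rather than a default, so the form cannot silently expose another company's options.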
Hi!
Thanks for the answer.
Honestly, I think it would be hard to manage the workflow if we do it by domain, since there are many companies; as I understand it, that would mean “many conditions”, right?
On the other hand, I think we can use the “titles” attribute. Right now that attribute is n/a for my users; it seems that ISC is not sending any value. Do you know how I can adjust the value that ISC should send?
Thanks for all the support.