I’m working on a use case in SailPoint ISC, where I need to pass a value generated by a transform itself into Attribute Generator Rule as input. Here’s the context:
There is a provisioning policy that invokes a rule.
The rule depends on a transform for generating the input for the lastName variable within the rule.
The transform in the CREATE policy structure is as follows:
This can be handled directly within the rule. However, for every additional requirement to replace words, we would need to modify the rule and deploy it.
With that in mind, and also because this create policy will be triggered only once, I thought of providing the input via a policy over creating an identity attribute.
If there’s no way to handle this through the policy, then creating an identity attribute seems like the better approach, in my opinion.
I’ve not seen any documentation or reference article related to “inputToRule”.
We have never tried this complex logic where we use transform output as rule input.
Please post your result once your provisioning policy is successful; a bit curious to know the outcome.
Below are some other ways to achieve it which might be helpful. I am not sure about the best practices, but I believe you can choose any of the below three approaches and it should be fine.
In this approach you can have a variable defined under the connector attributes, something like below:
Then in the rule you can retrieve this attribute from the application content and loop over each expression, using the regular expression pattern to be tested; if it returns true, you can use the value from the above dictionary to replace that. I am not sure about the $1 used above, but I believe you can overcome that.
This will avoid your need to depend on deploying the rule again if new regEx expressions need to be added into the logic, as you can simply change these values in the source JSON. But in case there is another requirement, like converting special characters such as ü to the corresponding English alphabet letter such as u, then this may not be possible and you will need to update the rule. So in my opinion, if replace is the only action you foresee, then this approach can be utilized. Of course, here you will need to deploy your own attribute generator rule.
The second approach you can use, but I think it will be applicable only if this is an Active Directory type of source. So you can still use the same transform, but instead of using this transform in the mail attribute directly, you can create one temporary attribute in the create policy. Make sure this temporary attribute is placed above the mail attribute. In this attribute you can then use this transform, and in the mail attribute you can then pass this attribute (as $tempAttr) as the input. This will also give you an overview of the value generated for this attribute in the events, and you can see them whenever any new account is created.
But this will mean that when ISC tries to create the attribute in the target application it will try to provision this temp attribute as well for the user, and it may fail as this attribute is not available in the target application. For that you can add the attribute in the excludeAttributesFromProvisioning block in the source JSON under connector attributes, and that should avoid including this attribute in the provisioning plan, but you can still use it for generating the email. But I have seen the exclude block only in AD type of sources, so I am not sure if this is applicable if this is a non-AD source.
But for an AD source this also looks to be a decent approach, unless I am missing something here.
You can also prefer using another identity attribute, which is the most traditional way of achieving this requirement, but having an identity attribute for this requirement would be the last option I would prefer, unless we can use this value in some other sources as well, in which case this would be the best way, I believe.
I hope this helps; if you have any queries, please let me know.
I have read your second approach; you mentioned the attribute excludeAttributesFromProvisioning. Do we have any documentation for that in SailPoint?
No, unfortunately I do not find this attribute information in the connector’s official documentation, but I think this is a standard attribute. I cannot confirm, as I believe it should be confirmed by SailPoint colleagues.
Although I found this post where the same attribute is mentioned in one of the comments, which you can check:
In addition to that, I would suggest you either check with SailPoint support regarding whether we can use this attribute, or maybe just give it a quick try by adding some static attribute to the create policy, then add that attribute in this block in the source JSON and see if AD provisioning is working fine. I also see in the above post that it is mentioned that we can use this attribute in other connectors too, so I think this could be helpful.
What error are you receiving in the rule validator? Is it related to a method not being available?
I am not sure what the use of this method trimToNull is. Also, I cannot find the StringUtils library in the Java documents; either I am missing something, or it has been replaced with the utils lib, as I can see a lot of string-related methods in this library, e.g. trimWhitespace.
So if you know the use of this method, I suggest you just use your own logic in the rule to make a similar function. E.g. if it performs the trim operation on the input, then you can try to use the standard trim operation or use utils.trimWhitespace(inputToRule); maybe this will help.
Could not retrieve definition for variable name 'replaced_LastName'
String lastName = StringUtils .trimToNull ( inputToRule )
This was the error returned by the rule validator. It is not accepting the inputToRule reference (expecting a variable named inputToRule). Any idea on what should be done?
Also, there is no problem with StringUtils.trimToNull. There is no error in this.
The error message refers to replaced_LastName; can you please check if this variable is present in your code and not initialized properly?
I also see a space between StringUtils and trimToNull and the parameters passed, but probably that is an issue with writing the code here.
If it is pointing to the same line of code where you are using trimToNull, then most likely this method internally creates a new variable replaced_LastName and returns it, and probably can throw this error if inputToRule is null. Can you please try the below perhaps:
The same error repeats even after modifying the code. I think the rule validator is not accepting it; it’s expecting the variable to be declared inside the rule.
I believe the method will be acceptable, but the rule will not be deployed unless the validator confirms it. So in my opinion you can either check with SailPoint support if they can help in deploying the rule, at least in your non-prod tenant. Otherwise you can go for approach 1 as I mentioned above, where you can read the lastname from the identity, then read the regEx expressions from the source, loop over them and apply them; that should do the trick for you.
I think the 1st approach will not be suitable as per our requirement. We would have two ways:
3rd approach, which you mentioned, or handling all these requirements directly inside the rule.
Yes, I think you can still apply the 1st approach, as I see only regEx validation done there, so I was thinking of doing something like below:
Map regExExpressionsToBeChecked = (Map) application.getAttributeValue("regExExpressionsToBeChecked");
String lastName = (String) identity.getAttribute("LastName");
// each map key is a regEx pattern, each value the replacement text for its matches
for (Object key : regExExpressionsToBeChecked.keySet())
{
    String pattern = (String) key;
    String replacement = (String) regExExpressionsToBeChecked.get(key);
    // apply the replacement wherever the pattern matches lastName
    lastName = lastName.replaceAll(pattern, replacement);
}
But this approach anyway needs you to write your custom rule, so I agree you can go for approach 3. You can then use the same logic here as mentioned in approach 1, so that if you need to extend the regEx expressions you do not need to redeploy the rule. You can just update the source configuration and then the rule should pick that up.
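The following is an added worked example of the approach-1 / approach-3 logic discussed above (the regEx map kept in source configuration and applied inside the rule); it is not code from this thread or from SailPoint. The pattern-to-replacement map is constructed inline and labelled as such; in the real attribute generator rule it would come from `(Map) application.getAttributeValue("regExExpressionsToBeChecked")` and the input from `inputToRule` or `identity.getAttribute("LastName")`, both assumed here and not used, so the class compiles and runs as plain Java. It also covers the two loose ends from the thread: null or blank input (what `StringUtils.trimToNull` handled) and `$1`-style backreferences in replacement values, and it skips a malformed pattern or a bad group reference coming from configuration instead of letting a config typo fail account creation.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LastNameReplacer {

    /**
     * Applies each pattern -> replacement pair in insertion order, so the map
     * should preserve order (LinkedHashMap) when one rule depends on another.
     * Replacement strings may contain Java backreferences such as $1.
     */
    public static String applyReplacements(String input, Map<String, String> rules) {
        // Same effect as StringUtils.trimToNull: null or blank input yields null
        if (input == null) {
            return null;
        }
        String value = input.trim();
        if (value.isEmpty()) {
            return null;
        }
        if (rules == null) {
            return value;
        }
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            String replacement = rule.getValue() == null ? "" : rule.getValue();
            try {
                Matcher m = Pattern.compile(rule.getKey()).matcher(value);
                if (m.find()) {
                    value = m.replaceAll(replacement);
                }
            } catch (IllegalArgumentException | IndexOutOfBoundsException e) {
                // PatternSyntaxException (bad regex in config) or a $n reference to a
                // group the pattern does not have: report and skip this entry only
                System.err.println("Skipping rule '" + rule.getKey() + "': " + e.getMessage());
            }
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample configuration; in the rule this map would be read with
        // (Map) application.getAttributeValue("regExExpressionsToBeChecked")
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("(?i)\\bvan der\\b", "vander");   // collapse a multi-word prefix
        rules.put("['\\s-]+", "");                   // drop apostrophes, spaces and hyphens
        rules.put("^(\\w+)\\(.*\\)$", "$1");         // keep group 1 only, dropping a "(Jr)" suffix
        rules.put("[unclosed", "x");                 // malformed on purpose; gets skipped

        // Constructed inputs; in the rule this would be inputToRule or the identity's LastName
        String[] samples = { "  Van der Berg  ", "O'Brien (Jr)", "   ", null };
        for (String s : samples) {
            System.out.println("[" + s + "] -> [" + applyReplacements(s, rules) + "]");
        }
    }
}
```

Because the values come from source configuration rather than from the rule, whoever can edit the source JSON can change what the rule does, so ordering the map deterministically and rejecting malformed entries matters more than it would for hard-coded patterns.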