Rule in transform not populating correct data

mpotti · February 4, 2025, 8:39pm

I have run into a snag with this transform. I need to do a look up on rule getReferenceIdentityAttribute in order to extrach EEID for manager so that it shows properly on cube. I can have this transform either populate none or the email address of the manager. It appears that when looking at the rule that it is not doing the look up as I would expect it to. When this rule is applied directly to the identiy profile it works without issue. What I am struggling with is being able to pass the secZettaManager into the rule so that it can do the look up. When looking at the documentation there is nothing on this exact use case on how I would go about doing it. Any ideas on how I can the desired results?

Transform:

{
    "id": "REMOVED",
    "name": "Calculate DualSource Manager 2",
    "type": "static",
    "attributes": {
        "workdayTerm": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "TERMINATED__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManager": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "manager_email",
                            "sourceName": "SecZetta"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManagerID": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "name": "Cloud Services Deployment Utility",
                            "operation": "getReferenceIdentityAttribute",
                            "uid": "manager",
                            "attributeName": "identificationNumber",
                            "input": {
                                "value": "$secZettaManager"
                            }
                        },
                        "type": "rule"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "workdayManager": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "attributeName": "Manager UserID__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workdayTerm.equals(\"1\"))$secZettaManagerID#{else}$workdayManager#end"
    },
    "internal": false
}

Screen Print of SecZetta Source Config:

Transform Referenced in Config:

{
    "id": "Removed",
    "name": "Transform - ManagerEmployeeNumber - SecZetta",
    "type": "rule",
    "attributes": {
        "name": "Cloud Services Deployment Utility",
        "operation": "getReferenceIdentityAttribute",
        "uid": "manager",
        "attributeName": "identificationNumber"
    },
    "internal": false
}

Output in Identity Profile:

{A341871A-FBE0-4BC0-ACE4-1FFEBC72AF8B} pecting?

JackSparrow · February 5, 2025, 5:06am

HI @mpotti , I don’t think its required to give input in the transform rule which is to reference the manager to get the ID.

                     "attributes": {
                            "name": "Cloud Services Deployment Utility",
                            "operation": "getReferenceIdentityAttribute",
                            "uid": "manager",
                            "attributeName": "identificationNumber",
                            "input": {
                                "value": "$secZettaManager"
                            }

Can you try by removing the input field.

                      "attributes": {
                            "name": "Cloud Services Deployment Utility",
                            "operation": "getReferenceIdentityAttribute",
                            "uid": "manager",
                            "attributeName": "identificationNumber",
                            }

mpotti · February 5, 2025, 12:23pm

if I remove the input block I get the following:

{14198200-3507-4605-ACE0-EB859B9D2788}

If I remove the first valid part of the secZettaManagerId block I get the following:

Updated variable:

        "secZettaManagerID": {
            "type": "rule",
            "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getReferenceIdentityAttribute",
                "uid": "manager",
                "attributeName": "identificationNumber"
            }
        },

mpotti · February 5, 2025, 6:20pm

Here is something other things I have tried to get this to work. Every one came back erroring out around the secZettaManagerId variable.

"secZettaManagerID": {
    "type": "rule",
    "attributes": {
        "name": "Cloud Services Deployment Utility",
        "operation": "getReferenceIdentityAttribute",
        "uidAttributeName": "manager_email",
        "uidAttributeSource": "SecZetta",
        "attributeName": "identificationNumber"
    }
}

"secZettaManagerID": {
    "type": "rule",
    "attributes": {
        "name": "Cloud Services Deployment Utility",
        "operation": "getIdentityAttribute",
        "identityName": {
            "type": "rule",
            "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getIdentityName",
                "attributeName": "manager_email",
                "attributeSource": "SecZetta"
            }
        },
        "attributeName": "identificationNumber"
    }
}

"secZettaManagerID": {
    "type": "rule",
    "attributes": {
        "name": "Cloud Services Deployment Utility",
        "operation": "getIdentityProperty",
        "identityName": {
            "type": "rule",
            "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getIdentityName",
                "attributeName": "manager_email",
                "attributeSource": "SecZetta"
            }
        },
        "propertyName": "identityName"
    }
}

"secZettaManagerID": {
    "type": "rule",
    "attributes": {
        "name": "Cloud Services Deployment Utility",
        "operation": "getReferenceIdentityAttribute",
        "uid": "$secZettaManager",
        "attributeName": "identificationNumber"
    }
}

"attributes": {
        "workdayTerm": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "TERMINATED__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManager": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "manager_email",
                            "sourceName": "SecZetta"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManagerID": {
            "type": "rule",
            "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getIdentityAttribute",
                "identityName": "$secZettaManager",
                "attributeName": "identificationNumber"
            }
        },
        "workdayManager": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "attributeName": "Manager UserID__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workdayTerm.equals(\"1\"))$secZettaManagerID#{else}$workdayManager#end"
    }

"attributes": {
        "workdayTerm": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "TERMINATED__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManager": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "manager_email",
                            "sourceName": "SecZetta"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "managerIdentityName": {
            "type": "rule",
            "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getIdentityName",
                "attributeName": "manager_email",
                "attributeSource": "SecZetta"
            }
        },
        "secZettaManagerID": {
            "type": "rule",
            "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getIdentityAttribute",
                "identityName": "$managerIdentityName",
                "attributeName": "identificationNumber"
            }
        },
        "workdayManager": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "attributeName": "Manager UserID__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workdayTerm.equals(\"1\"))$secZettaManagerID#{else}$workdayManager#end"
    }

"attributes": {
        "workdayTerm": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "TERMINATED__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManager": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "manager_email",
                            "sourceName": "SecZetta"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "workdayManager": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "attributeName": "Manager UserID__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workdayTerm.equals(\"1\"))${identityAttributes.getIdentityAttribute(\"identificationNumber\", sailpoint.tools.Util.getIdentityName($secZettaManager, \"SecZetta\"))}#{else}$workdayManager#end"
    }

 "attributes": {
        "workdayTerm": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "TERMINATED__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManager": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "manager_email",
                            "sourceName": "SecZetta"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "workdayManager": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "attributeName": "Manager UserID__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workdayTerm.equals(\"1\"))#set($managerIdentity = $sailpoint.tools.Util.getIdentity($secZettaManager, \"SecZetta\"))#if($managerIdentity)${managerIdentity.getObjectValue(\"identificationNumber\")}#end#{else}$workdayManager#end"
    }

"attributes": {
        "workdayTerm": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "TERMINATED__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManager": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "manager_email",
                            "sourceName": "SecZetta"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "workdayManager": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "attributeName": "Manager UserID__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workdayTerm.equals(\"1\"))#set($managerIdentityName = $sailpoint.tools.Util.getIdentityName($secZettaManager, \"SecZetta\"))#if($managerIdentityName)#set($managerIdentity = $sailpoint.context.getObjectByName(\"Identity\", $managerIdentityName))#if($managerIdentity)$managerIdentity.getAttribute(\"identificationNumber\").getValue()#end#end#{else}$workdayManager#end"
    }

"attributes": {
        "workdayTerm": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "TERMINATED__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManager": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "manager_email",
                            "sourceName": "SecZetta"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "workdayManager": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "attributeName": "Manager UserID__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workdayTerm.equals(\"1\"))#set($managerIdentity = $identityById($secZettaManager))#if($managerIdentity)${managerIdentity.attributes.identificationNumber}#end#{else}$workdayManager#end"
    }

"attributes": {
        "workdayTerm": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "TERMINATED__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "secZettaManager": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "manager_email",
                            "sourceName": "SecZetta"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "workdayManager": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "attributeName": "Manager UserID__c",
                            "sourceName": "Workday Production Sandbox"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workdayTerm.equals(\"1\"))#set($managerIdentity = $sailpoint.tools.Util.getIdentityFromName($secZettaManager))#if($managerIdentity)${managerIdentity.attributes.identificationNumber}#end#{else}$workdayManager#end"
    }

mpotti · February 5, 2025, 6:31pm

I also tried taking another approach to solve this issue. I tried adding an attribute to the identity profile to map the value to. But because not every Workday user has a SecZetta account it ended putting a lot of identities in an error state. The idea was to mirror what the SecZetta Identity Profile has and then pull that information and populate it. Due to the large number of error on the the identities I have removed the transform from the attribute. This was also a fail.

zachm117 · February 21, 2025, 2:55pm

Hey Mark,

Not sure if you are still looking for an answer, but I stumbled upon this and figured I’d try to help a bit.

As I understand it, the getReferenceIdentityAttribute transform operation doesn’t take any input and instead relies on the uid to know which identity cube to lookup. “manager” can be used instead of providing an actual uid value, but that is just going to look at the identity cube of the manager that is correlated to the identity. Since an identity can only have one manger identity correlated to them at a time, this rule will always try to get the value from that correlated manager.

Perhaps you might be better off looking at the manager correlation logic to have IDN decide which manager to correlate to the identity and just have this transform on the identity profile use the “basic” transform that was working for you to get the manager email.

Hope this helps!

Zach

system · April 22, 2025, 2:55pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Transform - getReferenceIdentityAttribute manager ID not working ISC Discussion and Questions transforms , identity-security-cloud , provisioning	7	164	August 26, 2025
Get identity's manager's manager when Identity's manager lifecycleState is inactive ISC Discussion and Questions transforms , identity-security-cloud	7	183	April 5, 2025
Trying to use reference type transform with in Cloud Services Deployment Utility/getReferenceIdentityAttribute rule ISC Discussion and Questions transforms , rules	1	636	July 19, 2023
Transform to get a managers UPN ISC Discussion and Questions transforms , identity-security-cloud	23	404	July 31, 2024
Regarding Taking Manager value from different sources depending on a flag attribute ISC Discussion and Questions transforms , identity-security-cloud	6	69	June 27, 2025

Rule in transform not populating correct data

Transform:

Screen Print of SecZetta Source Config:

Transform Referenced in Config:

Output in Identity Profile:

Related topics