Rule in Transform

Hey all,

I am trying to use the conditional transform below in a Provisioning Policy, in which there is a rule to run (if the condition matches), but it is not working. Can someone please suggest a better approach for the same?

{
     "name": "sAMAccountName",
     "transform": {
       "attributes": {
         "expression": "$usertype eq out",
         "positiveCondition": "$ABCuser",
         "negativeCondition": "$DEFuser",
         "usertype": {
           "attributes": {
             "name": "usertype"
           },
           "type": "identityAttribute"
         },
         "ABCuser": {
           "type": "identityAttribute",
           "attributes": {
             "name": "abcusername"
           }
         },
         "DEFuser": {
           "attributes": {
             "name": "Rule-AttributeGenerator-GenerateUsername"
           },
           "type": "rule"
         }
       },
       "type": "conditional"
     },
     "attributes": {},
     "isRequired": false,
     "type": "string",
     "isMultiValued": false
}

Hi @imspurohit7991 ,
This looks fine. What's the error or output you are getting?

In my opinion Attribute Generator rules are supposed to be used for Identity Attributes. To use one in a transform you need a Generic type rule.

I'd probably stick in a firstValid argument for $usertype to catch any errors:

{
  "name": "sAMAccountName",
  "transform": {
    "type": "conditional",
    "attributes": {
      "expression": "$usertype eq out",
      "positiveCondition": "$ABCuser",
      "negativeCondition": "$DEFuser",
      "usertype": {
        "type": "firstValid",
        "attributes": {
          "values": [
            {
              "type": "identityAttribute",
              "attributes": {
                "name": "usertype"
              }
            },
            "XXX"
          ],
          "ignoreErrors": false
        }
      },
      "ABCuser": {
        "type": "identityAttribute",
        "attributes": {
          "name": "abcusername"
        }
      },
      "DEFuser": {
        "type": "rule",
        "attributes": {
          "name": "Rule-AttributeGenerator-GenerateUsername"
        }
      }
    }
  },
  "attributes": {},
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

Also, don’t forget to encase any code in these: ```

1 Like
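As an added illustration (not part of the thread, and not SailPoint's transform engine), a small Python simulation of the conditional above with and without the firstValid guard. The transform semantics, the stub value returned for the rule, and the two sample identities are assumptions.

```python
class TransformError(Exception):
    """Raised where the simulated transform cannot produce a value."""

IDENTITY_WITH_TYPE = {"usertype": "out", "abcusername": "jdoe.ext"}  # constructed sample identity
IDENTITY_NO_TYPE = {"abcusername": "jdoe.ext"}                       # constructed: usertype never populated

def resolve(token, attrs, identity):
    """Resolve a '$name' reference to its sibling sub-transform; anything else is a literal."""
    if not token.startswith("$"):
        return token
    name = token[1:]
    if name not in attrs:
        raise TransformError(f"undefined reference {token}")
    return evaluate(attrs[name], identity)

def evaluate(node, identity):
    """Assumed, simplified semantics of the transform types used in the thread."""
    if isinstance(node, str):                    # bare string in a firstValid list is a literal
        return node
    kind, attrs = node["type"], node.get("attributes", {})
    if kind == "identityAttribute":
        return identity.get(attrs["name"])       # None when the attribute is not populated
    if kind == "rule":
        return f"rule:{attrs['name']}"           # stand-in; the real rule runs inside SailPoint
    if kind == "firstValid":
        for candidate in attrs["values"]:
            value = evaluate(candidate, identity)
            if value is not None:
                return value
        if attrs.get("ignoreErrors"):
            return None
        raise TransformError("firstValid: every value was null")
    if kind == "conditional":
        left, op, right = attrs["expression"].split()
        lhs = resolve(left, attrs, identity)
        if op != "eq" or lhs is None:            # a null usertype is where the unguarded version fails
            raise TransformError(f"cannot evaluate {attrs['expression']!r} with lhs={lhs!r}")
        matched = lhs == resolve(right, attrs, identity)
        return resolve(attrs["positiveCondition" if matched else "negativeCondition"], attrs, identity)
    raise TransformError(f"unsupported transform type {kind}")

def conditional(usertype_node):
    """The thread's conditional transform, parameterised on the usertype sub-transform."""
    return {"type": "conditional", "attributes": {
        "expression": "$usertype eq out", "positiveCondition": "$ABCuser",
        "negativeCondition": "$DEFuser", "usertype": usertype_node,
        "ABCuser": {"type": "identityAttribute", "attributes": {"name": "abcusername"}},
        "DEFuser": {"type": "rule", "attributes": {"name": "GenerateUsername"}}}}

PLAIN = conditional({"type": "identityAttribute", "attributes": {"name": "usertype"}})
GUARDED = conditional({"type": "firstValid", "attributes": {"ignoreErrors": False, "values": [
    {"type": "identityAttribute", "attributes": {"name": "usertype"}}, "XXX"]}})
```

With usertype populated both variants take the positive branch; with it missing, PLAIN raises while GUARDED falls through to the rule branch.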

Access request (Create Operation via entitlement request) not getting triggered while applying it in Provisioning Policy.

The issue is with the request centre. While requesting an entitlement it is not triggering; it could be a bug. Try attaching the entitlement to an access profile and requesting the access profile. It will work for you!!
Try it Saurav.
Thanks!!

1 Like

@imspurohit7991 , I suggest exploring “Create Unique LDAP Attribute” rule and find a workaround.

You could do following,

  1. In the "abcusername" identity attribute, calculate the value of the username based on the usertype value.
  2. You could use a conditional transform: if usertype is equal to "out" then the value should be some value from an account attribute; if usertype is something else, then calculate a base value of sAMAccountName, e.g. firstname.lastname.
  3. Then in the provisioning policy, you could do something like this to calculate sAMAccountName:
{
    "name": "sAMAccountName",
    "transform": {
        "type": "rule",
        "attributes": {
            "name": "Create Unique LDAP Attribute"
        }
    },
    "attributes": {
        "template": "$(abcusername)$(uniqueCounter)",
        "cloudMaxUniqueChecks": "50",
        "cloudMaxSize": "100",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

This will ensure that sAMAccountName will always be calculated and will be unique.

Let me know if it makes sense, feel free to ping me if you need more clarity.

Thanks,
Vaibhav
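A simulation (added here; not Vaibhav's code and not SailPoint's implementation) of how the template above is expanded and checked against existing accounts. The counter semantics (blank on the first try, then 1, 2, ...), the case-insensitive comparison and the set of existing sAMAccountNames are assumptions.

```python
import re

# Constructed sample of sAMAccountNames already present in the target directory (assumption).
EXISTING_ACCOUNTS = {"jdoe", "jdoe1", "JDoe2"}

class UniquenessError(Exception):
    """Raised when no unique value is found within cloudMaxUniqueChecks or the value is too long."""

def expand(template, values, counter):
    """Expand $(name) placeholders; $(uniqueCounter) is "" on the first try, then 1, 2, ..."""
    def sub(match):
        key = match.group(1)
        if key == "uniqueCounter":
            return "" if counter == 0 else str(counter)
        return values[key]
    return re.sub(r"\$\((\w+)\)", sub, template)

def create_unique_value(attr_def, identity, existing):
    """Simulate the uniqueness loop for one provisioning-policy attribute definition."""
    a = attr_def["attributes"]
    max_checks, max_size = int(a["cloudMaxUniqueChecks"]), int(a["cloudMaxSize"])
    taken = {e.lower() for e in existing}          # sAMAccountName is not case-sensitive in AD
    for counter in range(max_checks + 1):
        candidate = expand(a["template"], identity, counter)
        if len(candidate) > max_size:
            raise UniquenessError(f"{candidate!r} exceeds cloudMaxSize={max_size}")
        if candidate.lower() not in taken:
            return candidate
    raise UniquenessError(f"no unique value after {max_checks} checks")

# The attribute definition from the post above, as a Python dict.
SAM_DEF = {"name": "sAMAccountName",
           "transform": {"type": "rule", "attributes": {"name": "Create Unique LDAP Attribute"}},
           "attributes": {"template": "$(abcusername)$(uniqueCounter)",
                          "cloudMaxUniqueChecks": "50", "cloudMaxSize": "100",
                          "cloudRequired": "true"},
           "isRequired": False, "type": "string", "isMultiValued": False}
```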

Hi @iamnithesh, I have added a Generic rule in place of the Attribute Generator, but I am still unable to raise the Access Request (it is not getting triggered).

{
     "name": "sAMAccountName",
     "transform": {
       "attributes": {
         "expression": "$usertype eq out",
         "positiveCondition": "$ABCuser",
         "negativeCondition": "$DEFuser",
         "usertype": {
           "attributes": {
             "name": "usertype"
           },
           "type": "identityAttribute"
         },
         "ABCuser": {
           "type": "identityAttribute",
           "attributes": {
             "name": "abcusername"
           }
         },
         "DEFuser": {
           "attributes": {
             "name": "Rule-Generic-GenerateUsername"
           },
           "type": "rule"
         }
       },
       "type": "conditional"
     },
     "attributes": {},
     "isRequired": false,
     "type": "string",
     "isMultiValued": false
}

You are using the file name here. Just use "GenerateUsername" instead of "Rule-Generic-GenerateUsername".

Hi @imspurohit7991

Is the create account request not getting triggered for any of the identities you tried? I believe you are requesting for an identity that does not have an account in the target. The create operation will not get triggered if the sAMAccountName generated is not unique, which means the account exists in the target. You can check once whether your rule logic generates a unique username and whether the identity attribute "abcusername" is also unique. And ensure you define the correct rule name in the policy.

I think the issue is one of syntax.

"transform": {...} isn't a key that should be there. Everything you have inside the transform block should be moved to the currently-empty attributes block, and remove the "transform": {}.

See the examples on the conditional transform primitive page.

@sup3rmark
The "transform" line is required when it is part of the CREATE profile in source provisioning, i.e.:

        {
            "name": "sAMAccountName",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Create Unique LDAP Attribute"
                }
            },
            "attributes": {
                "template": "$(samaccountnameCalculate)$(uniqueCounter)",
                "cloudMaxUniqueChecks": "10",
                "cloudMaxSize": "20",
                "cloudRequired": "true"
            },
            "isRequired": true,
            "type": "string",
            "isMultiValued": false
        }