Rule in Transform

Hey all,

I am trying to use below conditional transform in Provisioning Policy in which there is a rule to run (if condition matches), but it is not working. Can someone please tell a better approach for the same?

{
     "name": "sAMAccountName",
     "transform": {
       "attributes": {
         "expression": "$usertype eq out",
         "positiveCondition": "$ABCuser",
         "negativeCondition": "$DEFuser",
         "usertype": {
           "attributes": {
             "name": "usertype"
           },
           "type": "identityAttribute"
         },
         "ABCuser": {
           "type": "identityAttribute",
           "attributes": {
             "name": "abcusername"
           }
         },
         "DEFuser": {
           "attributes": {
             "name": "Rule-AttributeGenerator-GenerateUsername"
           },
           "type": "rule"
         }
       },
       "type": "conditional"
     },
     "attributes": {},
     "isRequired": false,
     "type": "string",
     "isMultiValued": false
}

Hi @imspurohit7991 ,
This looks fine ,What’s the error or output you are getting.

In my opinion Attribute Generator rules are supposed to be used for Identity Attributes. To use in a transform you need a generic type rule

I’d probably stick in a firstVaild argument for $usertype to catch any errors:

{
  "name": "sAMAccountName",
  "transform": {
    "type": "conditional",
    "attributes": {
      "expression": "$usertype eq out",
      "positiveCondition": "$ABCuser",
      "negativeCondition": "$DEFuser",
      "usertype": {
        "type": "firstValid",
        "attributes": {
          "values": [
            {
              "type": "identityAttribute",
              "attributes": {
                "name": "usertype"
              }
            },
            "XXX"
          ],
          "ignoreErrors": false
        }
      },
      "ABCuser": {
        "type": "identityAttribute",
        "attributes": {
          "name": "abcusername"
        }
      },
      "DEFuser": {
        "type": "rule",
        "attributes": {
          "name": "Rule-AttributeGenerator-GenerateUsername"
        }
      }
    }
  },
  "attributes": {},
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

Also, don’t forget to encase any code in these: ```

1 Like

Access request (Create Operation via entitlement request) not getting triggered while applying it in Provisioning Policy.

The issue is with the request centre ,While requesting entitlement it is not triggering ,it could be a bug.Try attaching the entitlement with an access profile and request the access profile.It will work for you!!
Try it Saurav.
Thanks!!

1 Like

@imspurohit7991 , I suggest exploring “Create Unique LDAP Attribute” rule and find a workaround.

You could do following,

  1. in “abcusername” identity attribute, calculate value of username based on the usertype value.
  2. You could use conditional transform, if usertype is equal to “out” then value should be some value from account attribute, if usertype is something else, then calculate a base value of sAmAccountname, e.g. firstname.lastname
  3. The in provisioning policy, you could do something like this to calculate sAMAccountName
{
                "name": "sAMAccountName",
                "transform": {
                    "type": "rule",
                    "attributes": {
                        "name": "Create Unique LDAP Attribute"
                    }
                },
                "attributes": {
                    "template": "$(abcusername)$(uniqueCounter)",
                    "cloudMaxUniqueChecks": "50",
                    "cloudMaxSize": "100",
                    "cloudRequired": "true"
                },
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }

This will ensure that sAMAcouuntName will always be calculated and will be unique.

Let me know if it makes sense, feel free to ping me if you need more clarity.

Thanks,
Vaibhav

Hi @iamnithesh I have added Generic Rule in place of Attribute Generator, still I am unable to raise Access Request (not getting triggered).

{
     "name": "sAMAccountName",
     "transform": {
       "attributes": {
         "expression": "$usertype eq out",
         "positiveCondition": "$ABCuser",
         "negativeCondition": "$DEFuser",
         "usertype": {
           "attributes": {
             "name": "usertype"
           },
           "type": "identityAttribute"
         },
         "ABCuser": {
           "type": "identityAttribute",
           "attributes": {
             "name": "abcusername"
           }
         },
         "DEFuser": {
           "attributes": {
             "name": "Rule-Generic-GenerateUsername"
           },
           "type": "rule"
         }
       },
       "type": "conditional"
     },
     "attributes": {},
     "isRequired": false,
     "type": "string",
     "isMultiValued": false
}

you are using the file name here. Just use “GenerateUsername” instead of “Rule-Generic-GenerateUsername”

Hi @imspurohit7991

The create account request is not getting triggered for any of the identities you tried? I believe you are requesting for an identity that does not have account in the target. The create operation will not get triggered if the sAMAccountName generated is not unique which means the account exists in the target. You can once check your rule logic if it generates unique username and the identity attribute “abcusername” is also unique. And ensure to define the correct rule name in the policy.

i think the issue is one of syntax.

"transform": {...} isn’t a key that should be there. everything you have inside the transform block should be moved to the currently-empty attributes block, and remove the "transform": {}.

see the examples on the conditional transform primitive page.

@sup3rmark
The “transform” line is required when it is part of the CREATE profile in source provisioning. ie:

        {
            "name": "sAMAccountName",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Create Unique LDAP Attribute"
                }
            },
            "attributes": {
                "template": "$(samaccountnameCalculate)$(uniqueCounter)",
                "cloudMaxUniqueChecks": "10",
                "cloudMaxSize": "20",
                "cloudRequired": "true"
            },
            "isRequired": true,
            "type": "string",
            "isMultiValued": false
        }

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.