"samaccountname" identity attribute generation

Hello everybody!
I hope y’all are doing great, thanks for all the help and support you have been providing.

So, we have been experiencing issues with samaccountname generation in the past, so I came up with a cloud rule that essentially generates the samaccountname:


So, whenever a user is added into our HR system, a birthright role is assigned and an account in AD is created with a samaccountname, which is then used for populating the identity attribute “samaccountname”:

The issue with this setup arose when we tried to use the samaccountname identity attribute for account creation in other applications, for example our ITSM solution, which requires networkusername (samaccountname). Accounts are being created at the same time for AD and ITSM, and the networkusername account attribute is not being populated, because the samaccountname has not been generated at that point.
So, I am a little lost, here. I have a couple of ideas, but I have some questions.
For your reference, the newSamaccountnameGenerator rule:

import org.apache.commons.lang.StringUtils;
import sailpoint.tools.GeneralException;

// Upper bound on the numeric suffix tried before giving up.
int maxIteration = 100;

public String generateUsername ( String firstName, String lastName, String middleName, int iteration ) {

  // Data protection: trim the inputs and bail out if first or last name is missing.
  firstName = StringUtils.trimToNull( firstName );
  lastName = StringUtils.trimToNull( lastName );
  middleName = StringUtils.trimToNull( middleName );
  if ( ( firstName == null ) || ( lastName == null ) )
    return null;

  // Base username: first 6 characters of the last name + first initial (+ middle initial when present).
  String username = StringUtils.substring( lastName, 0, 6 ) + StringUtils.substring( firstName, 0, 1 );
  if ( middleName != null ) {
    username = username + StringUtils.substring( middleName, 0, 1 );
  }
  // On a collision retry, append the iteration counter as a numeric suffix.
  if ( iteration > 0 ) {
    username = username + Integer.toString( iteration );
  }

  if ( isUnique( username ) )
    return username;
  else if ( iteration < maxIteration )
    return generateUsername( firstName, lastName, middleName, ( iteration + 1 ) );
  else
    return null;
}

// Uniqueness is checked only against the source this rule runs for (application).
public boolean isUnique ( String username ) throws GeneralException {
  return !idn.accountExistsByDisplayName( application.getName(), username );
}

return generateUsername( identity.getFirstname(), identity.getLastname(), identity.getStringAttribute( "middleName" ), 0 );

My initial idea was just using this rule in account creation, but it might be an issue, because the isUnique function checks whether the account exists in a specific source. So, for example, if the samaccountname generated in AD were Ibrahim1 (because somebody already has Ibrahim as samaccountname in AD), the ITSM source could generate networkusername (which should match samaccountname) as Ibrahim, because not everybody has the same access to sources, and the person who has Ibrahim in AD might not have access to ITSM.
Another idea was to use a complex first valid transform in identity profile, something like:

{
  "attributes": {
    "values": [
      {
        "attributes": {
          "sourceName": "Active Directory UAT",
          "attributeName": "sAMAccountName"
        },
        "type": "accountAttribute"
      },
      {
        "attributes": {
          "name": "NewSamAccountNameGenerator"
        },
        "type": "rule"
      }
    ]
  },
  "type": "firstValid",
  "name": "SamAccountName First Valid Transform"
}

But I am not sure if I need to reuse the rule here. Please, I need advice.
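To make the cross-source mismatch described in the post concrete, here is an added Python simulation (not the poster's rule, which runs as BeanShell inside IdentityNow) of the same generation logic, run once with a per-source uniqueness check and once with a check shared across both sources. The account inventories and names are constructed sample data.

```python
"""Simulated samaccountname generator: lastName[:6] + first initial
(+ middle initial), with a numeric suffix on collision, as in the rule."""

MAX_ITERATION = 100  # same retry bound as the rule


def base_username(first, last, middle=None):
    """Return the suffix-free username, or None if first/last is missing."""
    first, last = (first or "").strip(), (last or "").strip()
    middle = (middle or "").strip() or None
    if not first or not last:
        return None
    username = last[:6] + first[:1]
    if middle:
        username += middle[:1]
    return username


def generate_username(first, last, middle, is_unique):
    """Iterative form of the rule's recursion: try base, base1, base2, ...
    until is_unique() accepts a candidate; None once MAX_ITERATION is hit."""
    base = base_username(first, last, middle)
    if base is None:
        return None
    for iteration in range(MAX_ITERATION + 1):
        candidate = base if iteration == 0 else f"{base}{iteration}"
        if is_unique(candidate):
            return candidate
    return None


# Constructed inventories (lower-cased, since sAMAccountName is case-insensitive):
# "ibrahia" exists in AD but its owner has no ITSM account.
AD_ACCOUNTS = {"ibrahia", "smithj"}
ITSM_ACCOUNTS = {"smithj"}


def per_source_generation(first, last, middle=None):
    """The situation in the post: each source checks only its own accounts,
    so the AD and ITSM usernames can diverge."""
    ad = generate_username(first, last, middle, lambda u: u.lower() not in AD_ACCOUNTS)
    itsm = generate_username(first, last, middle, lambda u: u.lower() not in ITSM_ACCOUNTS)
    return ad, itsm


def shared_generation(first, last, middle=None):
    """Generate once against the union of every source that must agree,
    then hand the same value to both."""
    taken = AD_ACCOUNTS | ITSM_ACCOUNTS
    name = generate_username(first, last, middle, lambda u: u.lower() not in taken)
    return name, name
```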

@pulatoi You can also try something like the transform below; update the AD sourceId. Hope it might help.

{
  "type": "firstValid",
  "attributes": {
    "values": [
      {
        "type": "static",
        "attributes": {
          "value": "$identity.getLinksByAppIdOrName(\"<AD sourceid>\", null)[0].sAMAccountName"
        }
      },
      null
    ],
    "ignoreErrors": true
  }
}

Hi Ibrahim,

Are you creating ITSM accounts by using a Birthright Role?
If so, a simple solution is to add an additional condition to your role so that it will not trigger the ITSM account creation until AD is created. One example I’ve used before is having the mail generation happen at the time of the AD account creation, and then adding a filter to birthright roles with this dependency to check if the email contains “@”.

Hope this helps!
Thanks,
Margo


Hey Margo,
Thanks for the reply. It’s a good idea; I will definitely incorporate it. I also need to think about other roles, which include entitlements from other sources that require samaccountname in the provisioning plan. I was thinking about attribute sync as a third option, but wanted to see if we can do something with transforms or rules.

Hey Sagar,
Thanks a lot. I will try and test it today and let you know, but from what I can see, most likely it will return null, because there would be no samaccountname to look up in the case of a new hire.

Hi @pulatoi ,
As @margocbain mentioned, you may need to add an additional condition on the Birthright Role for other applications, including ITSM.
If you are using an email populated from the identity profile, then you might end up with the same issue. If you are generating the userPrincipalName using the sAMAccountName, then use the account attribute UPN contains ‘@’, so that the role will wait for the UPN to be generated using the samaccountname.

Thanks
V

Hello,

I would recommend using a firstValid transform where priority is given to the sAMAccountName attribute of AD, followed by a static value of “Unknown”. In this way, when the AD account is created, identity processing will change the SamAccountName identity attribute from Unknown to the actual generated sAMAccountName from AD, and then the respective provisioning will be triggered for the other dependent downstream systems.

And, in the birthright roles of the other downstream systems that depend on the SamAccountName value, just mention in the criteria “Identity Attribute → SamAccountName is not Unknown”.

An example of the transform:

{
    "name": "Get sAMAccountName",
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "attributes": {
                    "attributeName": "sAMAccountName",
                    "sourceName": "AD Dev"
                },
                "type": "accountAttribute"
            },
            "Unknown"
        ]
    },
    "internal": false
}

To conclude, when the identity is onboarded initially, the identity attribute named “SamAccountName” will have the value “Unknown”, and after AD account creation the identity attribute will change to the actual sAMAccountName, which will trigger the other downstream system provisioning.