Transform to calculate if an identity is a manager

Hi All,

I’m trying to achieve a use-case where I’ve created a new identity attribute called “isManager” in the Identity Profile. I want to write a transform logic which would calculate if that identity is a manager or not? Later, I want to use this identity attribute as a membership criteria for a role, which only needs to be assigned to managers as birthright.

Is there any OOTB functionality or a “Cloud Services Deployment Utility” based transform that I can leverage for this?

I know that ISC can calculate if an identity is a manager from search using the query “isManager:true”. Is there a similar possibility to leverage this in transforms as well?

Thanks,
Arshad.

Maybe you can achieve this using the following transform and Rule on ISC:

[REDACTED]

Got to test it to see if it works!

Hey @ipobeidi
I’m also trying to understand how this transform would work, when the identity attribute itself on which this transform would be applied is “isManager”? And the reference is also pointing to the same.

Yeah it does not seem to work. My bad.
This is a lost opportunity for SailPoint, we could query whatever we want with the QueryOptions.

else {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("uid", uid));
    Iterator it = context.search(Identity.class, qo);
    if (it.hasNext()) {
        Identity user = (Identity) it.next();
        if (user != null) {
            return (String) user.getAttribute(attributeName);
        }
    }
    else {
        return null;
    }
}
}

Maybe create an IDN source to just query this info and pull from it?

-Ivan

{
    "name": "isManager",
    "type": "static",
    "attributes": {
        "value": "$identity.managerStatus"
    }
}

4 Likes

^ What he said :joy:

Hey @Arshad,

You can use this to get the true/false value back in a transform:

{
    "name": "Identity is manager",
    "type": "static",
    "attributes": {
        "value": "$identity.getManagerStatus()"
    }
}
3 Likes

I imagined that this was blocked on the Static, but I guess we can query identity then.

1 Like

There is quite a bit you can do with the $identity context. I’ve written a doc on it here

Really anything in the sailpoint.object.Identity class is supported right now. You can look at the java docs here for those methods.

6 Likes

When I was looking for something I could use in Role criteria, I started from the search query “isManager:true” and found the $identity variable. It took a while, wish your documents would’ve come up in my investigation.

Thank you @tyler_mairose @kwhipple @ipobeidi for your responses, this helps.

I am using this same transform and in almost all cases it works, but I have a couple identities that were previously managers and now are not, and with this solution it is returning a false positive. Any notion on how the status is derived and how often it is updated?
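One way to audit for the stale values described in the last post before the attribute drives birthright role membership, as an added example that is not part of the original thread or SailPoint's own code. The record layout, field names (`id`, `manager_id`, `isManager`), the `inactive_ids` parameter and the sample data are assumptions constructed for illustration, not the ISC API schema.

```python
"""Added example: reconcile an 'isManager' identity attribute against actual
direct reports. Record layout and field names are assumptions, not ISC's schema."""

# Constructed sample export: one dict per identity.
SAMPLE_IDENTITIES = [
    {"id": "1001", "name": "alice", "manager_id": None,   "isManager": "true"},
    {"id": "1002", "name": "bob",   "manager_id": "1001", "isManager": "true"},   # former manager
    {"id": "1003", "name": "carol", "manager_id": "1001", "isManager": "false"},  # now has reports
    {"id": "1004", "name": "dave",  "manager_id": "1003", "isManager": "false"},
    {"id": "1005", "name": "erin",  "manager_id": "1003", "isManager": None},     # never calculated
]


def _as_bool(value):
    """Normalize the attribute: a transform yields a string, and it may be unset."""
    if value is None:
        return None
    return str(value).strip().lower() == "true"


def reconcile_manager_flag(identities, inactive_ids=frozenset()):
    """Return identity ids grouped as stale_true, missing_true or unset."""
    # Ids that at least one other identity names as its manager. Reports listed
    # in inactive_ids (hypothetical knob) are ignored when counting.
    has_reports = {
        i["manager_id"] for i in identities
        if i.get("manager_id") and i["id"] not in inactive_ids
    }
    findings = {"stale_true": [], "missing_true": [], "unset": []}
    for ident in identities:
        flag = _as_bool(ident.get("isManager"))
        actual = ident["id"] in has_reports
        if flag is None:
            findings["unset"].append(ident["id"])
        elif flag and not actual:
            findings["stale_true"].append(ident["id"])    # would keep the manager role
        elif actual and not flag:
            findings["missing_true"].append(ident["id"])  # would miss the manager role
    return findings


if __name__ == "__main__":
    for kind, ids in reconcile_manager_flag(SAMPLE_IDENTITIES).items():
        print(f"{kind}: {ids}")
```

Entries under `stale_true` are the ones to review first, since a role keyed on the attribute would stay assigned to someone who no longer manages anyone.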
