Transform to create unique email only if condition satisfies

Identity Security Cloud (ISC) ISC Discussion and Questions
1

I am trying to create unique email in create provisional policy only if user is full time employee. I tried below transform but it is not working. is it possible to use transform for this logic

{
  "attributes": {
    "expression": "$inactiveMail eq TRUE",
    "positiveCondition": "",
    "negativeCondition": "$mail",
    "inactiveMail": {
      "attributes": {
        "attributeName": "employmentStatus"
      },
      "type": "identityAttribute"
    },
    "mail": {
		"type": "usernameGenerator",
		"attributes": {
			"sourceCheck": true,
			"patterns": [
				"$(firstname).$(lastname)$(emailDomain)",
				"$(firstname).$(lastname)$(uniqueCounter)$(emailDomain)"
			],
			"firstname": {
				"type": "identityAttribute",
				"attributes": {
					"name": "firstname"
				}
			},
			"lastname": {
				"type": "identityAttribute",
				"attributes": {
					"name": "lastname"
				}
			},
			"emailDomain": {
				"type": "identityAttribute",
				"attributes": {
					"name": "emailDomain"
				}
			}
		}
    }
  },
  "type": "conditional"
}
2

Hi I could see couple of mistakes in your transform

  1. When you are getting employmentStatus you have to use “name” not attributeName in identityAttribute operation transform
  2. In the expression you are doing a check if employmentstatus is TRUE which means employee is full time. If it is true your transform retruns empty value as it goes to positive condition.
  3. In usernameGenerator you have use the syntax for uniqueCounter like this ${uniqueCounter}. So that is also not correct.

I have made those adjustments and created a new transform check if this works for you.

{
    "name": "mail",
    "transform": {
        "type": "conditional",
        "attributes": {
            "expression": "$userEmployeeStatus eq TRUE",
            "positiveCondition": "$generatedEmail",
            "negativeCondition": "$existingEmail",
            "userEmployeeStatus": {
                "attributes": {
                    "name": "employmentStatus"
                },
                "type": "identityAttribute"
            },
            /* Use existing email for full time employee if present else use blank */
            "existingEmail": {
                "type": "firstValid",
                "attributes": {
                    "values": [
                        {
                            "type": "identityAttribute",
                            "attributes": {
                                "name": "email"
                            }
                        },
                        {
                            "type": "static",
                            "attributes": {
                                "value": ""
                            }
                        }
                    ]
                }
            },
            /* Generate a unique email */
            "generatedEmail": {
                "type": "usernameGenerator",
                "attributes": {
                    "sourceCheck": true,
                    "patterns": [
                        "$fn.$ln$emailDomain",
                        "$fn.$ln${uniqueCounter}$emailDomain"
                    ],
                    "fn": {
                        "type": "lower",
                        "attributes": {
                            "input": {
                                "type": "identityAttribute",
                                "attributes": {
                                    "name": "firstname"
                                }
                            }
                        }
                    },
                    "ln": {
                        "type": "lower",
                        "attributes": {
                            "input": {
                                "type": "identityAttribute",
                                "attributes": {
                                    "name": "lastname"
                                }
                            }
                        }
                    },
                    "emailDomain": {
                        "type": "lower",
                        "attributes": {
                            "input": {
                                "type": "identityAttribute",
                                "attributes": {
                                    "name": "emailDomain"
                                }
                            }
                        }
                    }
                }
            }
        }
    },
    "attributes": {
        "cloudMaxSize": "100",
        "cloudMaxUniqueChecks": "25",
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
}

I have added some comments to understand better. remove them when you are testing.

For negativeCondition I have used firstValidTransform to get the existing email instead of returning blank. If that is the your use case you can return blank

Also use cloud* attribute that will allow to do a uniqueness retry

3

Thanks @udayputta for your response. I am getting uniqueness retry issue as follows:

trackingId: 22a525b3fc294e6d98ba20eef7b0ed3a java.lang.RuntimeException: sailpoint.tools.GeneralException: Unable to generate a unique value for 'unittest13@aaa.com', action UniqueAccountIdValidator[nativeIdentity=unit13.test13@bbb.com,app=Active Directory] is not retry-able due to ConnectorException: [ InvalidConfigurationException ] [ Error details ] Required string attribute 'User' is not defined.It must have a valid value.

Could you please elaborate more on how to use cloud* attribute that will allow to do a uniqueness retry.

4

hi Rahul,

In the tranform that I have shared is already using that attribute. For more information you can refer the below link and use the correct count for your scenario