Transform to filter accounts with entitlements in an source

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hi,

We’re creating a transform that should return the ID of an account if the account has entitlements in a specific source. We’re using an accountAttribute transform with the accountFilter attribute. Our problem is that it’s not working properly: it returns the ID if the account is present in the source, but it should only show the ID if the account has entitlements in that source. If the account exists in the source but has no entitlements, it should return FALSE. We’ve tried several types of syntax in the filter, but it still hasn’t worked.
This is our transform:

{
    
    "name": "transformName",
    "type": "static",
    "attributes": {
        "var": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "ID",
                            "accountFilter": "(entitlements == true)",
                            "sourceName": "sourceName"
                        },
                        "type": "accountAttribute"
                    },
                    "FALSE"
                ]
            },
            "type": "firstValid"
        },
        "value": "$var"
    },
    "internal": false
}
1 Like
2

Try this

{
    "name": "Test Group Static Transform",
    "type": "static",
    "attributes": {
        "ADGroup": {
            "attributes": {
                "values": [
                    {
                        "type": "accountAttribute",
                        "attributes": {
                            "attributeName": "sAMAccountName",
                            "sourceName": "AD",
                            "accountPropertyFilter": "memberOf.contains(\"CN=Test-Group,OU=Groups,DC=abcd,DC=com\")"
                        }
                    },
                    {
                        "attributes": {
                            "value": "none"
                        },
                        "type": "static"
                    }
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($ADGroup != 'none')Yes#{else}No#end"
    },
    "internal": false
}
1 Like
3

Thank you for your answer! But we’re not doing this for AD. Does this work outside AD?

4

Yes it should, try changing attribute name, source name and attribute in filter.

5

We’ve solved it by using an account attribute with a boolean value that indicates whether it has a specific permission. I think that should be enough for us.