Transform to return NULL

Does anyone know of a way to have a transform return NULL vs “empty string”?

The specific use case is a calculation of an identity attribute that needs to be set to NULL in certain conditions. Similar to reading a NULL, or empty string, from a source where the identity attribute doesn’t show at all on the identity page. Currently with the transform returning an empty string, the identity attribute shows but with an empty string (i.e. no value) and this is causing confusion.

Could you use a conditional to return null?

Maybe something like this:

{
  "attributes": {
    "expression": "foo eq bar",
    "positiveCondition": foo,
    "negativeCondition": null
  },
  "type": "conditional",
  "name": "Conditional Transform"
}

Tried that, but it didn’t seem to work. Examples and results shown below for reference:

{
    "id": "990b8c62-967b-4b4a-8e88-60b376bc88f6",
    "name": "Identity_MiddleNameNewTest",
    "type": "conditional",
    "attributes": {
        "expression": "foo eq foo",
        "positiveCondition": "foo",
        "negativeCondition": "bar"
    },
    "internal": false
}

Result: foo

{
    "id": "990b8c62-967b-4b4a-8e88-60b376bc88f6",
    "name": "Identity_MiddleNameNewTest",
    "type": "conditional",
    "attributes": {
        "expression": "foo eq foo1",
        "positiveCondition": "foo",
        "negativeCondition": "bar"
    },
    "internal": false
}

Result: bar

{
    "id": "990b8c62-967b-4b4a-8e88-60b376bc88f6",
    "name": "Identity_MiddleNameNewTest",
    "type": "conditional",
    "attributes": {
        "expression": "foo eq foo",
        "positiveCondition": null,
        "negativeCondition": "bar"
    },
    "internal": false
}

Result: trackingId: b1ed626f37064385850b931bbe1986c5 sailpoint.api.AttributePromotionException: Applying transform[reference] to attribute[middleNameNew] failed

{
    "id": "990b8c62-967b-4b4a-8e88-60b376bc88f6",
    "name": "Identity_MiddleNameNewTest",
    "type": "conditional",
    "attributes": {
        "expression": "foo eq foo",
        "positiveCondition": "",
        "negativeCondition": "bar"
    },
    "internal": false
}

Result: trackingId: 4a27b14521264e7eb7821a47ff93d704 sailpoint.api.AttributePromotionException: Applying transform[reference] to attribute[middleNameNew] failed

Ok, so maybe the conditional operator does some null checking to make sure nulls aren’t aggregated. The next option would be to use the static transform with some velocity scripting. Something like this.

{
  "attributes": {
    "workerType": {
      "attributes": {
        "sourceName": "HR Source",
        "attributeName": "empType"
      },
      "type": "accountAttribute"
    },
    "value": "#set ($foo = null)#if($workerType=='Employee')Full-Time#{else}$foo#end"
  },
  "type": "static",
  "name": "Static Transform"
}

If a transform happens to return null, then it throws an Exception…

{
    "id": "a410048e-XXXXXXXXXXXX-169cafd41864",
    "name": "Test Transform",
    "type": "static",
    "attributes": {
        "value": "#set($foo = null)$foo"
    },
    "internal": false
}

1 Like

Hi

You can use first value Tranform along with static transform

Example:

{
    "name": "Testing",
    "type": "static",
    "attributes": {
        "workerType": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "empType",
                            "sourceName": "HR Source"
                        },
                        "type": "accountAttribute"
                    },
                    {
                        "attributes": {
                            "value": "NULL"
                        },
                        "type": "static"
                    }
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($workerType=='Employee')Full-Time#{else}NULL#end"
    },
    "internal": false
}

This definitely returns the STRING VALUE of “NULL”, but not the desired NULL value that is desired.

I am having this same issue. Transforms don’t seem to like returning blank values.

Hey @edmarks,

One solution as another mentioned is to use a STRING null rather than an empty string. That way, attributes with empty values are not displayed in the Identity Details page and at least say something like “NULL,” “EMPTY,” “N/A,” or whatever else you may see fit. However, to prevent the attribute from being displayed altogether, see the solution suggestion below.

The Solution

If you want the attribute to not appear at all for identities that do not have a value in there, you can use the firstValid transform to accomplish this. An example is below:

{
    "name": "FirstValid_Null_Test",
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "attributes": {
                    "attributeName": "Special Identifier",
                    "sourceName": "DLT HR Feed"
                },
                "type": "accountAttribute"
            },
            null
        ]
    }
}

This is a simple firstValid transform that may need to be adjusted to fit your needs, but you can combine this with whatever transforms you would like to accomplish this. As you can see in the screenshots below, the first user (Billy Goose) has a Special Identifier, which is shown in his Identity Details. However, the second user (Claire Williams) does not have this Special Identifier, which results in the null value being selected in the firstValid transform; because this is a true null value, the attribute is not displayed in Claire’s Identity Details.

Billy Goose (Special Identifier displayed)

Claire Williams (no Special Identifier)

Additional Feedback

Unfortunately, using the static transform and setting a variable as null will not work. Identity Security Cloud will render template errors upon null reference exceptions, and as far as I know, static cannot bypass this.

2 Likes

This helps clarify there isn’t a solution if using the static transform as we’re doing in this case.

Hey @edmarks,

Let me expand on this, because the solution I suggested may still work for you but would require some adjustment. You can use this firstValid transform workaround in tandem with the static transform. As you can see in my previous solution, I employed the use of only the firstValid transform, however, in my solution below, you can see the use of both.

Solution

{
    "name": "FirstValid_Static_Null_Test",
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "attributes": {
                    "calculatedValue": {
                        "attributes": {
                            "values": [
                                {
                                    "attributes": {
                                        "attributeName": "Special Identifier",
                                        "sourceName": "DLT HR Feed"
                                    },
                                    "type": "accountAttribute"
                                },
                                "null string"
                            ]
                        },
                        "type": "firstValid"
                    },
                    "null": null,
                    "value": "#if($calculatedValue!='null string')$calculatedValue#{else}$null#end"
                },
                "type": "static"
            },
            null
        ]
    }
}

Explanation

What I did here is I simply took the firstValid transform I wrote in my previous solution and nested it in a static transform. This allows for the use of the static transform conditional logic and statements to be used, but in case of a null value, we return a true null. Initially, this would throw an error since the static transform will not appreciate the null reference exception. However, that static transform is also nested within another firstValid transform, which recognizes the error and determines the value is invalid, so it proceeds to the next valid value, which we identify as a true null value. This is then accepted by the transform and is placed in the identity attribute.

Summary

With this, we accomplish the following:

  • Conditional logic can be used with the static transform to determine the exact value we want
  • For Identities with valid values in this attribute, the identity attribute will be displayed in their Identity Details page
  • For Identities without valid values in this attribute, the identity attribute will be determined to be a true null, resulting in the identity attribute not being displayed at all in the Identity Details page.

Does this help clarify, and does this solution work for you?

4 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.