Transform -- validating Identity is a assigned a role or an entitlement

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

I’m trying to use the below transform with no success. Any ideas on what I am doing wrong?

The roles contain entitlements to groups in AD that provision entra licenses. I’m trying an approach to confirm membership of the group or an assignment to one of the roles. I tried a startsWith on the memberOf logic but that wasn’t working, so I am testing the containsAll for the group dn. I have the containsAll working for a different solution, but don’t seem to be able to get it to work here.

The transform doesn’t have any errors, but for all users it is reporting False as the return value.

"attributes": {
        "requiresPeriodicRefresh": "true",
        "input": {
            "attributes": {
                "ignoreErrors": "true",
                "values": [
                    {
                        "attributes": {
                            "accountPropertyFilter": "(memberOf.containsAll(\"CN=O365_Licensing_Tier1,OU=Groups,OU=ExampleUsers,DC=example,DC=example,DC=org\"))",
                            "attributeName": "memberOf",
                            "sourceName": "Active Directory-Lab"
                        },
                        "type": "accountAttribute"
                    },
                    "$identity.isMemberOfRole(\"O365: Tier1 License\")",
                    "$identity.isMemberOfRole(\"O365: Tier2 License\")",
                    "$identity.isMemberOfRole(\"O365: Tier3 License\")",
                    "False"
                ]
            },
            "type": "firstValid"
        },
        "table": {
            "False": "False",
            "default": "True"
        }
    },
2

Hi @ts_fpatterson ,

Have you tried if contains() works ? Here it looks like containsAll() is always getting evaluated as “False” or none of the conditions are evaluated as “True” and hence the result is “False” for all users.

3

Hi @ts_fpatterson,

The transform that you shared is complete transform or it is part of some bigger transform.

Thanks

4

I don’t see the method isMemberOfRole in the sailpoint.object.Identity class that you’re referencing.
https://developer.sailpoint.com/rule-java-docs/sailpoint/object/Identity.html

Is the user member of the AD group? Or are they falling back to the roles that might not have a valid method?

5

Hi @ts_fpatterson,

Looking at your transform, you seem to be missing the curly braces inside the filter.

"accountPropertyFilter": "(memberOf.containsAll({\"CN=O365_Licensing_Tier1,OU=Groups,OU=ExampleUsers,DC=example,DC=example,DC=org\}"))"

Also, as suggested by @tysremi the isMemberOfRole doesn’t look like a valid method.

6

That was the full transform, outside of sharing the name of the transform, it’s id, etc.

7

I tried the curly braces, but the syntax looked off.

I went ahead with the $identity.getRoleAssignments() method.

8

thanks! I wasn’t aware of this documentation. I have built a transform that looks to be working using the $identity.getRoleAssignments()

I will publish an article on the transform I used.

9

I needed to grab the entitlements directly from AD. Below is the final logic that is working for me.

"type": "lookup",
    "attributes": {
        "requiresPeriodicRefresh": true,
        "input": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "accountPropertyFilter": "(memberOf.contains(\"O365_Licensing_Tier\"))",
                            "attributeName": "sAMAccountName",
                            "sourceName": "Active Directory-Dev"
                        },
                        "type": "accountAttribute"
                    },
                    "FALSE"
                ]
            }
        },
        "table": {
            "FALSE": "false",
            "default": "true"
        }
    },