I’m trying to use the below transform with no success. Any ideas on what I am doing wrong?
The roles contain entitlements to groups in AD that provision Entra licenses. I’m trying an approach to confirm membership of the group or an assignment to one of the roles. I tried a startsWith on the memberOf logic but that wasn’t working, so I am testing the containsAll for the group DN. I have the containsAll working for a different solution, but don’t seem to be able to get it to work here.
The transform doesn’t have any errors, but for all users it is reporting False as the return value.
"attributes": {
    "requiresPeriodicRefresh": "true",
    "input": {
        "attributes": {
            "ignoreErrors": "true",
            "values": [
                {
                    "attributes": {
                        "accountPropertyFilter": "(memberOf.containsAll(\"CN=O365_Licensing_Tier1,OU=Groups,OU=ExampleUsers,DC=example,DC=example,DC=org\"))",
                        "attributeName": "memberOf",
                        "sourceName": "Active Directory-Lab"
                    },
                    "type": "accountAttribute"
                },
                "$identity.isMemberOfRole(\"O365: Tier1 License\")",
                "$identity.isMemberOfRole(\"O365: Tier2 License\")",
                "$identity.isMemberOfRole(\"O365: Tier3 License\")",
                "False"
            ]
        },
        "type": "firstValid"
    },
    "table": {
        "False": "False",
        "default": "True"
    }
},
shaileeM
(Shailee Mehta)
August 21, 2024, 2:24am
2
Hi @ts_fpatterson ,
Have you tried if contains() works? Here it looks like containsAll() is always getting evaluated as “False”, or none of the conditions are evaluated as “True”, and hence the result is “False” for all users.
1 Like
ashutosh08
(Ashutosh Singh)
August 21, 2024, 4:57am
3
Hi @ts_fpatterson ,
Is the transform that you shared the complete transform, or is it part of some bigger transform?
Thanks
tysremi
(Remi Tys)
August 21, 2024, 6:48am
4
I don’t see the method isMemberOfRole in the sailpoint.object.Identity class that you’re referencing.
https://developer.sailpoint.com/rule-java-docs/sailpoint/object/Identity.html
Is the user a member of the AD group? Or are they falling back to the roles that might not have a valid method?
1 Like
jesvin90
(Jesvin Joseph)
August 21, 2024, 8:03am
5
Hi @ts_fpatterson ,
Looking at your transform, you seem to be missing the curly braces inside the filter.
"accountPropertyFilter": "(memberOf.containsAll({\"CN=O365_Licensing_Tier1,OU=Groups,OU=ExampleUsers,DC=example,DC=example,DC=org\"}))"
Also, as suggested by @tysremi, the isMemberOfRole doesn’t look like a valid method.
1 Like
That was the full transform, outside of sharing the name of the transform, its ID, etc.
I tried the curly braces, but the syntax looked off.
I went ahead with the $identity.getRoleAssignments() method.
Thanks! I wasn’t aware of this documentation. I have built a transform that looks to be working using the $identity.getRoleAssignments() method.
I will publish an article on the transform I used.
2 Likes
I needed to grab the entitlements directly from AD. Below is the final logic that is working for me.
"type": "lookup",
"attributes": {
    "requiresPeriodicRefresh": true,
    "input": {
        "type": "firstValid",
        "attributes": {
            "values": [
                {
                    "attributes": {
                        "accountPropertyFilter": "(memberOf.contains(\"O365_Licensing_Tier\"))",
                        "attributeName": "sAMAccountName",
                        "sourceName": "Active Directory-Dev"
                    },
                    "type": "accountAttribute"
                },
                "FALSE"
            ]
        }
    },
    "table": {
        "FALSE": "false",
        "default": "true"
    }
},
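An added example, not part of the thread and not SailPoint code: a simplified Python model of the final lookup / firstValid / accountAttribute chain above, run over constructed accounts to check which identities come out "true". It assumes contains behaves as a substring test on each memberOf DN, that firstValid returns the first non-empty value, and that lookup falls back to "default"; the function names and sample accounts are hypothetical.

```python
FILTER_TEXT = "O365_Licensing_Tier"            # substring used in the thread's filter
SOURCE = "Active Directory-Dev"                # sourceName from the thread
TABLE = {"FALSE": "false", "default": "true"}  # lookup table from the thread

def account_attribute(accounts, source, attribute, filter_text):
    # Assumption: the filter is a case-sensitive substring test on each group DN.
    # Returns the attribute of the first matching account, or None if none match.
    for a in accounts:
        if a["source"] == source and any(filter_text in dn for dn in a["memberOf"]):
            return a.get(attribute)
    return None

def first_valid(values):
    # Assumption: firstValid yields the first value that is not null or empty.
    return next((v for v in values if v not in (None, "")), None)

def lookup(value, table):
    # Assumption: lookup returns the exact-match entry, else the "default" entry.
    return table.get(value, table["default"])

def has_license_group(accounts):
    found = account_attribute(accounts, SOURCE, "sAMAccountName", FILTER_TEXT)
    return lookup(first_valid([found, "FALSE"]), TABLE)

# Constructed sample data; the OU/DC suffix mirrors the example DN in the thread.
BASE = "OU=Groups,OU=ExampleUsers,DC=example,DC=example,DC=org"

def acct(sam, cn, source=SOURCE):
    return [{"source": source, "sAMAccountName": sam, "memberOf": [f"CN={cn},{BASE}"]}]

SAMPLES = {
    "tier1_member": acct("alice", "O365_Licensing_Tier1"),
    "no_license": acct("bob", "VPN_Users"),
    "other_source": acct("carol", "O365_Licensing_Tier1", source="HR"),
    # Edge case: an unrelated group that shares the name prefix also matches.
    "prefix_clash": acct("dave", "O365_Licensing_Tier_Exempt"),
    # Edge case: an account name equal to the fallback literal maps to "false".
    "name_clash": acct("FALSE", "O365_Licensing_Tier2"),
}

if __name__ == "__main__":
    for name, accounts in SAMPLES.items():
        print(f"{name:13} -> {has_license_group(accounts)}")
```

Under these assumptions the substring filter matches any group whose DN contains O365_Licensing_Tier, so group naming in that OU decides who is reported as licensed.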