TransformationRule and check provisioning Accounts

Dear community,

I have a question first to explain what does and when to use: Identity Mapping → Target Mappings

  1. TransformationRule
  2. provision Account → check to yes

An any example to apply to create a new rule here
for instance TargetMappings → application time tracking → atribute lastName

TransformationRule

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="IdentityAttributeTarget-APAC-AD-employeeNumber" type="IdentityAttributeTarget">
    <Source><![CDATA[
            import sailpoint.object.Identity;
            import sailpoint.tools.Util;

            //this is data from iiq db spt_identity
            String employeeId = identity.getAttribute("employeeId");
            String lastName = identity.getAttribute("lastName");
            String returnValue = null;
            //Search for two idenities with lastName=Davis or Miller
            //return the employeeId
            if (lastName.equals("Davis") || lastName.equals("Miller")) {
                returnValue = employeeId;
            } else {
                returnValue = "oldValue";
            }
            return returnValue;
        ]]></Source>
</Rule>

verify my rule is ok, and how I test this?

Target Mapping is used to synchronize the attributes from SailPoint to Target applications.

For example, Job title

Transformation Rule: As the name indicates, if you need to transform the value.
For example, if Job title is Senior Analyst but your target system would like to have the value as Sr. Analyst, then you need to write some script to change the value accordingly.

Another example is manager, we have manager Employee ID in SailPoint but Target Application like Active Directory needs manger distinguished name, so you need to get that value in the Rule.

Provision All Accounts: Incase if user has more than 1 account in your Target application, then SailPoint doesn’t know in which account it needs to update. So you select that checkbox, so that it will update in all the accounts under same target application for that user.

1 Like

Import this Rule in SailPoint and select the same in your Target Mapping under Transformation Rule dropdown.

Rule looks good, but logic doesn’t make any sense.

If user last name is Davis/Miller then last name will be updated to Employee ID if not then old value which will be user last name.

Run Refresh Identity cube Task with synchronize attributes option enabled, you will see provisioning requests in your Refresh Task result.

If user last name in SailPoint and last name in Target app (link/account) is same then there will be nothing to update, so request will be filtered. You don’t see any provisioning request in your Refresh Task result.

1 Like

Hey @fugitiva

Do you have any concerns or issues on this.

If you found answers for your queries, mark any response as a solution.

Thanks
Krish

Hi @MVKR7T sorry for the delay of my answer.

So I modified my rule, what i want to do is the as you mention
If user last name is Davis or Miller then status will be updated
if not then old value which will be user last name. (i change the varialbe to lastname)

so i would like to change the satus of those from A to I

How can i get the status to change to A?

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="IdentityAttributeTarget-APAC-AD-employeeNumber" type="IdentityAttributeTarget">
    <Source><![CDATA[
            import sailpoint.object.Identity;
            import sailpoint.tools.Util;

            String status = identity.getAttribute("status");
            String lastName = identity.getAttribute("lastName");
            String returnValue = null;
            if (lastName.equals("Davis") || lastName.equals("Miller")) {
                returnValue = status;

            } else {
                returnValue = lastName;
            }
            return returnValue;
        ]]></Source>
</Rule>

If user last name is David or Miller, we will mark status as I else A

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="IdentityAttributeTarget-APAC-AD-employeeNumber" type="IdentityAttributeTarget">
    <Source><![CDATA[
            import sailpoint.object.Identity;

            String lastName = identity.getAttribute("lastName");

            if (lastName.equals("Davis") || lastName.equals("Miller")) {
                return "I";
            } else {
                return "A";
            }
        ]]></Source>
</Rule>

For your learning, this is totally fine. But in real time, this use case doesn’t make any sense.

I will give a proper use case which we use in real time projects,

If user status becomes inactive, mark the status in Target apps for example your Time Tracking application.

Add the below rule in inactive attribute target mapping for status attribute in Time Tracking app.

To test this,

  • Make any user inactive through your HR application.
  • Run Refresh Task with synchronize attributes option enabled.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Status Target Mapping Rule" type="IdentityAttributeTarget">
    <Source><![CDATA[
            import sailpoint.object.Identity;

            boolean status = identity.isInactive(); //returns true if user is inactive

            if (status) {
                return "I";
            } else {
                return "A";
            }
        ]]></Source>
</Rule>
1 Like

@MVKR7T i follow up all your steps, thank you :slight_smile: for the time to explain to test the status, the only step missing was after update the hr .csv It must be run the aggregration of hr application to update the change from false to true, then run the refresh identiy cube, to update the status in the target mapping

Again thank you!

1 Like

Yes you should run HR aggregation, not sure how you are setting status of identity. I mean what is your source mapping for inactive attribute.

One common case is, if your HR source is a delimited file, add a status attribute. Pass Active/Inactive status.

Add source mapping for inactive attribute as Application Rule, script for the Rule is.

String status = link.getAttribute("status"); //status attribute name in your HR app
boolean flag = false;

if (status != null && status.equalsIgnoreCase("Inactive")) {
flag = true;
}

return flag;

When you mark status as Inactive for a user in your CSV, run aggregation, user gets inactive. Run Refresh task with synchronize attributes option.

Alternative is,
you can mark the user inactive through debug page, just add below entry in attributes map you find in the top along with your firstname, lastname. This is to mark your identity as inactive temporarily.
<entry key="inactive" value="true"/>

Run Refresh Task with Synchronize attributes option and don’t enable refresh identity attributes option.

This is just for quick testing purpose to save time.

Feel free to ask any concerns or issues, happy learning :slight_smile:

2 Likes

@MVKR7T i have a question about the rule because now im sending hard code

if (status) {
                return "I";
            } else {
                return "A";
            }

but how do i actually get the value row from the db? time tracking?

You don’t need to get value from DB here.

If user is active, we send A to DB

If user is inactive, it will be I.

If it is already A/I in DB, you send same value again then there will be no synchronization. It will be filtered.

1 Like

@MVKR7T
what is the difference to add or not add the rule in source mapping? because i tested with and withouth the rule and i get the same result, user get disable in hr application

String status = link.getAttribute("status"); //status attribute name in your HR app
boolean flag = false;

if (status != null && status.equalsIgnoreCase("Inactive")) {
flag = true;
}

return flag;

inactive is a boolean data type not a string.

So you have to return true/false for this attribute. We get data from HR application as String, so we need to use this Rule.

Without this Rule, do you see any user marked inactive as true ?

yes, becuase i change at the CSV to the user from false to true, then run the aggregation task so it that update the value

That depends on your configuration, if it is marking user inactive true/false then it is good.

  • We may not get the status as active/inactive always.
  • We might get status as active/terminated/disabled…etc
  • Sometimes, we may not have status attribute. We get startDate and endDate, based on that you need to calculate status.

This is where you use this Rule to transform the values.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.