Transforms using the "identity" Object

I built a Transform recently that references the $identity object. (See below for logic).

The transform is able to loop through the user’s “memberOf” values for our Active Directory Source, and display the values in a comma separated list using the following Code:

#foreach($link in $identity.getLinksByAppIdOrName(\"72c124f46eb946879e28a63acc8cf559\",null))#if($foreach.index + 1 != $identity.getLinks().size())$link.getAttribute(\"memberOf\")(),#else$link.getAttribute(\"memberOf\")#end#end

I have seen Posts that claim it is not possible to reference multi value attributes in a Transform, but using the method it looks like this is incorrect.

I do not see any documentation where SailPoint mentions that a Transform can access the “$identity” Object, and there are no examples like the ones shown below in official SailPoint Documentation. Community posts like the one below, however, show that this can be done.

My Questions are:

  1. “Should I be careful using this method to pull data from Multi Value Attributes? Is there any chance SailPoint will pull support for this type of Transform? I am concerned that I will start using this in several of my Transforms and SailPoint will later remove this functionality - seeing as it doesn’t seem to be documented anywhere.”
  2. Is there SailPoint documentation somewhere out there that I’m missing which describes how the “$identity” Object can be used in a transform?

Example Transform:

{
    "name": "P1EntitlementExists_Transform",
    "type": "static",
    "requiresPeriodicRefresh": true,
    "attributes": {
        "memOfList": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "value": "#foreach($link in $identity.getLinksByAppIdOrName(\"72c124f46eb946879e28a63acc8cf559\",null))#if($foreach.index + 1 != $identity.getLinks().size())$link.getAttribute(\"memberOf\")(),#else$link.getAttribute(\"memberOf\")#end#end"
                        },
                        "type": "static"
                    },
                    "None"
                ]
            },
            "type": "firstValid"
        },
        "hasprivad": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "sourceName": "Active Directory - Privileged Accounts",
                            "attributeName": "description"
                        },
                        "type": "accountAttribute"
                    },
                    "none"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($hasprivad == 'none')na#{elseif}($memOfList == '[CN=Domain Users,CN=Users,DC=COXINC,DC=com](),' && $hasprivad == 'Managed by SailPoint - PRIV')false#{elseif}($memOfList != '[CN=Domain Users,CN=Users,DC=COXINC,DC=com](),' && $hasprivad == 'Managed by SailPoint - PRIV')true#{else}none#end"
    },
    "internal": false
}

Hi Nick,

I understand your concern, but I don’t think the $identity object will be removed. I have seen this documentation under Transforms, but it is removed now.

Looking at your Transform, I believe your requirement is to check if a user has some P1 Group or not. If yes, then you can use the Transform below.

{
    "name": "Test Static Transform",
    "type": "static",
    "attributes": {
        "ADGroup": {
            "attributes": {
                "values": [
                    {
                        "type": "accountAttribute",
                        "attributes": {
                            "attributeName": "sAMAccountName",
                            "sourceName": "AD Source",
                            "accountPropertyFilter": "memberOf.contains(\"CN=Test Group-1,OU=Groups,DC=xyz,DC=com\")"
                        }
                    },
                    {
                        "attributes": {
                            "value": "none"
                        },
                        "type": "static"
                    }
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($ADGroup != 'none')Yes#{else}No#end"
    },
    "internal": false
}

Hey Krishna,

Yes, I am looking for a membership for that group - but the user must only have that one group assigned in this case. If any other AD entitlement is on the user record we would want to evaluate to “false.” I do not know of another way to check for membership to one and only one group in a transform.

Question: Is there a way to use the same “foreach” syntax in a transform and perform a count of how many items were iterated through during the “foreach?” I have a different use case for a transform where it would be good to know how many items are in the multi valued attribute.

Yes, Velocity has a foreach.index counter. See the last example before the Notes section:

i.e. You return the size or the index out from Velocity, out / up to the Transform layer for any additional processing you need.

Two layers of execution contexts are at play here:

  1. Transform layer
  2. Velocity layer inside a static Transform

The Transform layer already has an implicit identity…because you’re executing a transform that’s specified from an Identity Profile…so for the Transform to be called, you actually have an identity object to begin with.

The Velocity layer uses the $identity as it requires an explicit object.

While you’re inside the Velocity layer, multi-value can exist. It’s at the Transform layer that multi-value is collapsed into a single string value.
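
The "one and only one group" requirement and the count question raised in this thread can be checked offline against the two layers described above. The following Python model is an added example, not SailPoint code and not code from any poster; the function names, the Java-style list rendering in `collapse`, and the sample DNs are assumptions made for illustration.

```python
import re

# Constructed sample DNs; not taken from the thread.
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"
PRIV_ADMINS = "CN=Priv Admins,OU=Groups,DC=example,DC=com"


def as_list(member_of):
    """Velocity-layer view: None, one string, or a list all become a list."""
    if member_of is None:
        return []
    if isinstance(member_of, str):
        return [member_of]
    return list(member_of)


def collapse(member_of):
    """Transform-layer view (assumed Java-style rendering): one flat string."""
    return "[" + ", ".join(as_list(member_of)) + "]"


def normalize_dn(dn):
    """Case-fold a DN and trim spaces around unescaped RDN separators."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().casefold() for p in parts)


def group_count(member_of):
    """Number of distinct groups, counted before any collapsing."""
    return len({normalize_dn(dn) for dn in as_list(member_of)})


def only_member_of(member_of, required_dn):
    """True only when the account holds required_dn and nothing else."""
    held = {normalize_dn(dn) for dn in as_list(member_of)}
    return held == {normalize_dn(required_dn)}


def brittle_check(member_of, required_dn):
    """The string equality a collapsed value forces on the Transform layer."""
    return collapse(member_of) == "[" + required_dn + "]"
```

Because a DN contains commas itself, the collapsed string cannot be split back into groups reliably, so the exact-membership decision and the count belong on the list side, with only the final result returned as a string.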
