Unable to Fetch Identity reference Using Identity Attribute Rule

Hello All,

We are working with two identity sources: Employee Auth and Functional Auth. The Functional Auth source contains functional accounts that are actually owned by employees (but we are treating them as identities rather than as accounts of the employee).
A challenge we're facing is that the Functional Auth source does not include an email address for these functional identities. However, it does include an attribute called ownerUin, which represents the unique ID of the employee who owns the functional account.
This ownerUin value corresponds to the userLogin attribute in the Employee Auth source. The userLogin is effectively the username (or UID) for the employee's identity profile.
To populate the email address for the functional identity, we plan to:

  1. Retrieve the ownerUin from the functional identity.
  2. Search for an employee identity in the Employee Auth source where userLogin matches the ownerUin.
  3. If a match is found, extract the email address from the employee profile.
  4. Map this email address to the corresponding functional identity.

We have written an Identity Attribute Rule to meet this use case, but the rule does not seem to be working. Below is the rule logic. Please let me know if this use case can be achieved, and if yes, how. Can this be done using a Transform? What exactly is wrong in the rule below?

import sailpoint.rule.Identity;
import sailpoint.object.*;
import sailpoint.api.*;
import sailpoint.rule.IdnRuleUtil;
import java.util.*;
import sailpoint.rule.*;

String email = null;
String OwnerUIN = null;
log.error("identity attribute rule started");

OwnerUIN = identity.getAttribute("ownerUin");
log.error("OwnerUIN is:" + OwnerUIN);
if (OwnerUIN != null) {

    sailpoint.rule.Identity foundIdentity = idn.getIdentityById("OwnerUIN");
    if (foundIdentity != null) {
        log.error("identity found");
        Map attributesMap = foundIdentity.getAttributes();

        email = attributesMap.get("email");

        log.error("email from the IF loop is:" + email);
    }
    else {
        email = "NO Identity Found";
    }
}
else {
    email = "NO Email From Rule";
    log.error("email from else loop is:" + email);
}

return email;

You may want to consider this transform

I don’t think an out of the box transform is directly achievable here due to the nature of the lookup being an identity attribute and not the nativeIdentity of the other identity.

It seems you will likely need to use this method in your rule instead of the getIdentityById:
java.util.List<Identity> findIdentitiesBySearchableIdentityAttribute(java.lang.String attributeName, java.lang.String operation, java.lang.String value, java.lang.String sortAttribute)

To use this method, you must also mark the identity attribute as searchable.

Here is a sample of how to implement it:

import sailpoint.rule.Identity;
import sailpoint.object.*;
import sailpoint.api.*;
import sailpoint.rule.IdnRuleUtil;
import java.util.*;
import sailpoint.rule.*;

String email = null;
String OwnerUIN = null;
log.info("identity attribute rule started");

// identity.getAttribute returns Object; cast so the value can be passed as the search term.
OwnerUIN = (String) identity.getAttribute("ownerUin");
log.info("OwnerUIN is:" + OwnerUIN);

if (OwnerUIN != null) {
    // Search on the searchable identity attribute "userLogin" using the variable's value,
    // not the literal string "OwnerUIN" as in the original rule.
    // This returns a list, so if there are multiple found you will need to implement handling of which record to choose.
    List foundIdentities = idn.findIdentitiesBySearchableIdentityAttribute("userLogin", "Equals", OwnerUIN, "uid");

    if (foundIdentities == null || foundIdentities.size() < 1) {
        email = "NO Identity Found";
        return email;
    }

    // For simplicity, grab the first record found.
    Identity foundIdentity = (Identity) foundIdentities.get(0);
    if (foundIdentity != null) {
        log.info("identity found");

        email = foundIdentity.getStringAttribute("email");

        log.info("email from the IF loop is:" + email);
    } else {
        email = "NO Identity Found";
    }
} else {
    email = "NO Email From Rule";
    log.info("email from else loop is:" + email);
}

return email;
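The following is an added example, not code posted in this thread and not SailPoint's own sample. It implements the four-step lookup from the question with the searchable-attribute method from the answer above, but closes two gaps a production rule should care about: it never writes a sentinel string such as "NO Identity Found" into the email attribute (downstream notifications or provisioning would treat that as a real address), and it fails closed when more than one employee matches the login instead of silently picking the first. It assumes the rule-context variables IdentityNow provides (identity, idn, log), a searchable "userLogin" identity attribute, and that the lifecycle state attribute "cloudLifecycleState" carries the value "active" for current employees; the attribute names and the "active" value are placeholders to adjust to your identity profile.

```java
import sailpoint.rule.Identity;
import sailpoint.rule.IdnRuleUtil;
import java.util.List;

// Identity Attribute Rule: resolve the owning employee's email for a functional identity.
// Assumptions (not from the thread): "ownerUin" on the functional identity, a searchable
// "userLogin" on employees, and "cloudLifecycleState" == "active" marking current employees.

String ownerUin = (String) identity.getAttribute("ownerUin");
if (ownerUin == null || ownerUin.trim().isEmpty()) {
    // No owner recorded: leave the attribute empty rather than writing a placeholder string
    // that would later be treated as an email address.
    return null;
}
ownerUin = ownerUin.trim();

// Exact match on the searchable identity attribute. The value is passed as a search
// parameter, not concatenated into a query, so source data cannot alter the search.
List owners = idn.findIdentitiesBySearchableIdentityAttribute("userLogin", "Equals", ownerUin, "uid");
if (owners == null || owners.isEmpty()) {
    log.warn("ownerUin '" + ownerUin + "' on identity " + identity.getName() + " matches no employee identity");
    return null;
}

Identity owner = null;
if (owners.size() == 1) {
    owner = (Identity) owners.get(0);
} else {
    // More than one employee claims this login. Prefer the single active one; if that is
    // still ambiguous, assign nothing instead of an arbitrary mailbox.
    for (int i = 0; i < owners.size(); i++) {
        Identity candidate = (Identity) owners.get(i);
        if ("active".equalsIgnoreCase(candidate.getStringAttribute("cloudLifecycleState"))) {
            if (owner != null) {
                log.error("ownerUin '" + ownerUin + "' matches multiple active employees; not assigning an email");
                return null;
            }
            owner = candidate;
        }
    }
    if (owner == null) {
        log.error("ownerUin '" + ownerUin + "' matches " + owners.size() + " employees, none active; not assigning an email");
        return null;
    }
}

String email = owner.getStringAttribute("email");
if (email == null || email.trim().isEmpty()) {
    log.warn("owner " + owner.getId() + " has no email; functional identity " + identity.getName() + " left without one");
    return null;
}
return email.trim();
```

Two operational notes: an identity attribute rule runs for every identity on every refresh, so each functional identity costs one search call here, and the raw `List` with explicit casts is used deliberately because BeanShell does not reliably accept Java generics. Returning null on every failure path keeps the email attribute empty, which is the state an operator can alert on; a human-readable sentinel hides the failure inside what looks like data.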