Unable to generate incremental samAccountName in AttributeGenerator Rule

Unable to generate incremental samAccountName in AttributeGenerator Rule.
My goal is to concatenate u with a unique number starting with 900000, and it should increment every time.

The rule logic works fine, but when I am adding 4-5 users at a time, it gives an error:
Exception occurred while executing the RPCRequest: Errors returned from IQService. "The object already exists. The object already exists. 00000524: UpdErr: DSID-031A11F8, problem 6005 (ENTRY_EXISTS), data 0 00000524: UpdErr: DSID-031A11F8, problem 6005 (ENTRY_EXISTS), data 0 . HRESULT:[0x80071392] For identity

The solution provided in the previous posts is to “change the logic” and create a Random instead of incremental value. I want a solution to my problem.

Can you get us the Rule, so that we can have a look into this issue?

synchronized String generateSAMAccount() {
  // Start from a fixed seed and probe upward until the search finds no match
  int seqNumber = 900064;
  String val = "U" + seqNumber;
  int count = 0;

  List SOURCE_IDS = new ArrayList(Arrays.asList(new String[]{"**"}));
  String PROMOTED_ATTR_NAME = "sAMAccountName";
  String SEARCH_OP = "Equals";
  List SEARCH_VALUES = new ArrayList(Arrays.asList(new String[]{ val }));

  // Stop after 100 probes; the search only sees accounts that already exist
  while ( idn.attrSearchCountAccounts(SOURCE_IDS, PROMOTED_ATTR_NAME, SEARCH_OP, SEARCH_VALUES) > 0 && count < 100 ) {
    seqNumber++;
    count++;
    val = "U" + seqNumber;
    SEARCH_VALUES = new ArrayList(Arrays.asList(new String[]{ val }));
  }
  return val;
}

return generateSAMAccount();

Has this been configured as a search attribute? Can you share the JSON response from
{{baseUrl}}/beta/accounts/search-attribute-config?

Hello Sanjay,

You should use the idn.accountExistsByDisplayName() function, which needs 2 attributes: the first is the name of the application and the second is the name you are looking for. It is a boolean and returns true or false depending on whether the account name exists or not.
Please refer to the following link to see an example of using the function: Your First Rule | SailPoint Developer Community

Regards

Yes, I have configured it as a search attribute.
The rule is working correctly for 1 user.
But when I create 4-5 users, then this error comes.

Hi @sanjay-optiv,

Due to the multi-threaded processing of IDN, you cannot guarantee a unique ID or a sequential ID for all the users when you create multiple users at the same time.

The data should exist in the system first, for the uniqueness check to work. Due to the parallel processing, it becomes impossible for IDN to accurately check this.

Here is a similar thread:

You may want to look into other options instead of incremental account IDs or the suggestion put forward in the above thread.


The alternative is using an additional JDBC source with a backend database that provides table-level locking which can then generate a guaranteed unique value which can then be used in another source. - Can you please explain how we can achieve this?
How can we achieve this using JDBC?

Hi @sanjay-optiv,

I have not tried this, but it is about creating a dummy source which involves a SQL DB with a JDBC connector.

So you can make use of the table locking feature in the DB, that solves the concurrency issue as only one process can access the table at a time.

You will need to add the unique generator logic in the JDBC account creation provisioning rule.

Once the account is created in the JDBC source, it can act as a trigger (maybe with a role criteria) to create the actual source account that can reference the JDBC source’s unique account as its Account ID.

You will definitely want to test the efficiency of the process if it involves a large number of parallel processes.
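
Added illustration, not code from any post in this thread: the first worker reproduces the search-then-create race behind ENTRY_EXISTS, and the second allocates the value inside one locked transaction, as the JDBC suggestion describes. Python and SQLite stand in for the rule and for the JDBC source's database; the table names `seq` and `accounts`, the function names and the barrier that forces the overlap are assumptions made for the demonstration.

```python
import os, sqlite3, tempfile, threading

START = 900000  # first value of the sequence, as in the question

def init_db(path):
    con = sqlite3.connect(path)
    con.executescript(f"CREATE TABLE seq (next_val INTEGER NOT NULL); INSERT INTO seq VALUES ({START});"
                      "CREATE TABLE accounts (sam TEXT PRIMARY KEY);")  # accounts = target directory
    con.close()

def racy_create(path, barrier, out):
    """Search-then-create, as in the generator rule; the barrier makes all searches finish first."""
    con = sqlite3.connect(path, timeout=30, isolation_level=None)
    n = START
    while con.execute("SELECT 1 FROM accounts WHERE sam = ?", (f"U{n}",)).fetchone():
        n += 1
    barrier.wait()  # parallel provisioning: nobody has created an account yet
    try:
        con.execute("INSERT INTO accounts VALUES (?)", (f"U{n}",))
        out.append(f"U{n}")
    except sqlite3.IntegrityError:  # the analogue of ENTRY_EXISTS
        out.append("ENTRY_EXISTS")
    con.close()

def allocate_sam(path):
    """Read, increment and create inside one transaction that holds the write lock."""
    con = sqlite3.connect(path, timeout=30, isolation_level=None)
    try:
        con.execute("BEGIN IMMEDIATE")  # take the write lock before reading the counter
        (n,) = con.execute("SELECT next_val FROM seq").fetchone()
        con.execute("UPDATE seq SET next_val = next_val + 1")
        con.execute("INSERT INTO accounts VALUES (?)", (f"U{n}",))
        con.execute("COMMIT")
        return f"U{n}"
    finally:
        con.close()  # closing rolls back if COMMIT was not reached

def demo(n=5):
    d, racy, locked, barrier = tempfile.mkdtemp(), [], [], threading.Barrier(n)
    racy_db, locked_db = os.path.join(d, "racy.db"), os.path.join(d, "locked.db")
    for p in (racy_db, locked_db): init_db(p)
    for worker in (lambda: racy_create(racy_db, barrier, racy),
                   lambda: locked.append(allocate_sam(locked_db))):
        threads = [threading.Thread(target=worker) for _ in range(n)]
        for t in threads: t.start()
        for t in threads: t.join()
    return sorted(racy), sorted(locked)

if __name__ == "__main__": print(demo())
```

With five parallel workers the racy variant creates one account and reports four collisions, while the locked allocator hands out U900000 through U900004.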