Unable to use Identity attribute in LCS transform

sharvari · June 23, 2022, 11:55am

Hi,

I am trying to use value of an identity attribute to determine value in my LCS transform but I am unable to get the value, it always returns a reference to the attribute eg. {attributes=com.sailpoint.seaspray.transform.FirstValidTransform@725da6d4}.

My LCS transform code looks like :

{    
    "name": "Emp Lifecycle Status",
    "type": "static",
    "attributes": {        
        "isUserTermed": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "name": "isTermed"                            
                        },
                        "type": "identityAttribute"
                    },                    
                    {
                        "attributes": {
                            "value": "NONE"
                        },
                        "type": "static"
                    }
                ]
            }
        },
        "value": "#if($isUserTermed != 'NONE')inactive#{else}active#end"
    }
}

This always evaluates to active as isUserTermed is never found null(even though it is null for active users) but is a reference like {attributes=com.sailpoint.seaspray.transform.FirstValidTransform@725da6d4} for all users.

I have tried to use a different identity attribute eg uid also in place and found same behavior

If i replace the identity attribute block to use the corresponding account attributes calculation it works.

Are we unable to use identity attribute in LCS attribute calculation? or any other transforms?

tyler_mairose · June 23, 2022, 3:10pm

Hello @sharvari,

Your transform code is working for me when I change the isTermed attribute.name value to a valid value in my tenant.

Can you check that isTermed is the correct name of the identityAttribute and that it is mapped with a value?

See my Employees Identity Profile below. If I use lastname and it has a value the transform returns inactive as expected.

{
    "name": "Emp Lifecycle Status",
    "type": "static",
    "attributes": {
        "isUserTermed": {
            "type": "firstValid",
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "name": "lastname"
                        },
                        "type": "identityAttribute"
                    },
                    {
                        "attributes": {
                            "value": "NONE"
                        },
                        "type": "static"
                    }
                ]
            }
        },
        "value": "#if($isUserTermed!='NONE')inactive#{else}active#end"
    }
}

sharvari · June 23, 2022, 3:15pm

I have verified the attribute name and it is correct. Not sure why it’s not working for me.

Thanks for checking it.

tyler_mairose · June 23, 2022, 3:22pm

If that is the case I would submit a Support Ticket and they can look into your tenant and the error a little closer.

colin_mckibben · June 23, 2022, 5:43pm

You could try using a conditional transform instead of the static transform to evaluate if your isUserTermed is NONE or not.

chirag_patel · June 24, 2022, 3:54am

Sailpoint ideally does not recommend to use identity attribute in identity attribute transform. This is because the order of evaluation is not guaranteed when refresh happens. There is chance that LCS will get calculated first and then isTermed.

IF YOU HAVE ACCOUNT ATTRIBUTE WHICH YOU CAN USE THEN YOU SHOULD USE THAT ONLY.

Can you try Tyler’s transform in your org, I believe it should work because lastname is system identity attribute and not something we created so it might have different behaviour.

kannan_sb85 · June 27, 2022, 7:30am

@sharvari - You could use the below code, it should work.

{
    "name": "Emp Lifecycle Status",
    "type": "static",
    "attributes": {
        "isUserTermed": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "name": "isTermed"
                        },
                        "type": "identityAttribute"
                    },
                    "null"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($isUserTermed != \"null\")inactive#{else}active#end"
    }
}

Topic		Replies	Views
LCS Transform not calculating correct value ISC Discussion and Questions	3	1079	July 19, 2023
IdentityAttribute Transforms not updating when LCS manually set ISC Discussion and Questions transforms , identity-security-cloud	3	367	January 16, 2024
Manually Setting LCS with Transform References ISC Discussion and Questions transforms , identity-security-cloud	2	456	July 19, 2023
IdentityNow LCS Transform ISC Discussion and Questions	4	1966	July 19, 2023
Identity Attributes ISC Discussion and Questions transforms , identity-security-cloud	8	486	July 25, 2023

Unable to use Identity attribute in LCS transform

Related topics