Update Identity Attribute based on Entitlement

Hello All,

I am posting to crowdsource a solution to a problem that I am having. A little background on me: I was thrown into engineering solutions for ISC with little experience on the platform. I am still trying to learn everything I can in the hour or two of free time I have outside of my normal duties. My experience lies in performing administrative functions on the platform and creating a few basic workflows.

Problem:

We use Entra ID as our directory, and within the directory we have an extension attribute that I will refer to as “extension_attribute_1” (ea1). This specific attribute is not available in the authoritative or secondary sources. The person that would review ea1 should be the end user's manager as well.

SailPoint has yet to be fully implemented as our IGA, and currently we rely on the requestor to inform the IAM team of the value of ea1. If we were to ingest this through a secondary source of some sort, this would still be a manual process where IAM and the end user work together and IAM maintains a flat file that is aggregated whenever a change is made (which is multiple times an hour).

As far as the environment, we have entitlements that have the following naming structure (for a different purpose): “Extension Attribute 1 - Name A”.

Thought:

Is there a way that ea1 and the manager attribute could be updated via a transform based on whether a user has been granted access to “Extension Attribute 1 - Name A”?

I am also looking to see if there is something I can do upstream, but business requirements may not be able to allow me to do this.

I was also thinking MAYBE there could be a rule created, but I have no idea of the scope of this.

Potentially this could be done via Transforms and Attribute Sync of Identity Attributes. It can get tricky, especially if someone is in multiple “Extension Attribute” groups.

Below is a transform that uses a combination of FirstValid, AccountAttribute, and table transforms. It checks to see if a particular group exists on the Entra account; if it does, then it would return the value you set for that particular group. If it doesn’t have the group, it checks for a secondary group. If neither of those groups are found, then the transform returns the static value at the end.

But since it is using FirstValid, the transform will stop checking groups as soon as a particular group is found. So you really need to define what group takes precedence and adjust the transform as needed.

Using #IF statements, you could check to see if multiple groups are present, but that is much more complex.

{
    "name": "Extension Attribute Check",
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "attributes": {
                    "input": {
                        "attributes": {
                            "values": [
                                {
                                    "attributes": {
                                        "attributeName": "objectId",
                                        "sourceName": "<Entra SourceName>",
                                        "accountReturnFirstLink": true,
                                        "accountPropertyFilter": "(groups.contains(\"Extension Attribute 1 - Name A\"))"
                                    },
                                    "type": "accountAttribute"
                                },
                                {
                                    "attributes": {
                                        "value": "No"
                                    },
                                    "type": "static"
                                }
                            ]
                        },
                        "type": "firstValid"
                    },
                    "table": {
                        "No": null,
                        "default": "<What you want to set the Attribute if in Extension Attribute 1 - Name A group>"
                    }
                },
                "type": "lookup"
            },
            {
                "attributes": {
                    "input": {
                        "attributes": {
                            "values": [
                                {
                                    "attributes": {
                                        "attributeName": "objectId",
                                        "sourceName": "<Entra SourceName>",
                                        "accountReturnFirstLink": true,
                                        "accountPropertyFilter": "(groups.contains(\"Extension Attribute 1 - Name B\"))"
                                    },
                                    "type": "accountAttribute"
                                },
                                {
                                    "attributes": {
                                        "value": "No"
                                    },
                                    "type": "static"
                                }
                            ]
                        },
                        "type": "firstValid"
                    },
                    "table": {
                        "No": null,
                        "default": "<What you want to set the Attribute if in Extension Attribute 1 - Name B group>"
                    }
                },
                "type": "lookup"
            },
            {
                "attributes": {
                    "value": "<What you want to set the Attribute if not in any of the Extension Attribute Groups>"
                },
                "type": "static"
            }
        ]
    }
}
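As an added example (not SailPoint's code and not the reply author's), a small Python evaluator that mimics the shape of the transform above against constructed accounts, so the precedence point about FirstValid can be checked before anything is deployed: the group names are the ones from the thread, while the account data, the "Value A"/"Value B"/"Unassigned" results and the evaluator itself are assumptions for illustration.

```python
# Constructed sample data: Entra objectId -> group display names on the account.
ACCOUNTS = {
    "user-a": ["Extension Attribute 1 - Name A", "Everyone"],
    "user-b": ["Extension Attribute 1 - Name B", "Everyone"],
    "user-ab": ["Extension Attribute 1 - Name B", "Extension Attribute 1 - Name A"],
    "user-none": ["Everyone"],
}

def evaluate(transform, object_id):
    """Evaluate static, firstValid, lookup and accountAttribute for one account."""
    kind, attrs = transform["type"], transform.get("attributes", {})
    if kind == "static":
        return attrs["value"]
    if kind == "firstValid":
        # First non-null child wins; later children are never evaluated.
        for child in attrs["values"]:
            result = evaluate(child, object_id)
            if result is not None:
                return result
        return None
    if kind == "accountAttribute":
        # Models accountPropertyFilter (groups.contains("X")): the attribute is
        # returned only when an account link matching the filter exists.
        wanted = attrs["accountPropertyFilter"].split('"')[1]
        return object_id if wanted in ACCOUNTS.get(object_id, []) else None
    if kind == "lookup":
        key, table = evaluate(attrs["input"], object_id), attrs["table"]
        return table[key] if key in table else table.get("default")
    raise ValueError(f"unsupported transform type: {kind}")

def group_branch(group_name, value_if_member):
    """One branch of the reply's transform: in group -> value, otherwise null."""
    probe = {"type": "accountAttribute", "attributes": {
        "attributeName": "objectId", "sourceName": "<Entra SourceName>",
        "accountReturnFirstLink": True,
        "accountPropertyFilter": f'(groups.contains("{group_name}"))'}}
    absent = {"type": "static", "attributes": {"value": "No"}}
    return {"type": "lookup", "attributes": {
        "input": {"type": "firstValid", "attributes": {"values": [probe, absent]}},
        "table": {"No": None, "default": value_if_member}}}

# Name A is listed first, so it takes precedence for users in both groups.
EA1_TRANSFORM = {"name": "Extension Attribute Check", "type": "firstValid",
                 "attributes": {"values": [
                     group_branch("Extension Attribute 1 - Name A", "Value A"),
                     group_branch("Extension Attribute 1 - Name B", "Value B"),
                     {"type": "static", "attributes": {"value": "Unassigned"}}]}}

def resolve_ea1(object_id):
    return evaluate(EA1_TRANSFORM, object_id)
```

Swapping the order of the two group_branch calls is all it takes to change which group wins for "user-ab", which is the precedence decision the reply says must be made explicitly.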
