Username Generator transform in Enable Provisioning Policy

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Hi all.

We have used the Username Generator transform in our CREATE provisioning policy and it works fine for the following logic:

 {
  "name": "distinguishedName",
  "transform": {
      "type": "usernameGenerator",
      "attributes": {
          "sourceCheck": true,
          "patterns": [
              "CN=$cn,$ouPath",
              "CN=$cn${uniqueCounter},$ouPath"
          ],
          "cn": {
              // get the CN value
          },
          "ouPath": {
              // get the OU path
          }
      }
  },
  "attributes": {
      "cloudMaxUniqueChecks": "50",
      "cloudMaxSize": "255",
      "cloudRequired": "true"
  },
  "isRequired": false,
  "type": "string",
  "isMultiValued": false
}

However, in our use case, when we are enabling the account, we want the CN value to be a new unique value, for example,
CN=John Doe → CN=John Doe1

and since username generator can only be used on accountID, i.e., distinguishedName, what we have tried to do is still placing the same JSON object for distinguishedName attribute in the ENABLE provisioning policy and below this attribute, we have added:

 {
    "name": "AC_NewName",
    "transform": {
        "type": "split",
        "attributes": {
            "delimiter": ",",
            "index": 0,
            "input": {
                "attributes": {
                    "value": "$distinguishedName"
                },
                "type": "static"
            }
        }
    },
    "attributes": {},
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
  },

However, with this configuration, we can see that the CN value is not updated to the expected new value.

Appreciate any input and advice on this!

2

What is the value of new DN? Is it the same

3

Yes. The new DN value in the attribute request is still the same as the old one.

4

Hi @sjoyee,

I think you should consider creating an Enable Provisioning Policy through this API. This will have the similar content as Create Account Policy but this new policy will be used for Enable operation.

5

This provisioning policy won’t be visible in UI and has to be maintained/updated using API only.

6

Vs code plugin also can be used to manage policies

7

Hi @atarodia, thanks for the input! However, we have already created the Enable Provisioning Policy just like Create Provisioning Policy, where the following JSON specified is actually already in the Enable provisioning policy, but not working.

8

Instead of using this transform, we have decided to attach Attribute Generator cloud rule in the ENABLE provisioning policy for generating new unique distinguishedName value and it works.

Thanks all for the input.

1 Like