Validating an entitlement in a transform

I have the group created in AD with the same name as below, and the sAMAccountName looks right for the group membership. But I can’t get it to return an “IN GROUP” response.

I have done an aggregation and I see the entitlement in IDN with the entitlement showing the individual.

When I look through the logs I don’t see anything with the group name.

The transform is:

    "id": "9520e777-78ad-4769-b8ac-76fa5302c616",
    "name": "fp-entitlementLookup2",
    "type": "static",
    "attributes": {
        "groupMember": {
            "attributes": {
                "ignoreErrors": "false",
                "values": [
                        "attributes": {
                            "sourceName": "Fred - AD",
                            "attributeName": "sAMAccountName",
                            "accountPropertyFilter": "(Groups.containsAll({\"Privileged Admins\"}))"
                        "type": "accountAttribute"
            "type": "firstValid"
        "value": "#if($groupMember == 'NONE')NOT IN GROUP#{else}IN GROUP#end"
    "internal": false

Hi @ts_fpatterson,

Try changing your filter as below :

"accountPropertyFilter": "(memberOf.containsAll({\"CN=Privileged Admins,OU=TST,DC=net\"}))"

use memberOf instead of Groups and use the full DN of the group.


Thank you!!

I had to also fix the case sensitivity on the DN.

It was interesting that the case sensitivity was needed in the transform for the group dn. Usually with LDAP it is case insensitive. However, it looks like the contains is after the LDAP request and not a result of an LDAP operation.