Validating an entitlement in a transform

I have the group created in AD with the same name as below, and the sAMAccountName looks right for the group membership. But I can’t get it to return an “IN GROUP” response.

I have done an aggregation and I see the entitlement in IDN with the entitlement showing the individual.

When I look through the logs I don’t see anything with the group name.

The transform is:

{
    "id": "9520e777-78ad-4769-b8ac-76fa5302c616",
    "name": "fp-entitlementLookup2",
    "type": "static",
    "attributes": {
        "groupMember": {
            "attributes": {
                "ignoreErrors": "false",
                "values": [
                    {
                        "attributes": {
                            "sourceName": "Fred - AD",
                            "attributeName": "sAMAccountName",
                            "accountPropertyFilter": "(Groups.containsAll({\"Privileged Admins\"}))"
                        },
                        "type": "accountAttribute"
                    },
                    "NONE"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($groupMember == 'NONE')NOT IN GROUP#{else}IN GROUP#end"
    },
    "internal": false
}

Hi @ts_fpatterson,

Try changing your filter as below :

"accountPropertyFilter": "(memberOf.containsAll({\"CN=Privileged Admins,OU=TST,DC=net\"}))"

use memberOf instead of Groups and use the full DN of the group.


Thank you!!

I had to also fix the case sensitivity on the DN.

It was interesting that the case sensitivity was needed in the transform for the group dn. Usually with LDAP it is case insensitive. However, it looks like the contains is after the LDAP request and not a result of an LDAP operation.
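To make the behaviour described in this thread concrete, here is a small Python model of how the firstValid / accountAttribute / accountPropertyFilter chain above behaves. This is an added illustration, not SailPoint's code: it assumes the filter is a plain, case-sensitive string comparison applied to the attributes already aggregated into the account (so the attribute name must be one the AD source actually exposes, and the DN must match exactly), which is what the replies in this thread observed. The account data is constructed.

```python
"""Model of the firstValid + accountPropertyFilter evaluation from the thread.

Added example, not SailPoint's implementation. Assumption: the filter is
evaluated as an exact string comparison over the already-aggregated account
attributes, after the LDAP read, which is why "Groups" never matched and why
the DN had to be case-correct.
"""

# Constructed sample: one aggregated AD account as a dict of attributes.
SAMPLE_ACCOUNT = {
    "sAMAccountName": "fpatterson",
    "memberOf": [
        "CN=Privileged Admins,OU=TST,DC=net",
        "CN=Domain Users,CN=Users,DC=net",
    ],
}


def contains_all(values, required, case_sensitive=True):
    """Mimic containsAll: every required entry must be present in the multi-valued attribute."""
    if case_sensitive:
        haystack = set(values)
        return all(r in haystack for r in required)
    folded = {v.casefold() for v in values}
    return all(r.casefold() in folded for r in required)


def account_attribute(account, attribute_name, filter_attr, required, case_sensitive=True):
    """Model of the accountAttribute transform with an accountPropertyFilter.

    Returns the requested attribute when the filter matches, otherwise None.
    An attribute the account does not carry (e.g. "Groups" on an AD source that
    exposes "memberOf") never matches, which is what the original transform hit.
    """
    values = account.get(filter_attr)
    if not values:
        return None
    if contains_all(values, required, case_sensitive):
        return account.get(attribute_name)
    return None


def first_valid(*candidates):
    """Model of firstValid: the first candidate that evaluated to a value wins."""
    for candidate in candidates:
        if candidate is not None:
            return candidate
    return None


def group_member_value(account, filter_attr, dn, case_sensitive=True):
    """The thread's groupMember branch: filtered accountAttribute, then the 'NONE' literal."""
    return first_valid(
        account_attribute(account, "sAMAccountName", filter_attr, [dn], case_sensitive),
        "NONE",
    )


def render(group_member):
    """The Velocity template from the transform, as plain Python."""
    return "NOT IN GROUP" if group_member == "NONE" else "IN GROUP"


if __name__ == "__main__":
    dn = "CN=Privileged Admins,OU=TST,DC=net"
    print(render(group_member_value(SAMPLE_ACCOUNT, "Groups", dn)))      # NOT IN GROUP
    print(render(group_member_value(SAMPLE_ACCOUNT, "memberOf", dn)))    # IN GROUP
    print(render(group_member_value(SAMPLE_ACCOUNT, "memberOf", dn.lower())))  # NOT IN GROUP
    print(render(group_member_value(SAMPLE_ACCOUNT, "memberOf", dn.lower(), case_sensitive=False)))  # IN GROUP
```

The third call is the case that bit the original poster: the account is in the group, but because the comparison is a string match rather than an LDAP matching rule, a DN that differs only in case falls through to the "NONE" literal.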

Can anyone point me to a reference that shows all the operations allowed in accountPropertyFilter? I found the Java Docs section but I admittedly don’t really know what I’m looking at.

I currently have something like this:

"attributes": {
    "accountPropertyFilter": "(roles.contains(\"PROD\")) || (roles.contains(\"DEV\"))",
    "attributeName": "email",
    "sourceName": "Snowflake Federal VA"
}

But what I REALLY want is this to say “If account has ANY roles in the source” because I have no guarantee someone will always follow the same naming convention of the role names. Can I use a wild card? Is there a notnull operator? If exists? I played around with it but without a solid reference I’m figuratively ‘peeing in the wind’. Thanks in advance!
-Kevin
