You don’t need to write a static transform for this requirement; you can make use of OOTB transforms.
You don’t need to create an identity attribute for the password; you can pass a custom transform for the password attribute in your create provisioning policy form. Just use the attribute definition below for the password attribute in your AD create provisioning policy form.
If you would like to notify the user of the password, you can make use of Native Rules.
With a Connector After Create Rule, which triggers after the AD account is created, you can build a PowerShell script to generate the same password again and notify the user/manager through email/SMS.
The password is a secret, so it will be encrypted. In IDN we cannot decrypt it, which is why we need to regenerate the password. You can check this doc for more info.
https://community.sailpoint.com/t5/IdentityNow-Articles/Best-Practices-for-Provisioning-with-Passwords-in-IdentityNow/ta-p/75459
{
  "name": "password",
  "transform": {
    "attributes": {
      "values": [
        {
          "attributes": {
            "input": {
              "attributes": {
                "begin": 0,
                "end": 2,
                "input": {
                  "attributes": {
                    "sourceName": "HR Source",
                    "attributeName": "lastName"
                  },
                  "type": "accountAttribute"
                }
              },
              "type": "substring"
            }
          },
          "type": "upper"
        },
        {
          "attributes": {
            "name": "Cloud Services Deployment Utility",
            "operation": "getEndOfString",
            "numChars": "4",
            "input": {
              "attributes": {
                "sourceName": "HR Source",
                "attributeName": "employeeNumber"
              },
              "type": "accountAttribute"
            }
          },
          "type": "rule"
        },
        {
          "attributes": {
            "input": {
              "attributes": {
                "name": "Cloud Services Deployment Utility",
                "operation": "getEndOfString",
                "numChars": "2",
                "input": {
                  "attributes": {
                    "sourceName": "HR Source",
                    "attributeName": "firstName"
                  },
                  "type": "accountAttribute"
                }
              },
              "type": "rule"
            }
          },
          "type": "lower"
        }
      ]
    },
    "type": "concat"
  },
  "attributes": {
    "cloudRequired": "true"
  },
  "isRequired": false,
  "type": "secret",
  "isMultiValued": false
}
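
The derivation an After Create rule would have to repeat to arrive at the same value as the transform above, as an added example that is not part of the original post and is not SailPoint code. The function name, parameter names and sample values are hypothetical; how the rule reads the three attributes from the account request, and the choice to reject short inputs, are assumptions.

```powershell
# Added example: rebuilds the value produced by the "password" transform above.
# Get-InitialPassword and its parameters are hypothetical names for illustration.
function Get-InitialPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$EmployeeNumber
    )

    # Reject inputs too short for the slices the transform takes, rather than
    # guessing what the cloud-side transform returns for them (assumption).
    if ($LastName.Length -lt 2)       { throw "lastName needs at least 2 characters" }
    if ($EmployeeNumber.Length -lt 4) { throw "employeeNumber needs at least 4 characters" }
    if ($FirstName.Length -lt 2)      { throw "firstName needs at least 2 characters" }

    # values[0]: substring(begin 0, end 2) of lastName, then upper.
    # Invariant casing keeps the result independent of the Windows host's locale.
    $part1 = $LastName.Substring(0, 2).ToUpperInvariant()

    # values[1]: getEndOfString with numChars 4 on employeeNumber.
    $part2 = $EmployeeNumber.Substring($EmployeeNumber.Length - 4)

    # values[2]: getEndOfString with numChars 2 on firstName, then lower.
    $part3 = $FirstName.Substring($FirstName.Length - 2).ToLowerInvariant()

    # concat, in the order of the "values" array.
    return "$part1$part2$part3"
}

# Constructed sample values, not real data.
$password = Get-InitialPassword -FirstName 'Alice' -LastName 'Nguyen' -EmployeeNumber '1004271'

# Keep the value out of the rule's log output; wrap it before passing it to
# whatever notification step the rule uses.
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
```

If the transform in the provisioning policy changes (different slice lengths or order), this function has to change with it, since nothing links the two.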