Velocity transform equivalent to getEndOfString on AD password generation for new account

I want to write a default password with a given structure to ease HR's work during employee orientation. I have done this in a transform to an IDN attribute, but then I want to clear or remove it once the account is created. I would rather not have it as an IDN attribute in the first place.

I don't know how to do an end-of-string equivalent in Velocity script. For example, get the last 5 digits of the phone number, or get the first 4 characters of the last name and upper-case the first two characters, etc.

I have all of the needed variables available to call in the Velocity transform.

I have tried something like the below, but I keep receiving errors.

#set($ln = $sn.substring(0,2).toUpperCase())
#set($empNumber = $employeeNumber.substring($employeeNumber.length()-4))
#set($fn = $givenName.substring($givenName.length()-2).toLowerCase())
$ln$empNumber$fn

What version of the Velocity Engine is IDN using?

This Velocity script you mentioned, are you using it in a static transform?

How do you notify the user of the password you set at account creation?

As far as I know, not all Velocity script operations are supported.

We don't notify the user of their password; it is a structured password, so HR tells them on their start date. Not the best solution, but something until they have a better way to handle account claiming.

Yes, a static transform.

You don't need to write a static transform for this requirement; you can make use of OOTB transforms.

You don't need to create an identity attribute for the password; you can pass a custom transform for the password attribute in your create provisioning policy form. Just use the attribute definition below for the password attribute in your AD create provisioning policy form.

If you'd like to notify the user of the password, you can make use of Native Rules.

A Connector After Create Rule triggers after the AD account is created; in it you can build a PowerShell script to generate the same password again and notify the user/manager through email/SMS.

The password is a secret, so it is encrypted. In IDN we cannot decrypt it, which is why we need to regenerate the password. You can check this doc for more info.

https://community.sailpoint.com/t5/IdentityNow-Articles/Best-Practices-for-Provisioning-with-Passwords-in-IdentityNow/ta-p/75459

{
    "name": "password",
    "transform": {
        "attributes": {
            "values": [
                {
                    "attributes": {
                        "input": {
                            "attributes": {
                                "begin": 0,
                                "end": 2,
                                "input": {
                                    "attributes": {
                                        "sourceName": "HR Source",
                                        "attributeName": "lastName"
                                    },
                                    "type": "accountAttribute"
                                }
                            },
                            "type": "substring"
                        }
                    },
                    "type": "upper"
                },
                {
                    "attributes": {
                        "name": "Cloud Services Deployment Utility",
                        "operation": "getEndOfString",
                        "numChars": "4",
                        "input": {
                            "attributes": {
                                "sourceName": "HR Source",
                                "attributeName": "employeeNumber"
                            },
                            "type": "accountAttribute"
                        }
                    },
                    "type": "rule"
                },
                {
                    "attributes": {
                        "input": {
                            "attributes": {
                                "name": "Cloud Services Deployment Utility",
                                "operation": "getEndOfString",
                                "numChars": "2",
                                "input": {
                                    "attributes": {
                                        "sourceName": "HR Source",
                                        "attributeName": "firstName"
                                    },
                                    "type": "accountAttribute"
                                }
                            },
                            "type": "rule"
                        }
                    },
                    "type": "lower"
                }
            ]
        },
        "type": "concat"
    },
    "attributes": {
        "cloudRequired": "true"
    },
    "isRequired": false,
    "type": "secret",
    "isMultiValued": false
}

@ts_fpatterson,

From my testing, it seems like you can't do mathematical operations outside of setting a variable.

So when you do the $givenName.length()-2 in this block, it won't work.

$givenName.substring($givenName.length()-2).toLowerCase()

I had success first determining the substring input value and then using it later, like so:

#set($subLength = $givenName.length() - 2)$givenName.substring($subLength).toLowerCase()

So in theory to fix your velocity it would look like:

#set($ln = $sn.substring(0,2).toUpperCase())
#set($subLength = $employeeNumber.length() - 4)
#set($empNumber = $employeeNumber.substring($subLength))
#set($subLength = $givenName.length() - 2)
#set($fn = $givenName.substring($subLength).toLowerCase())
$ln$empNumber$fn
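The posted JSON transform and the corrected Velocity script above both compute the same value: the first two letters of the last name upper-cased, the last four characters of the employee number, and the last two letters of the first name lower-cased. The following Python evaluator is an added example, not SailPoint's code and not code from anyone in this thread. It rebuilds the posted transform tree as Python dicts and evaluates it offline against a constructed HR record, so you can see what a given employee will get before the provisioning policy runs. Two behaviours are assumptions that you should verify against a real tenant: that the substring transform follows Java String.substring (and errors on out-of-range indices, which is what the Velocity variant hits on short values), and that getEndOfString returns the whole input when it is shorter than numChars. Everything else (`evaluate`, `render_password`, `velocity_equivalent`, the sample record) is illustrative and not an IDN API.

```python
"""Offline evaluator for the structured-password transform discussed above.

Added example, not SailPoint code. PASSWORD_TRANSFORM is the same tree as the
JSON attribute definition posted in the thread, written as Python dicts. The
evaluator implements only the transform types that tree uses.

ASSUMPTIONS (verify against a real tenant):
  * substring follows Java String.substring and raises on out-of-range indices.
  * getEndOfString returns the whole input when it is shorter than numChars.
"""


def acct(attribute_name, source_name="HR Source"):
    """accountAttribute node, as used in the posted transform."""
    return {"type": "accountAttribute",
            "attributes": {"sourceName": source_name, "attributeName": attribute_name}}


def cs_rule(operation, num_chars, input_node):
    """rule node invoking the Cloud Services Deployment Utility generic rule."""
    return {"type": "rule",
            "attributes": {"name": "Cloud Services Deployment Utility",
                           "operation": operation, "numChars": str(num_chars),
                           "input": input_node}}


# Same structure as the "transform" object in the posted attribute definition.
PASSWORD_TRANSFORM = {"type": "concat", "attributes": {"values": [
    {"type": "upper", "attributes": {"input": {"type": "substring", "attributes": {
        "begin": 0, "end": 2, "input": acct("lastName")}}}},
    cs_rule("getEndOfString", 4, acct("employeeNumber")),
    {"type": "lower", "attributes": {"input": cs_rule("getEndOfString", 2, acct("firstName"))}},
]}}


def java_substring(s, begin, end=None):
    """Mirror Java String.substring: negative or over-long indices raise,
    which is exactly what the Velocity variant does on short inputs."""
    if end is None:
        end = len(s)
    if begin < 0 or end > len(s) or begin > end:
        raise IndexError(f"substring({begin}, {end}) out of range for {s!r}")
    return s[begin:end]


def get_end_of_string(s, num_chars):
    """ASSUMED semantics of getEndOfString: the last num_chars characters,
    or the whole string if it is shorter than that."""
    n = int(num_chars)
    return s if n >= len(s) else s[len(s) - n:]


def evaluate(node, accounts):
    """Evaluate a transform tree against {sourceName: {attributeName: value}}."""
    kind, attrs = node["type"], node.get("attributes", {})
    if kind == "accountAttribute":
        return accounts[attrs["sourceName"]][attrs["attributeName"]]
    if kind == "substring":
        s = evaluate(attrs["input"], accounts)
        return java_substring(s, attrs["begin"], attrs.get("end"))
    if kind == "upper":
        return evaluate(attrs["input"], accounts).upper()
    if kind == "lower":
        return evaluate(attrs["input"], accounts).lower()
    if kind == "concat":
        return "".join(evaluate(v, accounts) for v in attrs["values"])
    if kind == "rule":
        if (attrs.get("name") == "Cloud Services Deployment Utility"
                and attrs.get("operation") == "getEndOfString"):
            return get_end_of_string(evaluate(attrs["input"], accounts), attrs["numChars"])
        raise ValueError(f"unsupported rule: {attrs.get('name')}/{attrs.get('operation')}")
    raise ValueError(f"unsupported transform type: {kind}")


def render_password(accounts):
    """Value the posted JSON transform produces for the given account data."""
    return evaluate(PASSWORD_TRANSFORM, accounts)


def velocity_equivalent(sn, given_name, employee_number):
    """What the corrected Velocity in the thread computes, step for step.
    Unlike getEndOfString, it raises when a value is shorter than the cut."""
    ln = java_substring(sn, 0, 2).upper()
    emp_number = java_substring(employee_number, len(employee_number) - 4)
    fn = java_substring(given_name, len(given_name) - 2).lower()
    return ln + emp_number + fn


if __name__ == "__main__":
    # Constructed sample HR record, not from the page.
    hr = {"HR Source": {"lastName": "Patterson", "firstName": "Frank",
                        "employeeNumber": "1234567"}}
    print(render_password(hr))                                   # PA4567nk
    print(velocity_equivalent("Patterson", "Frank", "1234567"))  # PA4567nk
```

Run it with a three-character employee number to see the difference between the two approaches: the transform variant still produces a value (under the assumed getEndOfString behaviour), while the Velocity variant raises, because `$employeeNumber.length() - 4` goes negative and Java's substring rejects it. The determinism that lets an After Create rule regenerate this password is also what makes it computable by anyone who knows the name and employee number, so it should only ever serve as a first-login value with a forced change.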

Thanks Tyler!!

This got me in the right direction.
