WebService Source - Create account documentation

I’m working on integrating one of our APIs as a source for IdentityNow using the WebService connector.

My current status is that I have already succeeded in importing accounts and entitlements, and I also created an access profile…

But now I’m looking for how to make IdentityNow create an account in my API when a new Identity is created, or when access is requested.

I’m following this link Integrating SailPoint with Web Services but it is missing some details and examples.

Now… One big question that I have is: if “IDN” tries to create a new account on the API and the ID from “IDN” already exists in the API, is it possible to retry with an alternative username? Example… the “IDN” ID is “user.example” and my API already has a “user.example” from another user… Can I retry the creation process with “user.example.001”?

Have you set up the “Create Account” Http Operation under Source Configuration? Once you have done this, you can modify the details being provisioned inside a BeforeOperation rule, but there is more to it than simply generating a new ID. You need to consider which attributes are marked as AccountID and AccountName in your Account Schema, then how the Correlation is configured, etc. If there is an account in your WS Source with an ID that matches an Identity in IDN, then you would want to correlate the same after Account Aggregation.

1 Like

Hi Nithesh!

I’m on this step right now! I started setting up the “Create Account”, but I got stuck on this doubt…

Do you know about any post or tutorial that shows how to create a Before Operation rule in detail?

My account schema looks like this: id, name, national_id, employee_id

“Account Id” is set to “id” and “Account name” to “name”. For the correlation we have not decided yet… but one way is to use national_id && employee_id instead of id…

So… this way I don’t need to worry about the ID being equal on both sides… For BeforeOperation my logic will be something like this:

Check if ID exists in WS Source API
---- false: continue create without any edit
---- true: check if national_id && employee_id are equal:
--------- true: just correlate account
--------- false: change id to suffixed version and create account

And in this “Create Account” operation… I need to pass to the WS API the national_id && employee_id, which are fields from the IDN Identity (imported from SAP). This will be possible, right?

While I was validating my logic I got a new doubt…

One new Identity was created on IDN… what is the operation that will be triggered for this WebService Source? Do I first need to import data again to try to correlate this IDN Identity to a WSSource Account? When I request access, how does IDN deal with this? Is it the “Create Account” operation that will be called, or does IDN try a “Get Object” first?
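
The decision tree from the post above, written out as an added Python example (not part of the thread, and not SailPoint rule code). The `Account` type, the in-memory `ACCOUNTS` lookup and the function names are hypothetical and the sample data is constructed; a missing `national_id` or `employee_id` never counts as a match, so an account is only linked when both keys are present and equal.

```python
# Added illustration; types, names and data below are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    id: str
    name: str
    national_id: Optional[str]
    employee_id: Optional[str]


def same_person(identity: Account, existing: Account) -> bool:
    """Both keys must be present and equal; a missing value never matches."""
    pairs = [(identity.national_id, existing.national_id),
             (identity.employee_id, existing.employee_id)]
    return all(bool(a and b and a.strip() == b.strip()) for a, b in pairs)


def decide(identity: Account, accounts: dict, max_suffix: int = 999):
    """Return (action, account_id); action is 'create' or 'correlate'."""
    existing = accounts.get(identity.id)
    if existing is None:
        return ("create", identity.id)        # ID is free: create unchanged
    if same_person(identity, existing):
        return ("correlate", existing.id)     # same person: link, do not create
    # ID belongs to someone else: try user.example.001, .002, ...
    for n in range(1, max_suffix + 1):
        candidate = f"{identity.id}.{n:03d}"
        other = accounts.get(candidate)
        if other is None:
            return ("create", candidate)
        if same_person(identity, other):
            return ("correlate", other.id)
    raise RuntimeError(f"no free ID for {identity.id}")


# Constructed sample data standing in for the target API's account list.
ACCOUNTS = {
    "user.example": Account("user.example", "User A", "111", "E1"),
    "user.example.001": Account("user.example.001", "User B", "222", "E2"),
}

if __name__ == "__main__":
    print(decide(Account("user.example", "User C", "333", "E3"), ACCOUNTS))
```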

Hi Leonard,
Any fields you will use for correlation, you need to make sure they are unique on both sides. Otherwise you will get unexpected results (most likely accounts will be uncorrelated). And correlation is an important part of Identity Management on multiple sources.

Under Source > Accounts Tab > Create Account, you can set all fields that need to be provisioned during Create Account Operation. Also, you may use Account Sync to configure the fields that are to be updated at target source when the values change in IDN.

Provisioning is a complex process and IDN checks many things before finalizing ProvisionPlan package. Usually the Provisioning process is triggered when you assign an entitlement from the target source to any user in IDN. Initially IDN will check if the user already has an account in target source (by means of correlated accounts) and if yes, then an Update operation is carried out. If no, then Create Account. It is always best to let IDN decide if there is an account already present at target source and decide the operation to be carried out. So in my opinion you should leverage the correlation process to link accounts by ID as well. This way you will never have a situation where there will be a different account at target source with the ID that exists in IDN.

If you really need to check if there exists an account with the ID, you can use the IdnRuleUtil.countIdentitiesBySearchableIdentityAttribute method after creating a searchable attribute.

Check below link for Web Services Before Operation Rule

Hi again…

Now I’m trying to trigger an account creation process from IDN… I took some screenshots of my Source configuration, and as you can see, the create account is still disabled, telling me that I don’t have any access profile for this source, but when I go check I have 2… How can I enable this?

Hi Leonardo,
Have you set up “Create Account” under Edit Configuration > Http Operations? This is where you provide details on how to configure your source API for creating an account in your Web system. Most likely, you will have a requestBody format here (either in XML or JSON format).

To set up “Criar Conta” you can refer to the following API

Then you can write a BeforeOperation rule where you can translate the data from “Criar Conta” to the requestBody of the Web service API.

Yeah… I have a Create Account http operation… but do I really need a BeforeOperation rule? All the logic that I mentioned above in the first posts I will do in my application… I just need to post the data to the API

[image]

As the requestBody seems straightforward you may not need the BeforeOperation rule as you may not have to add any custom data created during provisioning process.

However, you need the “Criar Conta” set up to feed data to the requestBody. This is where you will define the variables you have used in the requestBody (displayName, email, matricula etc)

Progress!!

But now… after working a little more… I think this isn’t what I want yet…

I have one Identity that exists in IDN… how will I trigger its creation in my API?? Do I need to request access for an entitlement?

Is there any doc that explains each usageType?

1 Like

Yes you can trigger a Create Account type Provisioning by Granting an Entitlement from the source to an Identity.

I have not seen any document that explains usageType, but the names are pretty self explanatory. Like CREATE is for Create Account, UPDATE is for Updating an account etc. You can refer to the Connector Guides to check which type is supported by a specific Source type.

Also, the attribute names in the requestBody of Http Operations > Create Account configuration ($plan.attributeName$) should match the attribute names under “Criar Conta” (nome).

1 Like
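
A way to check the name matching described in the last reply before triggering provisioning, as an added Python example (not from the thread and not a SailPoint tool). The request body and the “Criar Conta” attribute list are constructed samples, and the check assumes names are compared exactly, including case.

```python
# Added illustration; the body and attribute list are constructed samples.
import json
import re

# Matches the $plan.attributeName$ tokens used in the Create Account requestBody.
PLACEHOLDER = re.compile(r"\$plan\.([A-Za-z0-9_.-]+?)\$")


def placeholders(node):
    """Collect every $plan.<name>$ token from a (possibly nested) JSON body."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            found |= placeholders(key) | placeholders(value)
    elif isinstance(node, list):
        for item in node:
            found |= placeholders(item)
    elif isinstance(node, str):
        found |= set(PLACEHOLDER.findall(node))
    return found


def check_mapping(request_body: str, policy_attributes):
    """Compare body placeholders with the create-account attribute names."""
    used = placeholders(json.loads(request_body))
    defined = set(policy_attributes)
    return {
        "unresolved": sorted(used - defined),  # in the body, no such attribute
        "unused": sorted(defined - used),      # attribute defined, never sent
    }


# Constructed sample: "Nome" in the body does not match the attribute "nome".
REQUEST_BODY = """{
  "displayName": "$plan.displayName$",
  "email": "$plan.email$",
  "matricula": "$plan.matricula$",
  "contact": {"name": "$plan.Nome$"}
}"""
POLICY_ATTRIBUTES = ["displayName", "email", "matricula", "nome"]

if __name__ == "__main__":
    print(check_mapping(REQUEST_BODY, POLICY_ATTRIBUTES))
```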
