Problem
There was a requirement to write back the user's SamAccountName to NERM after AD provisioning. The OOTB connector currently has no write-back functionality, so another approach had to be used.
Diagnosis
The OOTB NERM connector cannot perform a write-back using attribute sync. Hence, a PowerShell script was used, which is called from the "ADAfterCreate" connector rule.
Solution
The sample code for the write-back is as follows.
# ===============================
# Input Parameters
# ===============================
param(
# sAMAccountName of the newly created AD account; the value written back to NERM
[string]$samAccountName,
#[string]$emailAddress,
# NERM profile id; used as the last path segment of the PATCH URL (/api/profiles/<id>)
[string]$nermID
)
# ===============================
# Function: Write-Log
# ===============================
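function Write-Log {
    <#
    .SYNOPSIS
    Appends a timestamped entry to the daily NERM write-back log file.
    .PARAMETER Message
    Text to record. Everything passed here lands on disk in clear text, so
    callers must not pass secrets (tokens, passwords) in the message.
    .PARAMETER Level
    Severity tag written in square brackets; one of INFO, ERROR, WARN. Defaults to INFO.
    .PARAMETER LogDirectory
    Folder holding the log files; created on first use. Defaults to the path
    that was previously hard-coded, so existing callers behave as before.
    #>
    param(
        [string]$Message,
        [ValidateSet("INFO", "ERROR", "WARN")]
        [string]$Level = "INFO",
        [string]$LogDirectory = "D:\Workspace\Scripts\Logs\"
    )
    # One file per calendar day: NERM_WriteBack_YYYYMMDD.log
    $dateSuffix = (Get-Date).ToString("yyyyMMdd")
    $logFile = Join-Path -Path $LogDirectory -ChildPath "NERM_WriteBack_$dateSuffix.log"
    # Create the directory if missing; Out-Null keeps New-Item's output off the pipeline
    if (-not (Test-Path -Path $LogDirectory)) {
        New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
    }
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Add-Content -Path $logFile -Value "$timestamp [$Level] - $Message"
}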
# Mark the start of the run and of the input validation phase in the log
foreach ($startMarker in @("NERM - WRITE BACK OF SAMAccountName :: STARTS", "NULL CHECKS FOR INPUT PARAMETER - STARTS")) {
    Write-Log -Message $startMarker
}
# ===============================
# Null/Empty Checks for Inputs
# ===============================
# Reject missing inputs and the literal string "null" (what the connector passes for an unset attribute).
# The email check was removed from scope; the parameter is left commented out above.
$requiredInputs = @(
    @{ Name = 'samAccountName'; Value = $samAccountName },
    @{ Name = 'nermID';         Value = $nermID }
)
foreach ($required in $requiredInputs) {
    $isMissing = [string]::IsNullOrWhiteSpace($required.Value) -or $required.Value -eq "null"
    if ($isMissing) {
        Write-Log -Message "Input parameter '$($required.Name)' is null/empty or invalid. Exiting script." -Level ERROR
        throw "Input Error: $($required.Name) cannot be null, empty, or 'null'."
    }
}
Write-Log -Message "NULL CHECKS FOR INPUT PARAMETER - ENDS" -Level INFO
# ===============================
# Variables
# ===============================
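Write-Log -Message "Token and URL initialization - STARTS" -Level INFO
# The bearer token is read from configs\NERM_TOKEN.config next to this script,
# from a line of the form "token=<value>".
$configPath = Join-Path -Path $PSScriptRoot -ChildPath "configs\NERM_TOKEN.config"
if (!(Test-Path -Path $configPath)) {
    Write-Log -Message "Config file not found at $configPath. Exiting." -Level ERROR
    throw "Config file missing: $configPath"
}
# Keep only the first token= line: with several matches the variable would be an
# array, and -match on an array filters it instead of populating $matches.
$configContent = Get-Content $configPath | Where-Object { $_ -match "^token=" } | Select-Object -First 1
if ($configContent -match "^token=(.+)$") {
    $token = $matches[1].Trim()
    Write-Log -Message "Token loaded from config file." -Level INFO
} else {
    Write-Log -Message "Token not found in config file. Exiting." -Level ERROR
    throw "Token not found in config file: $configPath"
}
# Do not write the bearer token itself to the log file (it is plain text on disk).
# Logging its length is enough to spot an empty or truncated value.
Write-Log -Message "Token loaded for NERM connection (length: $($token.Length))." -Level INFO
# nermID is caller-supplied and becomes a URL path segment; escape it so that
# characters such as '/' or '?' cannot change which endpoint is addressed.
$url = "https://test-nerm-tenant.nonemployee.com/api/profiles/$([uri]::EscapeDataString($nermID))"
Write-Log -Message "The Final NERM URL is :: $url" -Level INFO
Write-Log -Message "Token and URL initialization - ENDS" -Level INFO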
# Note the account being processed (trailing space in the message is intentional, kept as-is)
$startMessage = "Starting script for samAccountName: $samAccountName "
Write-Log $startMessage
#$emailAddress = Get-ADUserEmailWithRetry -samAccountName $samAccountName
#if ($null -eq $emailAddress) {
# Write-Log -Message "Terminating script: Email address not found for $samAccountName" -Level ERROR
# throw "Email address not found for user: $samAccountName"
#}
#Write-Log -Message "Starting script for emailAddress extracted from Domain Controller : $emailAddress" -Level INFO
# ===============================
# JSON Payload
# ===============================
# PATCH payload: { "profile": { "attributes": { "nerm_samaccountname": "<sam>" } } }
# (nerm_email_address was dropped together with the email parameter)
$attributes = @{ nerm_samaccountname = $samAccountName }
$profile = @{ attributes = $attributes }
$body = @{ profile = $profile } | ConvertTo-Json -Depth 3
Write-Log -Message "Constructed JSON Body: $body" -Level INFO
# ===============================
# Headers
# ===============================
# Request headers; the token goes in the Authorization header, never in the URL
$headers = @{}
$headers["Authorization"] = "Bearer $token"
$headers["Content-Type"]  = "application/json"
$headers["Accept"]        = "*/*"
$headers["User-Agent"]    = "PostmanRuntime/7.42.0"
Write-Log -Message "Headers prepared with Bearer Token and Content-Type" -Level INFO
# ===============================
# API Request
# ===============================
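try {
    Write-Log -Message "Sending PATCH request to URL: $url" -Level INFO
    $response = Invoke-RestMethod -Uri $url -Method Patch -Headers $headers -Body $body
    $responseJson = $response | ConvertTo-Json -Depth 5
    # NOTE(review): the response appears to echo the NERM profile, so this line may
    # put personal data into the log; consider trimming it if the logs are widely readable.
    Write-Log -Message "Request successful. Response: $responseJson" -Level INFO
    Write-Output $responseJson
    Write-Log -Message "NERM - WRITE BACK OF SAMAccountName :: ENDS" -Level INFO
}
catch {
    # Exception.Message alone hides the HTTP status and the API's own error body,
    # which is what distinguishes a rejected token from an unknown profile id.
    $statusCode = $null
    if ($_.Exception.Response) { $statusCode = $_.Exception.Response.StatusCode }
    $apiDetail = $_.ErrorDetails.Message
    Write-Log -Message "ERROR occurred during API call: $($_.Exception.Message) [Status: $statusCode] [Detail: $apiDetail]" -Level ERROR
    # Re-throw so the connector rule sees the failure
    throw
}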
The above PowerShell script is called from the "AD AFTER CREATE" connector rule after the AD account has been created for the user.