XML Arguments in a Rule

I’ve been told I can use arguments in the XML that are set in a transform or an account creation profile.

What would it look like in a transform if I’m setting multiple source ID values to send to be called by a rule in a Transform? What would it look like in the XML argument? And what would it look like in the code itself referencing the XML argument?

With the source id values being multi-valued, how do I represent it in an array in how I set it on the transform and then provide it to the code?

I currently am using and tested the below logic as a static value. How would I represent this in the JSON / transform / creation profile? Would it be something like: “{31170}{31171}{31173}{31174}{31175}”? The static code I have currently is:

List DEPT_IDS = new ArrayList( Arrays.asList( new String[]{"31170","31171","31172","31173","31174","31175"}));

This is a static value that I currently have in the rule that I want to move to the transform and reference it. Would the source ID values be handled the same way as an array list? How do I have it stored in the transform, called in the XML and presented in code?

Example logic of using the Source ID values in code.

        if (idn.attrSearchCountAccounts(SOURCE_IDS, "userPrincipalName", SEARCH_OP, searchValues) == 0
                && idn.attrSearchCountAccounts(SOURCE_IDS, "userPrincipalName", SEARCH_OP, secondarySearchValues) == 0) {
            isUnique = true;
        } else {
            isUnique = false;
        }
        return isUnique;
    }

We might need two separate rules. One for the UPN generation on creation and another to synchronize a unique UPN on a last name change. Not too excited about the risks of automating the UPN on a last name change. Any recommendations on automating UPN and email address changes on a last name change?

Hey Fred, how are you?

You can simply create the arguments exactly as in any rule in IIQ or any rule on IDN. Check this out:
If it is a Cloud Rule:

<Rule language="beanshell" name="Location" type="AttributeGenerator">
  <Description>else</Description>
  <Signature returnType="Object">
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="identity">
        <Description>
          The Identity object being provisioned.
        </Description>
      </Argument>
      <Argument name="form">
        <Description>
          The Form object for the provisioning plan.
        </Description>
      </Argument>
      <Argument name="field">
        <Description>
          The Field object being analyzed.
        </Description>
      </Argument>
    </Inputs>

If it is a connector rule, you just add it in the arguments piece.

Now about the name change, there are some problems with it. First, when you change the UPN or SAM, and depending on how your company uses the DN, it will lose the correlation.

What I’ve done is make the changes during non-working hours, and in the PowerShell script, in the end, I would call an AD Aggregation to re-aggregate the account.

Hope this helps

So in the beanshell do I need to declare the variable for what is in the XML?

If in the xml I have:

<Argument name="domain" type="java.lang.String">
    <Description>
        email domain
    </Description>
</Argument>

Is this implying that it is already declaring it as a variable and that I can just reference it like I would any variable?

example:
firstUPN = fName + "." + mInitial + "." + lName + domain;

If the value in the transform or creation profile shows “domain”: “@example.com”, then the output of the above line could be ..@example.com?

Would a creation profile possibly look like something below:

{
    "name": "userPrincipalName",
    "transform": {
        "type": "rule",
        "attributes": {
            "name": "UniqueUPN",
            "domain": "@example.com",
            "sourceIds": "9de1f3abc3354d7582845ce573a49e95,9e7c490a8e924dbb8b00f9ebe19b940f"
        }
    },
    "attributes": {},
    "isRequired": false,
    "type": "string",
    "isMultiValued": false
},

Also, how would I input multiple sourceIds above in the creation profile? We are looking to query multiple AD sources to validate a unique UPN.

Yeah, you just need to transform the string into a List and you’re good to go.

Yep. 🙂

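An added example, not written by either poster and not SailPoint's own code: one way to turn the comma-separated `sourceIds` attribute from the creation profile into the List that the uniqueness check receives, refusing empty or malformed input instead of searching with it. It assumes the attribute reaches the rule as a String variable named `sourceIds`, as the thread describes, and that a source ID is 32 hex characters like the two values posted; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SourceIdArgument {

    // Assumption: a source ID is 32 hex characters, like the two values in the post.
    static final Pattern SOURCE_ID = Pattern.compile("[0-9a-fA-F]{32}");

    // Raw List (no generics), like the rule code in the thread.
    static List parseSourceIds(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            // Fail closed: with no sources to search, a match count of 0
            // would not show that the UPN is unique.
            throw new IllegalArgumentException("sourceIds is missing or empty");
        }
        List ids = new ArrayList();
        for (String part : raw.split(",")) {
            String id = part.trim();
            if (!SOURCE_ID.matcher(id).matches()) {
                throw new IllegalArgumentException("malformed source ID: [" + id + "]");
            }
            if (!ids.contains(id)) {
                ids.add(id);   // drop duplicates, keep order
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // The attribute value from the creation profile in the thread, with a
        // stray space and a repeated ID added (constructed input).
        String sourceIds = "9de1f3abc3354d7582845ce573a49e95, "
                + "9e7c490a8e924dbb8b00f9ebe19b940f,9de1f3abc3354d7582845ce573a49e95";
        List SOURCE_IDS = parseSourceIds(sourceIds);
        System.out.println(SOURCE_IDS.size() + " sources: " + SOURCE_IDS);

        // Constructed bad inputs: each must be rejected, not searched.
        String[] bad = { "", "  ", "{31170}{31171}", "9de1f3abc3354d7582845ce573a49e95,,x" };
        for (String value : bad) {
            try {
                parseSourceIds(value);
                System.out.println("accepted (unexpected): " + value);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Inside a rule, only the body of `parseSourceIds` is needed; the resulting list takes the place of the hard-coded `SOURCE_IDS` in the `idn.attrSearchCountAccounts` calls shown earlier in the thread.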