Connector Executed Rules

Connector-Executed Rules or Connector Rules are rules that are executed in the Identity Security Cloud virtual appliance, and they are usually extensions of the connector itself. The rules are commonly used to perform complex connector-related functions, so they are specific to only certain connectors. Because these rules execute in the virtual appliance, they do not have access to query the Identity Security Cloud data model or fetch information from Identity Security Cloud. They rely instead on contextual information sent from Identity Security Cloud. Connector-executed rules may also have managed connections provided in their contexts to support querying end systems or sources. Though these managed connections may be used, making additional connections or call-outs is not allowed.

Unlike cloud rules, connector rules do not have a rule review process and are directly editable with the Connector Rule REST APIs. For more details, see Configuration Process.

Supported Connector Rules

Rule Name	Rule Type	Source Type(s)	Purpose
Before Creation Rule	ConnectorBeforeCreate	Active Directory, Azure Active Directory	Executes PowerShell commands on the IQService component before a source account is created.
Before Modify Rule	ConnectorBeforeModify	Active Directory, Azure Active Directory	Executes PowerShell commands on the IQService component before a source account is modified.
Before Delete Rule	ConnectorBeforeDelete	Active Directory, Azure Active Directory	Executes PowerShell commands on the IQService component before a source account is deleted.
After Creation Rule	ConnectorAfterCreate	Active Directory, Azure Active Directory	Executes PowerShell commands on the IQService component after a source account is created.
After Modify Rule	ConnectorAfterModify	Active Directory, Azure Active Directory	Executes PowerShell commands on the IQService component after a source account is modified.
After Delete Rule	ConnectorAfterDelete	Active Directory, Azure Active Directory	Executes PowerShell commands on the IQService component after a source account is deleted.
Build Map Rule	BuildMap	Delimited File	Calculates and transforms data from a parsed file during the aggregation process. Note: This is only available for the Delimited File source type, not Generic source types.
JDBC Build Map Rule	JDBCBuildMap	JDBC	Calculates and transforms data from a database query result during the aggregation process. It can also perform additional calls back to the database. Note: This rule is available for the JDBC Generic source, as well as other sources that derive from the JDBC connector (e.g., Oracle EBS, PeopleSoft, etc.)
JDBC Provision Rule	JDBCProvision	JDBC	Executes database queries to perform provisioning of account and access for all account operations.
SAP Build Map Rule	SAPBuildMap	SAP HR, SAP	Calculates and transforms data from SAP during the aggregation process. It can also perform additional calls back to the SAP system using SAP BAPI calls.
SAP HR Provisioning Modify Rule	SapHrOperationProvisioning	SAP HR	Performs SAP HR modification operations during provisioning. Often used for attribute sync to custom SAP HR attributes.
Web Services Before Operation Rule	WebServiceBeforeOperationRule	Web Services	Executes before the next web-services HTTP(S) operation. Often used to calculate values.
Web Services After Operation Rule	WebServiceAfterOperationRule	Web Services	Executes after a web-services HTTP(S) operation. Often used to parse complex data.

Configuration Process

Connector Rules are directly editable with the Connector Rule REST APIs, which provide ability to interact with rules directly.

Name	Path
List Connector Rules	`GET /beta/connector-rules/`
Get Connector Rule	`GET /beta/connector-rules/[id]`
Create Connector Rule	`POST /beta/connector-rules/`
Update Connector Rule	`PUT /beta/connector-rules/[id]`
Delete Connector Rule	`DELETE /beta/connector-rules/[id]`
Validate Connector Rule	`POST /beta/connector-rules/validate`

SailPoint architectural optimizations have added resiliency and protections against malformed or long-running rules. These APIs also offer built-in protection and checking against potentially harmful code. For more information, see Rule Code Restrictions.

Connector Rule Object Model

{
    "id": "2c91808674a2816a0174af21a6450009",
    "name": "Example WebServices Rule",
    "description": "This is just an example",
    "created": "2020-09-21T05:27:32.170Z",
    "modified": null,
    "type": "WebServiceBeforeOperationRule",
    "signature": {
        "input": [],
        "output": null
    },
    "attributes": {
        "sourceVersion": "2020-09-21 05:27:31"
    },
    "sourceCode": {
        "version": "2020-09-21 05:27:31",
        "script": "\n      import java.util.HashMap;\n      import org.json.JSONArray;\n      import org.json.JSONException;\n      import org.json.JSONObject;\n\n      import org.apache.http.HttpEntity;\n      import org.apache.http.HttpResponse;\n      import org.apache.http.client.HttpClient;\n      import org.apache.http.client.methods.HttpPost;\n      import ...
requestEndPoint.getBody().put(\"jsonBody\",requestXML); \n              }\n        }\n    }\n    log.info(\"Done Ultipro Onboarding before operation rule...\");\n    return requestEndPoint;\n"
    }
}

id - Unique UUID that the REST APIs refers to this rule by. This is generated on creation.
name - Name the user interface and references may use to refer to this rule.
description - Description of the rule’s purpose or usage.
created - Timestamp when the rule was created.
modified - Timestamp when the rule was last modified. The default is null.
type - Type of connector rule. For a list of supported rule types, see Supported Connector Rules.
signature - The list of input variables and the output variable of the rule. These can be found in the corresponding sections of the Rule Documentation. NOTE: Adding additional values will not bring in new variables.
- input - The list of the input variables. This can be found in the Rule documentation's Input section.
- output - The output variable for the rule. This can be found the Rule documentation's Output section.
attributes - List of attributes.
- sourceVersion - String indicating the rule's version. Typically, this is the same as version.
sourceCode - Object housing the actual source code that makes the rule work.
- version - String indicating the rule's version. Typically, this is the same as sourceVersion.
- script - Rule’s code the connector runs. This must be an escaped string. For help with formatting, use an escaping tool like Free Formatter.

Once a connector-related rule has been imported to your tenant, you must configure any sources that need to reference that rule during the desired operation. You can accomplish this configuration through the execution of an API call on the source. The following examples all use a PATCH operation for a partial source update, but PUT operations work too, as long as the entire source object model is provided.

For the PATCH operations, you must provide an op key. For new configurations, this key is typically set to add as the example shows, but they can be any of the following:

add - Add a new value to the configuration. Use this operation if this is the first time you are setting the value, i.e. it has never been configured before.
replace - Use this operation to change the existing value. Use this operation if you are updating the value, i.e. you want to change the configuration.
remove - Removes a value from the configuration. Use this operation if you want to unset a value. Caution: Removals can be destructive if the path is improperly configured. This can negatively alter your source config.