How to Search Non-Indexed Account Attributes in IDN Rules for Uniqueness

This article shows how to use the recently released searchable (indexed) account attributes feature, which lets a rule query those attributes to run uniqueness searches and generate values such as sAMAccountName, email or userPrincipalName.

It allows a rule to search accounts across sources, determine whether a candidate attribute value is already in use in any of them, and so generate a new value that is unique.

Let's take a use case and walk through how to set it up.

Use Case

We want to generate a new email address whose prefix (firstname.lastname@) must be unique, checking it against the "mail", "userPrincipalName" and "proxyAddresses" attributes across 3 x AD connectors.

Note: The sources don't have to be AD; they can be virtually any source (AAD, ServiceNow, Okta, Workday etc.).

Design

The high-level steps are:

  • Identify Source ID and attributes
  • Create Searchable Attributes
  • Run an unoptimised aggregation if the source already exists (for example in a production tenant) so that the searchable attributes get populated for existing accounts.
  • Use new methods in rules to search for uniqueness

Identify Source ID and Attributes

We have 3 x AD sources in our design. For each of them we need its source ID, which you can fetch with an API call:

GET {{api-url}}/cc/api/source/get/{{source-id}}

The attribute generator rule below holds those source IDs in three lists (one per attribute being checked) and queries the searchable attributes allProxyAddresses, allUserPrincipalNames and allMailAddresses through idn.attrSearchCountAccounts(sourceIds, attributeName, operation, values), which returns the number of accounts in the given sources whose attribute matches. A candidate prefix is unique only when all three counts are zero; otherwise a numeric suffix is appended and the check repeats, up to a counter limit of 99.
import sailpoint.object.Identity;
import org.apache.commons.lang.StringUtils;
import java.util.List;
import java.util.ArrayList;
import java.util.Arrays;

// Source IDs of the AD sources whose proxyAddresses are checked
List proxyAddressSources = new ArrayList(Arrays.asList(new String[] {
    "2c9180867745f3b10177469563be7451d",
    "2c9180867745f3b10177469563be7451e",
    "2c9180867745f3b10177469563be7451f"
}));

// Source IDs of the AD sources whose userPrincipalName is checked
List upnSources = new ArrayList(Arrays.asList(new String[] {
    "2c9180867745f3b10177469563be7451d",
    "2c9180867745f3b10177469563be7451e",
    "2c9180867745f3b10177469563be7451f"
}));

// Source IDs of the AD sources whose mail attribute is checked
List mailSources = new ArrayList(Arrays.asList(new String[] {
    "2c9180867745f3b10177469563be7451d",
    "2c9180867745f3b10177469563be7451e",
    "2c9180867745f3b10177469563be7451f"
}));

// Build firstname.lastname, or firstname.lastnameN for iteration N > 0,
// and keep trying until the prefix is unique or the counter limit is hit.
public String generateUniqueEmail(String fName, String lName, int iteration) throws Exception {
    if (iteration > 99) {
        throw new Exception("emailPrefix counter limit 99!");
    }
    String emailPrefix;
    switch (iteration) {
        case 0:
            emailPrefix = fName + "." + lName;
            break;
        default:
            emailPrefix = fName + "." + lName + String.valueOf(iteration);
            break;
    }

    if (isUnique(emailPrefix)) {
        return emailPrefix;
    } else {
        return generateUniqueEmail(fName, lName, iteration + 1);
    }
}

// A prefix is unique only if no account in any of the sources already uses it
// as a proxy address (smtp:/sip:), as a UPN or as a mail address.
// The trailing "@" makes the StartsWith search match the whole local part,
// so "john.smith@" does not collide with "john.smithson@".
public boolean isUnique(String emailPrefix) {

    String startWithOp = "StartsWith";
    boolean isUnique = true;
    List searchValues = new ArrayList(Arrays.asList(new String[] {
        "smtp:" + emailPrefix + "@", "sip:" + emailPrefix + "@"
    }));

    // check proxy addresses
    if (idn.attrSearchCountAccounts(proxyAddressSources, "allProxyAddresses", startWithOp, searchValues) == 0) {
        // check UPNs
        searchValues = new ArrayList(Arrays.asList(new String[] {
            emailPrefix + "@"
        }));
        if (idn.attrSearchCountAccounts(upnSources, "allUserPrincipalNames", startWithOp, searchValues) == 0) {
            // check mails
            if (idn.attrSearchCountAccounts(mailSources, "allMailAddresses", startWithOp, searchValues) > 0) {
                isUnique = false;
            }
        } else {
            isUnique = false;
        }
    } else {
        isUnique = false;
    }
    return isUnique;
}


String generatedUniqueEmail = null;

if (identity != null) {

    String emailSuffix = StringUtils.trimToNull(identity.getAttribute("emailSuffix"));
    String fname = StringUtils.trimToNull(identity.getAttribute("firstname"));
    String lname = StringUtils.trimToNull(identity.getAttribute("lastname"));

    if (fname != null && lname != null && emailSuffix != null) {

        // strip anything that is not a letter or digit, then lower-case
        fname = fname.replaceAll("[^a-zA-Z0-9]", "");
        fname = fname.toLowerCase();

        lname = lname.replaceAll("[^a-zA-Z0-9]", "");
        lname = lname.toLowerCase();

        generatedUniqueEmail = generateUniqueEmail(fname, lname, 0) + emailSuffix;
    }
}

return generatedUniqueEmail;
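To test the prefix and suffix logic before deploying the rule, the following Python model reimplements it offline. This is an added example, not code from the article or from SailPoint: attr_search_count_accounts is a constructed stand-in for idn.attrSearchCountAccounts(sourceIds, attributeName, operation, values) with the semantics described above, SAMPLE_INDEX is constructed account data for three hypothetical sources, and the comparison is assumed to be case-insensitive (AD writes the primary address as "SMTP:" in upper case; whether the real search ignores case is not stated on the page). It goes slightly beyond the rule by running the retry as a loop rather than recursion and by exercising the "john.smith@" versus "john.smithson@" edge case that the trailing "@" guards against.

```python
"""Offline model of the IDN uniqueness-search rule (added example, not the page's code)."""
import re

# Constructed sample index: source ID -> accounts; each account maps a
# searchable attribute name to its (possibly multi-valued) list of values.
SAMPLE_INDEX = {
    "src-ad-1": [
        {"allProxyAddresses": ["SMTP:john.smith@corp.example", "sip:john.smith@corp.example"],
         "allUserPrincipalNames": ["john.smith@corp.example"],
         "allMailAddresses": ["john.smith@corp.example"]},
    ],
    "src-ad-2": [
        {"allProxyAddresses": ["smtp:john.smith1@corp.example"],
         "allUserPrincipalNames": ["john.smith1@corp.example"],
         "allMailAddresses": ["john.smith1@corp.example"]},
    ],
    "src-ad-3": [
        {"allProxyAddresses": [],
         "allUserPrincipalNames": ["jane.doe@corp.example"],
         "allMailAddresses": ["jane.doe@corp.example"]},
        {"allProxyAddresses": [],
         "allUserPrincipalNames": [],
         "allMailAddresses": ["john.smithson@corp.example"]},
    ],
}

# Which sources each attribute check runs against (hypothetical source IDs).
SOURCES = {
    "proxy": ["src-ad-1", "src-ad-2", "src-ad-3"],
    "upn": ["src-ad-1", "src-ad-2", "src-ad-3"],
    "mail": ["src-ad-1", "src-ad-2", "src-ad-3"],
}


def attr_search_count_accounts(index, source_ids, attribute, operation, values):
    """Stand-in for idn.attrSearchCountAccounts: count accounts in the given
    sources where any value of `attribute` matches any search value.
    Only the StartsWith operation is modelled; matching is case-insensitive
    (an assumption about the real search)."""
    if operation != "StartsWith":
        raise ValueError("only StartsWith is modelled here")
    needles = [v.lower() for v in values]
    count = 0
    for sid in source_ids:
        for account in index.get(sid, []):
            vals = [v.lower() for v in account.get(attribute, [])]
            if any(v.startswith(n) for v in vals for n in needles):
                count += 1
    return count


def is_unique(index, sources, prefix):
    """Mirror of the rule's isUnique(): proxy addresses, then UPNs, then mail.
    The trailing '@' anchors the prefix so 'john.smith@' does not match
    'john.smithson@'."""
    proxy_values = [f"smtp:{prefix}@", f"sip:{prefix}@"]
    if attr_search_count_accounts(index, sources["proxy"], "allProxyAddresses",
                                  "StartsWith", proxy_values) > 0:
        return False
    plain = [f"{prefix}@"]
    if attr_search_count_accounts(index, sources["upn"], "allUserPrincipalNames",
                                  "StartsWith", plain) > 0:
        return False
    return attr_search_count_accounts(index, sources["mail"], "allMailAddresses",
                                      "StartsWith", plain) == 0


def generate_unique_email(index, sources, fname, lname, iteration=0, limit=99):
    """Mirror of generateUniqueEmail(): first.last, then first.last1, first.last2, ...
    Implemented as a loop; raises once the counter limit is exceeded."""
    for i in range(iteration, limit + 1):
        prefix = f"{fname}.{lname}" if i == 0 else f"{fname}.{lname}{i}"
        if is_unique(index, sources, prefix):
            return prefix
    raise RuntimeError(f"emailPrefix counter limit {limit}!")


def normalize(name):
    """Same cleanup as the rule: keep letters and digits only, lower-case."""
    return re.sub(r"[^a-zA-Z0-9]", "", name).lower()


def build_email(index, sources, first, last, suffix):
    """Full flow: trim, normalise, find a unique prefix, append the suffix.
    Returns None when any input is missing, as the rule does."""
    first = (first or "").strip() or None
    last = (last or "").strip() or None
    suffix = (suffix or "").strip() or None
    if first is None or last is None or suffix is None:
        return None
    return generate_unique_email(index, sources, normalize(first), normalize(last)) + suffix


if __name__ == "__main__":
    for first, last in [("John", "Smith"), ("Jane", "Doe"), ("Ann", "O'Brien"), ("John", "Smithson")]:
        print(first, last, "->", build_email(SAMPLE_INDEX, SOURCES, first, last, "@corp.example"))
```

Running the script shows john.smith and john.smith1 both taken (the first via an upper-case "SMTP:" proxy address), so John Smith gets john.smith2; Jane Doe collides only on the UPN and gets jane.doe1; John Smithson is not blocked by john.smith and only collides on his own mail entry, giving john.smithson1. Lowering the limit demonstrates the counter exception path.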
Comments

Hello,

I think something is missing on the increment part.

With this, the increment is never used:

public String generateUniqueEmail(String fName, String lName, int iteration) throws Exception {
    if (iteration > 99) {
        throw new Exception("emailPrefix counter limit 99!");
    }
    String emailPrefix = fName + "." + lName;

    if (isUnique(emailPrefix)) {
        return emailPrefix;
    } else {
        return generateUniqueEmail(fName, lName, iteration + 1);
    }
}

Maybe you should update it by adding a switch between:

        throw new Exception("emailPrefix counter limit 99!");
    }

and

    if (isUnique(emailPrefix)) {

Which gives you something like this:

    throw new Exception("emailPrefix counter limit 99!");
    }
    String emailPrefix;
    switch (iteration) {
        case 0:
            emailPrefix = fName + "." + lName;
            break;
        default:
            emailPrefix = fName + "." + lName + String.valueOf(iteration);
            break;
    }

    if (isUnique(emailPrefix)) {

Please check and update, or tell me if I'm wrong.

Best regards.

@pedrolit0 I feel like you are right. But I am saying that just by looking at the code and not really running it. The iteration needs to run with the new iteration count appended.

@pedrolit0 you are right. I had removed some specific logic from code to use as example here which caused the issue. Updated with your code. Thanks for pointing it out.

@piyush_khandelwal I just need to generate a unique id between 2000 and 5000; I was hoping there would be an attribute generator OOB for that. If you know of one, can you please help?

Version history: Revision 3 of 3, last updated May 31, 2022 04:54 AM