IdentityNow Transforms - Account Attribute

Overview

The account attribute transform is designed to look up an account for a particular source on an identity, and return a specific attribute value from that account.

Other Considerations

  • If there are multiple accounts, IdentityNow by default takes the value from the oldest account (based on the account created date). This behavior can be configured by specifying the accountSortAttribute and accountSortDescending attributes.
  • If there are multiple accounts and the oldest account has a null attribute value, IdentityNow by default moves on to the next account that may have a value (if any). This behavior can be overridden with the accountReturnFirstLink property.
  • The accounts returned can be filtered based on the data they contain, so that specific accounts are targeted over others. This is often used to target accounts that are "active" over those that might not be.

Transform Structure

As indicated above, the account attribute transform can take several attributes as inputs to its configuration. The example below shows a fully configured transform with all required and optional attributes.

Example

{
  "attributes": {
    "sourceName": "Workday",
    "attributeName": "DEPARTMENT",
    "accountSortAttribute": "created",
    "accountSortDescending": true,
    "accountReturnFirstLink": true,
    "accountPropertyFilter": "(DEPARTMENT == \"Engineering\")",
    "accountFilter": "!(nativeIdentity.startsWith(\"*DELETED*\"))"
  },
  "type": "accountAttribute",
  "name": "Test Account Attribute Transform"
}

Attributes

  • Required Attributes

    • type - This must always be set to accountAttribute

    • name - This is a required attribute for all transforms, and represents the name of the transform as it will appear in the UI's dropdowns

    • sourceName - A reference to the source to search for accounts.

      • This is a reference by a source's display name attribute (e.g. Active Directory). If the display name is updated, this reference will also need to be updated.

      • Alternatively, an applicationId or applicationName can be provided instead of sourceName.

        • applicationId - This is a reference by a source's external GUID/ID attribute (e.g. "ff8081815a8b3925015a8b6adac901ff")
        • applicationName - This is a reference by a source's immutable name attribute (e.g. "Active Directory [source]")
    • attributeName - The name of the attribute on the account to return. This should match the account attribute name visible in the user interface or on the source schema.

  • Optional Attributes

    • requiresPeriodicRefresh - A true or false value that indicates whether the transform logic should be re-evaluated every evening as part of the identity refresh process.
    • accountSortAttribute - The value of this configuration is a string name of the attribute to use when determining the ordering of returned accounts when there are multiple entries.

      • Accounts can be sorted by any schema attribute.
      • If no sort attribute is defined, the transform will default to "created" (ascending sort on created date; the oldest object wins).
    • accountSortDescending - The value of this configuration is a boolean (true/false). Controls the order of the sort when there are multiple accounts.

      • If not defined, the transform will default to false (ascending order).
    • accountReturnFirstLink - The value of this configuration is a boolean (true/false). Controls which account to source a value from for an attribute. If this flag is set to true, the transform returns the value from the first account in the list, even if it is null. If it is set to false, the transform returns the first non-null value.

      • If not defined, the transform will default to false.
    • accountFilter - This expression queries the database to narrow search results. The value of this configuration is a sailpoint.object.Filter expression and is used when searching against the database. The default filter always includes the source and identity; any additional expression is combined with the existing search criteria in an AND operation.

      • Only certain searchable attributes are available:

        • nativeIdentity - the Account ID
        • displayName - the Account Name
        • entitlements - a boolean value to determine if the account has entitlements
    • accountPropertyFilter - This expression is used to search and filter accounts in memory. The value of this configuration is a sailpoint.object.Filter expression and is used when filtering the returned result set.

      • All account attributes are available for filtering as this operation is performed in memory.

      • Examples:

        • (status != "terminated")
        • (department == "Engineering")
        • (groups.containsAll({"Admin"}) || location == "Austin")
    • input - This is an optional attribute that can explicitly define the input data which will be fed into the transform logic. If input is not provided, the transform will take its input from the source and attribute combination configured via the UI.

Examples

Example 1

{
  "attributes": {
    "attributeName": "HIREDATE",
    "sourceName": "Corporate HR",
    "accountSortAttribute": "created",
    "accountSortDescending": true,
    "accountReturnFirstLink": true,
    "accountPropertyFilter": "(WORKER_STATUS__c == \"active\")"
  },
  "type": "accountAttribute",
  "name": "Test Account Attribute Transform"
}

HR systems can sometimes have multiple HR records for a person; this is especially true in rehire and conversion scenarios. In order to get the correct identity data, we want to take data only from the latest, active account.

  • sourceName is "Corporate HR" because that is the name of our authoritative source.

  • attributeName is "HIREDATE" because that is the attribute we're interested in from our authoritative source.

  • accountSortAttribute is "created" because we want to sort on created dates, in case there are multiple accounts.

  • accountSortDescending is true because we want to sort based on the newest / latest account from the HR system.

  • accountReturnFirstLink is true because we want to return the value of HIREDATE, even if it is null.

  • accountPropertyFilter filters the accounts so that only active accounts are considered. Terminated accounts will not appear (assuming there are no data issues).

    • Note: We couldn't use accountFilter here because WORKER_STATUS__c is not a searchable attribute; but accountPropertyFilter works instead.
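The selection order described above (filter, sort, then take the first link or the first non-null value), as an added Python model of the behaviour; this is not IdentityNow's code, and the HR account records and the predicate standing in for accountPropertyFilter are constructed for the example. It also shows the caveat of accountReturnFirstLink: with Example 1's configuration, a newest active record whose HIREDATE is null is returned as null.

```python
from typing import Any, Callable, Dict, List, Optional

Account = Dict[str, Any]
Predicate = Callable[[Account], bool]

# Constructed sample data: three "Corporate HR" accounts for one identity
# (a terminated record, a rehire, and a conversion record with no HIREDATE yet).
HR_ACCOUNTS: List[Account] = [
    {"nativeIdentity": "1001", "created": "2015-03-02", "WORKER_STATUS__c": "terminated", "HIREDATE": "2015-03-02"},
    {"nativeIdentity": "1002", "created": "2021-06-14", "WORKER_STATUS__c": "active", "HIREDATE": "2021-06-14"},
    {"nativeIdentity": "1003", "created": "2023-01-09", "WORKER_STATUS__c": "active", "HIREDATE": None},
]


def account_attribute(accounts: List[Account], attribute_name: str,
                      account_sort_attribute: str = "created",
                      account_sort_descending: bool = False,
                      account_return_first_link: bool = False,
                      account_property_filter: Optional[Predicate] = None) -> Any:
    """Pick one attribute value from a set of accounts in the order this page
    describes: filter, sort, then take the first link or the first non-null value."""
    # accountPropertyFilter is modelled as a Python predicate (assumption).
    candidates = [a for a in accounts
                  if account_property_filter is None or account_property_filter(a)]
    # accountSortAttribute / accountSortDescending (default: "created", ascending).
    # Assumes every account carries the sort attribute.
    candidates.sort(key=lambda a: a.get(account_sort_attribute),
                    reverse=account_sort_descending)
    if account_return_first_link:
        # Value from the first account in sort order, even if it is null.
        return candidates[0].get(attribute_name) if candidates else None
    # Default: first non-null value in sort order.
    for acct in candidates:
        if acct.get(attribute_name) is not None:
            return acct[attribute_name]
    return None


def hiredate_with_defaults() -> Any:
    """No optional attributes: the oldest account wins, even though it is terminated."""
    return account_attribute(HR_ACCOUNTS, "HIREDATE")


def hiredate_example_1() -> Any:
    """Example 1: active only, newest first, first link even if null."""
    return account_attribute(HR_ACCOUNTS, "HIREDATE", "created", True, True,
                             lambda a: a.get("WORKER_STATUS__c") == "active")


def hiredate_example_1_first_non_null() -> Any:
    """Same as Example 1 but accountReturnFirstLink false: the null record is skipped."""
    return account_attribute(HR_ACCOUNTS, "HIREDATE", "created", True, False,
                             lambda a: a.get("WORKER_STATUS__c") == "active")
```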

Example 2

{
  "attributes": {
    "attributeName": "sAMAccountName",
    "sourceName": "Active Directory",
    "accountFilter": "!(displayName.startsWith(\"SVC-\"))"
  },
  "type": "accountAttribute",
  "name": "Test Account Attribute Transform"
}

When mapping things like a username, we might want to focus on primary accounts from a particular source or accounts which aren't service accounts.

  • sourceName is "Active Directory" because that is the source where this data is coming from.

  • attributeName is "sAMAccountName" because we are mapping the username of the user.

  • accountFilter is an expression which is filtering the accounts to make sure they aren't service accounts.

    • Note: accountPropertyFilter would have worked just as well here.

Comments

Is there any reason why "startsWith" does not work on the accountPropertyFilter? (nor endsWith)

e.g. "accountPropertyFilter": "(memberOf.startsWith(\"CN=abc\"))",

I'm assuming it's checking against the AD group "Value" which has the FQDN.
FYI - using contains works! - and I've tried even comparing the full value (case sensitive).
@piyush_khandelwal ?

In the case of a multi-valued attribute, it returns only the first value. How can I get all values if the account attribute value type is a list?

@sbhingare Using the "accountPropertyFilter", for example on "memberOf" in the Active Directory source, it will check all of the items; even if it only displays the first one, it checks all of them.

Here is an example of a transform:

{
  "type": "accountAttribute",
  "attributes": {
    "sourceName": "Active Directory",
    "attributeName": "sAMAccountName",
    "accountPropertyFilter": "memberOf.contains(\"<Ent1>\") || memberOf.contains(\"Ent2\")"
  }
}

I've used it with firstValid: if memberOf contains Ent1 or Ent2, it will display the sAMAccountName; if it does not contain them, it will display null. So I used firstValid to set a static value if the accountPropertyFilter passes the condition.

The user had 3 entitlements when I did the test; it displays the first one but checks the others too.

Thanks @GuiNab. Actually, my requirement is to assign all values in the multi-valued account attribute to the identity attribute. I don't want to check whether it contains a certain value.

Version history: revision 6 of 6, last updated Feb 08, 2022 04:22 AM.