IdentityNow Transforms - Account Attribute
Overview
The account attribute transform is designed to look up an account for a particular source on an identity, and return a specific attribute value from that account.
Other Considerations
- If there are multiple accounts, then IdentityNow by default takes the value from the oldest account (based on the account created date). This behavior can be configured by specifying the accountSortAttribute and accountSortDescending attributes.
- If there are multiple accounts, and the oldest account has a null attribute value, by default IdentityNow moves to the next account which may have a value (if there is any). This behavior can be overridden with the accountReturnFirstLink property.
- The multiple accounts that are returned can be filtered based on the data they contain, so that you can target specific accounts over other accounts. This is often used to target accounts which are "active" over those that might not be.
Transform Structure
As indicated above, the account attribute transform may take several attributes as inputs into its configuration. The example below shows a fully configured transform with all required and optional attributes.
Example
{
    "attributes": {
        "sourceName": "Workday",
        "attributeName": "DEPARTMENT",
        "accountSortAttribute": "created",
        "accountSortDescending": true,
        "accountReturnFirstLink": true,
        "accountPropertyFilter": "(DEPARTMENT == \"Engineering\")",
        "accountFilter": "!(nativeIdentity.startsWith(\"*DELETED*\"))"
    },
    "type": "accountAttribute",
    "name": "Test Account Attribute Transform"
}
Attributes
Required Attributes
- type - This must always be set to accountAttribute
- name - This is a required attribute for all transforms, and represents the name of the transform as it will appear in the UI's dropdowns
- sourceName - A reference to the source to search for accounts.
  - This is a reference by a source's display name attribute (e.g. Active Directory). If the display name is updated, this reference will also need to be updated.
  - As an alternative, an applicationId or applicationName can be provided instead.
    - applicationId - This is a reference by a source's external GUID/ID attribute (e.g. "ff8081815a8b3925015a8b6adac901ff")
    - applicationName - This is a reference by a source's immutable name attribute (e.g. "Active Directory [source]")
- attributeName - The name of the attribute on the account to return. This should match the name of the account attribute visible in the user interface, or on the source schema.
Optional Attributes
- requiresPeriodicRefresh - A true or false value that indicates whether the transform logic should be re-evaluated every evening as part of the identity refresh process.
- accountSortAttribute - The value of this configuration is the string name of the attribute to use when determining the ordering of returned accounts when there are multiple entries.
  - Accounts can be sorted by any schema attribute.
  - If no sort attribute is defined, the transform will default to "created" (ascending sort on created date, so the oldest object wins)
- accountSortDescending - The value of this configuration is a boolean (true/false). Controls the order of the sort when there are multiple accounts.
  - If not defined, the transform will default to false (ascending order)
- accountReturnFirstLink - The value of this configuration is a boolean (true/false). Controls which account to source a value from for an attribute. If this flag is set to true, the transform returns the value from the first account in the list, even if it is null. If it is set to false, the transform returns the first non-null value.
  - If not defined, the transform will default to false.
- accountFilter - This expression queries the database to narrow search results. The value of this configuration is a sailpoint.object.Filter expression and is used when searching against the database. The default filter will always include the source and identity, and any subsequent expressions will be combined in an AND operation with the existing search criteria.
  - Only certain searchable attributes are available:
    - nativeIdentity - the Account ID
    - displayName - the Account Name
    - entitlements - a boolean value to determine if the account has entitlements
- accountPropertyFilter - This expression is used to search and filter accounts in memory. The value of this configuration is a sailpoint.object.Filter expression and is used when searching against the returned resultset.
  - All account attributes are available for filtering as this operation is performed in memory.
  - Examples:
    (status != "terminated")
    (department == "Engineering")
    (groups.containsAll({"Admin"}) || location == "Austin")
- input - This is an optional attribute that can explicitly define the input data which will be fed into the transform logic. If input is not provided, the transform will take its input from the source and attribute combination configured via the UI.
Examples
Example 1
{
    "attributes": {
        "attributeName": "HIREDATE",
        "sourceName": "Corporate HR",
        "accountSortAttribute": "created",
        "accountSortDescending": true,
        "accountReturnFirstLink": true,
        "accountPropertyFilter": "(WORKER_STATUS__c == \"active\")"
    },
    "type": "accountAttribute",
    "name": "Test Account Attribute Transform"
}
HR systems can sometimes have multiple HR records for a person, which is especially true in rehire and conversion scenarios. In order to get the correct identity data, we want to get data from only the latest, active accounts.
- sourceName is "Corporate HR" because that is the name of our authoritative source.
- attributeName is "HIREDATE" because that is the attribute we're interested in from our authoritative source.
- accountSortAttribute is "created" because we want to sort on created dates, in case there are multiple accounts.
- accountSortDescending is true because we want to sort based on the newest / latest account from the HR system.
- accountReturnFirstLink is true because we want to return the value of HIREDATE, even if it is null.
- accountPropertyFilter essentially is filtering the accounts to look at active accounts only. Terminated accounts will not appear (assuming there are no data issues).
- Note: We couldn't use accountFilter here because WORKER_STATUS__c is not a searchable attribute, but accountPropertyFilter works instead.
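The following Python model is an added illustration of the selection rules described in the Optional Attributes section and walked through in Example 1; it is not SailPoint code. The real transform evaluates sailpoint.object.Filter strings server-side and reads accounts from the source; here the accountPropertyFilter is a plain Python predicate, the accounts are constructed dicts for one person with a terminated record, a rehire record and a newer conversion record whose HIREDATE is still null, and the function names (select_account_value, equals_filter, example_1_outcomes) are my own.

```python
from datetime import date
from typing import Callable, Optional

# Constructed sample data (not from the article): three HR records for one
# person, the rehire/conversion situation the article describes.
HR_ACCOUNTS = [
    {"nativeIdentity": "E1001", "created": date(2015, 3, 1),
     "WORKER_STATUS__c": "terminated", "HIREDATE": "2015-03-01"},
    {"nativeIdentity": "E1001-R", "created": date(2021, 6, 15),
     "WORKER_STATUS__c": "active", "HIREDATE": "2021-06-15"},
    # Conversion record created most recently; HIREDATE not populated yet.
    {"nativeIdentity": "E1001-C", "created": date(2023, 1, 9),
     "WORKER_STATUS__c": "active", "HIREDATE": None},
]

Filter = Callable[[dict], bool]


def equals_filter(attribute: str, expected) -> Filter:
    """Hypothetical stand-in for a Filter string such as (WORKER_STATUS__c == "active")."""
    return lambda account: account.get(attribute) == expected


def select_account_value(accounts: list, attribute_name: str,
                         account_sort_attribute: str = "created",
                         account_sort_descending: bool = False,
                         account_return_first_link: bool = False,
                         account_property_filter: Optional[Filter] = None):
    """Return the value the transform would produce for attribute_name.

    Defaults follow the article: sort on 'created' ascending (oldest wins)
    and skip null values unless accountReturnFirstLink is true.
    """
    # accountPropertyFilter is applied in memory to the fetched accounts.
    candidates = [a for a in accounts
                  if account_property_filter is None or account_property_filter(a)]
    # accountSortAttribute / accountSortDescending decide the ordering.
    candidates.sort(key=lambda a: a[account_sort_attribute],
                    reverse=account_sort_descending)
    if not candidates:
        return None
    if account_return_first_link:
        # First account in the list wins, even when its value is null.
        return candidates[0].get(attribute_name)
    # Otherwise walk the list until a non-null value turns up.
    for account in candidates:
        value = account.get(attribute_name)
        if value is not None:
            return value
    return None


def example_1_outcomes() -> dict:
    """Compare the three configurations that matter for Example 1."""
    active = equals_filter("WORKER_STATUS__c", "active")
    return {
        # No optional attributes: oldest account wins, even though it is terminated.
        "defaults": select_account_value(HR_ACCOUNTS, "HIREDATE"),
        # Example 1 as written: newest active record, its null returned as-is.
        "example_1": select_account_value(
            HR_ACCOUNTS, "HIREDATE", account_sort_descending=True,
            account_return_first_link=True, account_property_filter=active),
        # Same, but accountReturnFirstLink false: falls through to the rehire record.
        "first_non_null": select_account_value(
            HR_ACCOUNTS, "HIREDATE", account_sort_descending=True,
            account_return_first_link=False, account_property_filter=active),
    }


if __name__ == "__main__":
    for label, value in example_1_outcomes().items():
        print(f"{label}: {value!r}")
```

Running it shows why the flags matter: with no options the terminated 2015 record supplies HIREDATE, the Example 1 configuration returns the null from the newest active record (which is what accountReturnFirstLink true asks for), and flipping accountReturnFirstLink to false walks on to the rehire record's 2021 date. The same function reproduces Example 2 if the predicate is replaced by one that rejects displayName values beginning with "SVC-".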
Example 2
{
    "attributes": {
        "attributeName": "sAMAccountName",
        "sourceName": "Active Directory",
        "accountFilter": "!(displayName.startsWith(\"SVC-\"))"
    },
    "type": "accountAttribute",
    "name": "Test Account Attribute Transform"
}
When mapping things like a username, we might want to focus on primary accounts from a particular source, or on accounts which aren't service accounts.
- sourceName is "Active Directory" because that is the source where this data is coming from.
- attributeName is "sAMAccountName" because we are mapping the username of the user.
- accountFilter is an expression which is filtering the accounts to make sure they aren't service accounts.
- Note: accountPropertyFilter would have worked just as well here.
Is there any reason why "startsWith" does not work on the accountPropertyFilter? (nor endsWith)
e.g. "accountPropertyFilter": "(memberOf.startsWith(\"CN=abc\"))",
I'm assuming it's checking against the AD group "Value" which has the FQDN.
FYI - using contains works! - and I've tried even comparing the full value (case sensitive).
@piyush_khandelwal ?
In the case of a multi-valued attribute, it is returning only the first value. How can I get all values in case the account attribute value type is a list?
@sbhingare Using the "accountPropertyFilter", for example on "memberOf" in an Active Directory source, it will check all of the items; even if it is just displaying the first one, it will check all of them.
Here is an example of a transform:
Thanks @GuiNab. Actually, my requirement is to assign all values in the multi-valued account attribute to the identity attribute. I don't want to check if it contains a certain value.