IdentityNow Transforms - First Valid

IdentityNow Transforms - First Valid

Overview

The first valid transform is useful for quickly doing an if/then/else operation on several different data points to return the first piece of data that is not null. It is commonly used for the SailPoint User Name (uid) attribute, where a value is required for every identity, but the desired information is not yet available (e.g., Active Directory username). In such cases, a first valid transform can be used to populate the uid attribute with the user's linked Active Directory account information if it is not null, otherwise use a different attribute from a source that the user does have like his/her employee number.

Other Considerations

  • N/A

 

Transform Structure

The first valid transform requires an array list of values that should be considered. These can be static strings or the return values of other nested transforms. It is important to note that the transform will return the first entry in the array that evaluates to a non-null value. Thus, the entries in the array should be provided in descending order of preference.

Example

{
  "attributes": {
    "values": [
      {
        "attributes": {
          "sourceName": "Active Directory",
          "attributeName": "sAMAccountName"
        },
        "type": "accountAttribute"
      },
      {
        "attributes": {
          "sourceName": "Okta",
          "attributeName": "login"
        },
        "type": "accountAttribute"
      },
      {
        "attributes": {
          "sourceName": "HR Source",
          "attributeName": "employeeID"
        },
        "type": "accountAttribute"
      }
    ]
  },
  "type": "firstValid",
  "name": "Test First Valid Transform"
}

Attributes

  • Required Attributes

    • type - This must always be set to firstValid
    • name - This is a required attribute for all transforms, and represents the name of the transform as it will appear in the UI's dropdowns
    • values - An array of attributes to evaluate for existence
  • Optional Attributes

    • requiresPeriodicRefresh - A true or false value that indicates whether the transform logic should be re-evaluated every evening as part of the identity refresh process.
    • ignoreErrors - a true or false value representing to move on to the next option if an error (like an NPE) were to occur.

 

Examples

Example 1

{
  "attributes": {
    "values": [
      {
        "attributes": {
          "sourceName": "Active Directory",
          "attributeName": "sAMAccountName"
        },
        "type": "accountAttribute"
      },
      {
        "attributes": {
          "sourceName": "Okta",
          "attributeName": "login"
        },
        "type": "accountAttribute"
      },
      {
        "attributes": {
          "sourceName": "HR Source",
          "attributeName": "employeeID"
        },
        "type": "accountAttribute"
      }
    ]
  },
  "type": "firstValid",
  "name": "Test First Valid Transform"
}

This transform will first attempt to return the user's sAMAccountName from his/her Active Directory account. In the event that the user does not have an Active Directory account, the transform will then attempt to return the user's Okta login. If the Okta login is also blank, the transform will return the user's employee ID from his/her HR record.

Example 2

{
  "attributes": {
    "values": [
      {
        "attributes": {
          "sourceName": "Active Directory",
          "attributeName": "mail"
        },
        "type": "accountAttribute"
      },
      {
        "attributes": {
          "value": "none"
        },
        "type": "static"
      }
    ]
  },
  "type": "firstValid",
  "name": "Test First Valid Transform"
}

This transform is often used to populate the Work Email identity attribute. Since the Work Email attribute is a required field for a valid identity, it cannot be blank. However, oftentimes for new hires, the user will not have an Active Directory account and/or email provisioned until after the user has been. A common practice in this situation is to return a static string of "none" to ensure that this required attribute does not remain empty.

Example 3

{
"attributes": {
"ignoreErrors": "true",
"values": [
{
"attributes": {
"value": "$identity.manager.attributes.networkDn"
},
"type": "static"
},
""
]
},
"name": "Example_Transform_ManagerDN",
"type": "firstValid"
}

This transform is often used to populate an attribute called Manager DN. It pulls the manager of the identity, then gets the Identity Attribute "Network DN" for the manager where "Network DN" should pull directly from distinguishedName in AD. This simple transform allows you to set a user's manager's DN as an Identity Attribute to allow for Attribute Sync down to AD. Without ignoreErrors set to true, this transform would throw a Null Pointer Exception (NPE) for any user without a manager. With ignoreErrors set to true, the first value in the firstValid would throw an error for users without a manager which would get ignored. Then it will pick the empty string to set the Manager DN Identity Attribute to.

 

References

  • N/A
Comments

Hi,

I have a requirement to populate manager based on data from two different source. To illustrate, in source 1 i have one field as managerid  and source 2 i have one field as manager.. If managerid in source 1 is null then whatever value is coming from source 2 that should be populated for manager. I used FirstValid transform for this however i am unable to achieve the required result. It is always taking value from source 1 even though it is NULL.

 

Sample Transform:

{
"attributes": {
"values": [
{
"attributes": {
"sourceName": "EmployeeDemo",
"attributeName": "managerid"
},
"type": "accountAttribute"
},
{
"attributes": {
"sourceName": "TransportDemo",
"attributeName": "Manager"
},
"type": "accountAttribute"
}
]
},
"type": "firstValid",
"id": "EmpDemo Manager Transform"
}

 

Sample Data:

EmployeeDemo:

EmployeeId,FirstName,LastName,Email,Status,PhoneNumber,Access,LifeCycleState,managerid,CompletedTraining
123,Reshu,Pratap,reshu.pratap@test.com,A,83434583045,Teams,active,123,001 002 321,Srimathi,Raman,srimathi.raman@test.com,A,23740240340,Skype,active,,002

TransportDemo:

EmployeeId,Address,VehichleNo,EmergencyContactNo,Manager
123,Kolkata,AG23445,54456676787,123
321,Chennai,CSK343454,3456754345,123

In above example for id 321, i am not passing managerid value. So my expectation is Manager value from TransportDemo should be returned as output since managerid is blank or null.

 

Kindly suggest.

 

Regards,

Reshu

 

 

 

 

 

 

Resolve the Manager id variable from both of the sources and then make a conditional expression to check NULL and return the result with positive condition or negative condition to build a conditional transform.

Version history
Revision #:
4 of 4
Last update:
‎Dec 09, 2021 03:48 PM
Updated by: