The transform documentation listed here is outdated and is no longer actively maintained. Please refer to https://developer.sailpoint.com/idn/docs/transforms for IdentityNow Transform documentation.
Hi,
Is there a way to create unique account attributes (not set as AccountID in account Schema) with a template array similar to this?
The 'Create Unique LDAP Attribute' generator uses just one pattern. Could an array be passed to it to check against multiple patterns similar to this transform?
Thanks in advance!
Hey @hari_patel , @efrain_sanchez and @david_reeves .
How can I manage to use this transform to generate a unique samaccountName? I'm not able to do it even changing the AD Account ID to SamaccountName.
Can you guys help me?
Here is the transform and the error i'm getting
An unexpected error occurred: Exception evaluating rule: Cloud Account Attribute Transform sailpoint.tools.GeneralException: The application script threw an exception: java.lang.IllegalStateException: Error generating account username for identity:
USER , appName: APPP Exception error msg: Exhausted patterns to generate a unique username BSF info: Cloud Account Attribute Transform at line: 0 column: columnNo
Hi all,
Currently only the Account Id attribute is supported to use the Username Generator for.
For other attributes where you might use the Create Unique LDAP Attribute Rule (like sAMAccountName or mail), please either continue to use that rule or create your own generator. Please see here for more assistance on Generator Rules.
Hi @hari_patel , @ross_shwarts , @efrain_sanchez , @david_reeves ,
I just tried to upload the transformation like in Example 1 from my Postman to Sailpoint.
Unfortunately I receive the following error message:
Hi there @Stephan_M ,
I had the same issue when I was trying to create a username generator transform not too long ago. The issue I had though was that I was trying to create the transform in the wrong Postman call.
I was originally trying to do a POST to "{{url}}/api/transform/create". Instead, what's required here is to do a GET call to "{{url}}/api/accountProfile/list/{{source number}}". The source number here is from whichever connector you want to use the username generator transform for.
The result will come back, and you'll see in the JSON for each attribute a spot for a transform. This is where the username generator transform is applied. You place it in, configured as you want it, and then include everything else that came back from that previous GET call when you then make a POST to "{{url}}/api/accountProfile/bulkUpdate/{{same source number}}".
I would first back up whatever you had come back in that GET call before making this POST call. If successful, you should be able to go to the Create Profile tab for the connector and see that a custom transform is being applied to the attribute you placed the transform under.
Let me know if this works for you,
Dan
Hi @Stephan_M , based on the error message, it looks like you are trying to create a transform from Example 1.
Please note the comments under Transform Structure. These examples are attribute configurations as part of an Account Profile (specifically, account create profile). These examples would be used for a source where the username is the Account Id rather than a source where the account Id is an internal system id (like Azure AD).
Also, you can use the beta APIs to handle updating the AccountProfiles (called Provisioning Policies in the APIs)
- List: https://developer.sailpoint.com/idn/api/beta/list-provisioning-policies
- Get: https://developer.sailpoint.com/idn/api/beta/get-provisioning-policy
- Update (via PUT): https://developer.sailpoint.com/idn/api/beta/put-provisioning-policy
I tried the simplest version from the GUI and still got the error below:
Error generating a unique value, the exception was: java.lang.Exception: Unable to contact connector to generate unique value and is not retry-able. Action:UniqueAccountIdValidator: Calling getObject for objectType 'account' using id 'AdaPrats' and options '{cloudConfigOverrides={aggregateTimeout=30, disablePooling=true, timeout=30}}' on source 'Prod AD (Prov) [source]'. Exception: sailpoint.connector.ConnectorException: [ InvalidConfigurationException ] [ Error details ] Required string attribute 'User' is not defined.It must have a valid value.
This is the snippet for samaccountname (Account ID for AD source) from the ‘CREATE’ Provisioning policy:
{
  "name": "sAMAccountName",
  "transform": {
    "attributes": {
      "name": "Create Unique Account ID"
    },
    "type": "rule"
  },
  "attributes": {
    "template": "$(firstname)$(lastname)$(uniqueCounter)",
    "cloudMaxUniqueChecks": "5",
    "cloudMaxSize": "100",
    "cloudRequired": "true"
  },
  "isRequired": false,
  "type": "",
  "isMultiValued": false
},
Please suggest if anyone has a clue what can cause this type of error.
I am getting the same error while I am provisioning to AD. Have you resolved the issue?
Thanks.
What exactly does the cloudRequired attribute do? The article indicates:
The cloudRequired attribute is an internal flag required for the IdentityNow platform, and can simply be left as true.
If its only purpose is to be used internally, then why is it exposed? Would it be possible to update the article with a more clear explanation?
I also noticed there is another attribute, isRequired, which is set to false. Why would a Username not be required when creating a new account?
You should use "Create Unique LDAP Attribute".
So, instead of using
"name": "Create Unique Account ID"
rather use
"name": "Create Unique LDAP Attribute"
Also note that sAMAccountName has a limit of 20 characters, so you should set cloudMaxSize to 20.
"cloudMaxSize": "20",
@Louwrens I'm using the "Create Unique LDAP Attribute" rule with cloudMaxSize set to 16, since we have downstream systems that have this limitation. The issue is that the rule trims the value to 16 chars, after adding the uniqueCounter, hence provisioning fails with the following error:
sailpoint.tools.GeneralException: Error running rule transform:sailpoint.tools.GeneralException: The application script threw an exception: java.lang.IllegalStateException: Unable to generate a unique value for Source[Staging Corp AD [source]] Field [sAMAccountName] after 20 retries. BSF info: Create Unique LDAP Attribute at line: 0 column: columnNo
@rk-cyderes ,
If you have "cloudMaxUniqueChecks": "20", then the "$(uniqueCounter)" values could be 1-20.
If you have "cloudMaxSize": "16", then you only have 16 characters to work with.
This would mean that everything preceding "$(uniqueCounter)" should be 14 characters max, so that when you add one or two digits, that you don't exceed 16 characters.
"xxxxxsb.$(firstNameInitial)" = 9 characters
This would mean that "$(simplifiedLastname)" should be trimmed to max 5 characters.
Then the usernames would be anything from 10 - 16 characters long.
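The length budget from the reply above, as an added example that is not part of the original thread and is not SailPoint's rule code. It assumes the behaviour reported in the thread (counter substituted first, result then cut to cloudMaxSize, counter running 1 to cloudMaxUniqueChecks); the full template string and the identity values are constructed for illustration.

```python
# Simulation of the cloudMaxSize / uniqueCounter interaction described in the thread.
# Assumption: the value is truncated to max_size AFTER $(uniqueCounter) is substituted.

# Constructed template built around the prefix quoted in the reply above.
TEMPLATE = "xxxxxsb.$(firstNameInitial)$(simplifiedLastname)$(uniqueCounter)"
MAX_SIZE = 16      # "cloudMaxSize": "16"
MAX_CHECKS = 20    # "cloudMaxUniqueChecks": "20"


def expand(template, values):
    """Substitute $(name) placeholders with the given values."""
    out = template
    for key, val in values.items():
        out = out.replace("$(%s)" % key, str(val))
    return out


def candidates(template, identity, max_size, max_checks):
    """Every value the generator would try, in order, after truncation."""
    return [
        expand(template, {**identity, "uniqueCounter": n})[:max_size]
        for n in range(1, max_checks + 1)
    ]


def first_free(cands, taken):
    """First candidate not already present on the source, or None if exhausted."""
    for cand in cands:
        if cand.lower() not in taken:
            return cand
    return None


def lastname_budget(max_size, max_checks, fixed_len):
    """Characters left for the last name once the widest counter is reserved."""
    return max_size - len(str(max_checks)) - fixed_len


if __name__ == "__main__":
    identity = {"firstNameInitial": "j", "simplifiedLastname": "vandenberg"}  # constructed
    untrimmed = candidates(TEMPLATE, identity, MAX_SIZE, MAX_CHECKS)
    # The counter is cut off, so all 20 retries produce the same string.
    print(sorted(set(untrimmed)), first_free(untrimmed, {"xxxxxsb.jvandenb"}))

    keep = lastname_budget(MAX_SIZE, MAX_CHECKS, len("xxxxxsb.j"))
    identity["simplifiedLastname"] = identity["simplifiedLastname"][:keep]
    trimmed = candidates(TEMPLATE, identity, MAX_SIZE, MAX_CHECKS)
    print(keep, first_free(trimmed, {"xxxxxsb.jvande1"}))
```

With the untrimmed last name every retry collapses to the same 16-character value, which is why the rule reports that it could not generate a unique value after 20 retries.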
You are right, it works with a trimmed $(simplifiedLastname) to max 5 characters. However, I would have expected the rule to handle this. If I have to trim the input to manage the size, then the purpose of cloudMaxSize is not clear. Anyways, thanks for confirming.
Also, can we set 2 digit numbers on the uniqueCounter, i.e., 01 instead of 1 and so on, until 09?