Manipulating Identities
In this blog post, I will walk you through the effective use of pre and post processors during identity collections to address common use cases. If you are not familiar with data processors, I recommend reading Data Processors Basics first, as it provides the foundation for the concepts discussed here.
Enabling Data Processors
Data processing is an advanced feature that requires explicit activation by the System Administrator. To enable this feature, follow the steps outlined below:
- Log in to the console as System Administrator.
- Navigate to Admin > System.
- Click Edit.
- Under Custom, add enableCustomPostProcessingScript with the value true.
- Click Save.
- Click OK.
Set termination status based on Active Directory accountExpires value
In this use case, our goal is to collect user identities from Active Directory, including the accountExpires attribute, which holds the expiration date of an account. Once this identity data has been collected into G&L, we want to mark the identity as terminated when the account has expired, that is, when the current date is greater than or equal to the accountExpires value.
To achieve this, we can leverage the Pre_ID_Unification_Handler. This handler lets us manipulate the raw data collected from Active Directory before the unification process takes place. By adding logic to this handler, we set the termination status based on the comparison between the accountExpires value and the current date, so that expired accounts are consistently identified and marked as terminated.
- Log in to the console as System Administrator.
- Navigate to Unification Config and click Pre Process Script.
- Add the following SQL block below the comment "Custom Code Goes Here". Here we set the terminated flag based on the custom date attribute that contains the accountExpires value from the Active Directory IDC.
/* Mark raw users whose accountExpires date (CUS_ATTR_USER_CAD_1) has been
   reached as terminated. Only rows from the latest collection run of the
   Active Directory IDC are touched. */
UPDATE T_RAW_USER
   SET IS_TERMINATED = 1
 WHERE CUS_ATTR_USER_CAD_1 <= SYSDATE
   AND run_id = (
         SELECT MAX(v_run_id)
           FROM t_raw_user
          WHERE idc_id = <<YOUR_IDC_ID>>
       );
- Click Validate to check for syntactical errors.
- Click Save
Generate User Name
When G&L is responsible for onboarding user accounts across multiple systems, generating a unique user ID becomes crucial. Straightforward cases can be handled through Naming Policies, but more intricate situations may require a customized solution.
For these cases we can use the Post_ID_Unification_Handler. This handler lets us manipulate the unified data after the unification process has completed. By adding custom logic to this handler, we can cover the nuanced requirements of generating unique user IDs and adapt the onboarding process to diverse scenarios and system environments.
- Log in to the console as System Administrator.
- Navigate to Unification Config and click Post Process Script.
- Add the following SQL block below the comment "Custom Code Goes Here". Here we store the generated sAMAccountName in a custom user attribute after unification.
/* Generate a sAMAccountName (first initial + first five letters of the last
   name, upper-cased) for every user created today that does not have one yet.
   Note: this simple scheme does not check for collisions between users with
   similar names. */
FOR NewUser IN (
    SELECT U.USER_ID AS userID,
           UPPER(SUBSTR(U.FIRST_NAME, 1, 1) || SUBSTR(U.LAST_NAME, 1, 5)) AS sAMAccountName
      FROM T_MASTER_ENTERPRISE_USERS U
     WHERE U.CUS_ATTR_USER_CAS_3 IS NULL            /* sAMAccountName not yet set */
       AND U.UNIQUE_ID IS NULL
       AND U.USER_ID <> 'AveksaAdmin'
       AND TRUNC(U.CREATION_DATE) = TRUNC(SYSDATE)  /* created today */
       AND U.DELETION_DATE IS NULL
) LOOP
    /* Update the custom user attribute that holds the generated sAMAccountName */
    UPDATE T_MASTER_ENTERPRISE_USERS U
       SET U.CUS_ATTR_USER_CAS_3 = NewUser.sAMAccountName
     WHERE U.USER_ID = NewUser.userID;
END LOOP;
- Click Validate to check for syntactical errors.
- Click Save
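As an added example (not part of the original post), the same post-processing block extended so that a generated name which is already assigned to another user receives a numeric suffix instead of being duplicated; the suffix scheme and the nested DECLARE block are my assumptions, while the table and column names are those used above.

```sql
/* Added example: sAMAccountName generation with collision handling.
   A nested anonymous block is used so local variables can be declared
   inside the handler's "Custom Code Goes Here" region. */
DECLARE
    v_candidate VARCHAR2(20);   -- sAMAccountName is limited to 20 characters
    v_suffix    PLS_INTEGER;
    v_in_use    PLS_INTEGER;
BEGIN
    FOR NewUser IN (
        SELECT U.USER_ID,
               UPPER(SUBSTR(U.FIRST_NAME, 1, 1) || SUBSTR(U.LAST_NAME, 1, 5)) AS base_name
          FROM T_MASTER_ENTERPRISE_USERS U
         WHERE U.CUS_ATTR_USER_CAS_3 IS NULL
           AND U.UNIQUE_ID IS NULL
           AND U.USER_ID <> 'AveksaAdmin'
           AND TRUNC(U.CREATION_DATE) = TRUNC(SYSDATE)
           AND U.DELETION_DATE IS NULL
         ORDER BY U.USER_ID           -- deterministic suffix assignment
    ) LOOP
        v_candidate := NewUser.base_name;
        v_suffix    := 1;

        /* Append 2, 3, ... until the candidate is not held by any user.
           Earlier iterations' updates are visible here because they run in
           the same session/transaction. */
        LOOP
            SELECT COUNT(*)
              INTO v_in_use
              FROM T_MASTER_ENTERPRISE_USERS
             WHERE UPPER(CUS_ATTR_USER_CAS_3) = v_candidate;
            EXIT WHEN v_in_use = 0;
            v_suffix    := v_suffix + 1;
            v_candidate := NewUser.base_name || TO_CHAR(v_suffix);
        END LOOP;

        UPDATE T_MASTER_ENTERPRISE_USERS
           SET CUS_ATTR_USER_CAS_3 = v_candidate
         WHERE USER_ID = NewUser.USER_ID;
    END LOOP;
END;
```

Because only names already present in T_MASTER_ENTERPRISE_USERS are checked, a value that exists in Active Directory but has not yet been collected into G&L could still collide; the Active Directory account collector's own uniqueness checks remain the final safeguard.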