RSA Governance & Lifecycle Data Processors: Manipulating Identities
a year ago
Article Number
000073037
Resolution

In this article, I will go over how we can effectively use pre and post processors during identity collections to solve some common use cases.

If you are unfamiliar with data processors, I suggest you read the Data Processors : Basics before proceeding.

Enabling Data Processors

Data processing is an advanced feature and hence it needs to be explicitly enabled by the System Administrator. Follow the steps below to enable this feature:

  1. Login to console as System Administrator
  2. Navigate to Admin > System.
  3. Click on Edit
  4. Under Custom, add enableCustomPostProcessingScript with value true
  5. Click Save
  6. Click OK.
 
While adding data processors are supported, the extension code (logic) for custom data processing is not supported by RSA unless covered by custom code support (CAS).
 
The code provided in this article is for illustration purposes only.

 

Example : Set termination status based on Active Directory accountExpires value

In this use case, we will collect user identities from Active Directory. Among other attributes, we collect accountExpires attribute that defines when an account expires in Active Directory. Once the identity is collected in G&L, we should mark the identity as terminated if accountExpires is >= current date.

We can solve this by using the Pre_ID_Unification_Handler, to manipulate the raw data collected from Active Directory before the unification can kick in.

  1. Login to console as System Administrator
  2. Navigate to Unification Config and click on Pre Process Script
  3. Update to add the following SQL block below the comment "Custom Code Goes Here". Here, we are setting the terminated flag based on the custom date attribute that contains the accountExpires value from Active Directory IDC. 
    
     UPDATE T_RAW_USER SET IS_TERMINATED = 1 WHERE CUS_ATTR_USER_CAD_1 <= SYSDATE and run_id =( select MAX(v_run_id) from t_raw_user where idc_id = <<YOUR_IDC_ID>> );​
  4. Click Validate to check for syntactical errors.
  5. Click Save

Example : Generate username

In situations where G&L used to onboard user accounts in multiple systems, it is essential to generate a unique user ID. While simple use cases can be handled via Naming Policies, other complex situations requires custom solutions.

We can solve this by using the Post_ID_Unification_Handler, to manipulate the unified data post unification.

  1. Login to console as System Administrator
  2. Navigate to Unification Config and click on Post Process Script
  3. Update to add the following SQL block below the comment "Custom Code Goes Here". Here we are setting the generated sAMAccountName name in the custom user attribute post unification. 
    
     FOR NewUser IN ( SELECT userID, sAMAccountName FROM ( SELECT USER_ID as userID, UPPER( SUBSTR(U.FIRST_NAME, 1, 1) || SUBSTR(U.LAST_NAME, 1, 5) ) AS sAMAccountName FROM T_MASTER_ENTERPRISE_USERS U WHERE /* sAMAccountName */ U.CUS_ATTR_USER_CAS_3 IS NULL AND U.UNIQUE_ID IS NULL AND U.USER_ID <> 'AveksaAdmin' AND TO_DATE(U.CREATION_DATE, 'DD-MON-YY') = TO_DATE(SYSDATE, 'DD-MON-YY') AND U.DELETION_DATE IS NULL ) ) LOOP /* Update the custom user attribute sAMAccountName that holds generated sAMAccountName */ UPDATE T_MASTER_ENTERPRISE_USERS U SET U.CUS_ATTR_USER_CAS_3 = NewUser.sAMAccountName WHERE U.USER_ID = NewUser.userID; COMMIT; END LOOP;
  4. Click Validate to check for syntactical errors.
  5. Click Save

Related Articles

Trending Articles

Don't see what you're looking for?