This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Blog

Subscribe to the official SecurID Governance & Lifecycle community blog for information about new product features, industry insights, best practices, and more.

Data Processors : Manipulating Account Data

PradeepKadambar
Moderator Moderator
Moderator
2 0 338
‎2022-03-10 10:10 AM

In this blog, I will go over how we can effectively use data processors during account collections to solve some common use cases. 

If you are unfamiliar with data processors, I suggest you read the Data Processors : Basics before proceeding.

 
The code provided in this blog is for illustration purposes only

 

Example : Manipulate account resolution attribute 

I am collecting admin accounts for users from Active Directory ADC, and these accounts are being collected as orphans. The sAMAccountName for admin accounts are in the format 'x' prefixed to the regular user's sAMAccountName. We want these accounts to be mapped to user identities.

We can solve this by using the Pre_ADC_Handler, to manipulate the raw data collected from the application and convert the data to desired format.

  1. Login to console as System Administrator
  2. Navigate to Collectors > Account Collectors and click on the account collector for the application.
  3. Click Edit.
  4. Select the Pre Custom Processing
  5. Click Next a few times till you get to the "Pre-Processing Custom Script Details" screen.
  6. Update to add the following SQL block below the comment "Custom Code Goes Here". Here we are stripping the prefixed x from the Active Directory sAMAccountName to calculate the sAMAccountName of the user's regular Active Directory username so that it can be mapped to the user identity. We are assuming that the sAMAccountName is stored in the user identity for mapping purposes.
    FOR AllAccounts IN (
  SELECT 
    LTRIM(amap.account_name, 'x') as name 
  FROM 
    T_DC_SOURCEDATA_ACCOUNT_MAP amap 
    INNER JOIN T_DATA_COLLECTORS coll ON amap.dc_id = coll.id 
  WHERE 
    coll.id = v_dc_id  
    and amap.run_id = v_run_id  
) LOOP 
UPDATE 
  T_DC_SOURCEDATA_ACCOUNT_MAP AMAP 
SET 
  AMAP.USER_NAME = AllAccounts.name 
WHERE 
  AMAP.account_name = AllAccounts.name COMMIT;
END LOOP;
  7. Click Validate to check for syntactical errors.
  8. Click Finish

Example : Convert account status format

I have an application (non database type) that return the user's account active status as true or false. However, I need to convert this to Account Disabled flag, which takes a 1 and 0.

We can solve this by using the Post_Account_Data_Load_Handler, to manipulate the data collected from the application and convert the data to desired format.

  1. Login to console as System Administrator
  2. Navigate to Collectors > Account Collectors and click on the account collector for the application.
  3. Click Edit.
  4. Select the Post Custom Processing
  5. Click Next a few times till you get to the "Post-Processing Custom Script Details" screen.
  6. Update to add the following SQL block below the comment "Custom Code Goes Here". Here we are setting the account disabled flag by inverting the active status flag.
    FOR DisabledAccounts IN (
  SELECT 
    account.name, 
    CASE account.cas20 WHEN 'true' THEN '0' ELSE '1' END as isDisabled 
  FROM 
    T_AV_ACCOUNTS account 
    INNER JOIN T_DATA_COLLECTORS collector ON account.adc_id = collector.id 
  WHERE 
    collector.id= v_dc_id
) LOOP 
UPDATE 
  T_AV_ACCOUNTS A 
SET 
  A.IS_DISABLED = DisabledAccounts.isDisabled 
WHERE 
  A.name = DisabledAccounts.name;
COMMIT;
END LOOP;
  7. Click Validate to check for syntactical errors.
  8. Click Finish
Labels
© 2023 RSA Security LLC or its affiliates. All rights reserved.