SecurID® Governance & Lifecycle Blog


Data Processors : Manipulating Account Data

PradeepKadambar

In this blog, I will go over how we can effectively use data processors during account collections to solve some common use cases. 

If you are unfamiliar with data processors, I suggest you read Data Processors : Basics before proceeding.

 

Example : Manipulate account resolution attribute 

I am collecting admin accounts for users from an Active Directory ADC, and these accounts are being collected as orphans. The sAMAccountName of each admin account is the regular user's sAMAccountName prefixed with 'x'. We want these accounts to be mapped to user identities.

We can solve this by using the Pre_ADC_Handler to manipulate the raw data collected from the application and convert it to the desired format.

  1. Log in to the console as System Administrator.
  2. Navigate to Collectors > Account Collectors and click on the account collector for the application.
  3. Click Edit.
  4. Select Pre Custom Processing.
  5. Click Next a few times until you get to the "Pre-Processing Custom Script Details" screen.
  6. Add the following SQL block below the comment "Custom Code Goes Here". Here we strip the 'x' prefix from the Active Directory sAMAccountName to derive the user's regular Active Directory username so that it can be mapped to the user identity. We assume that the sAMAccountName is stored in the user identity for mapping purposes.
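    FOR AllAccounts IN (
      SELECT
        amap.account_name AS account_name,
        -- Remove exactly one leading 'x'. LTRIM(account_name, 'x') would
        -- remove every leading 'x'. A regular account whose name itself
        -- starts with 'x' is shortened too, so review those mappings.
        REGEXP_REPLACE(amap.account_name, '^x') AS name
      FROM
        T_DC_SOURCEDATA_ACCOUNT_MAP amap
        INNER JOIN T_DATA_COLLECTORS coll ON amap.dc_id = coll.id
      WHERE
        coll.id = v_dc_id
        AND amap.run_id = v_run_id
    ) LOOP
      -- Match on the collected (prefixed) account name and stay inside this
      -- collector run so rows from other collectors and runs are untouched.
      UPDATE
        T_DC_SOURCEDATA_ACCOUNT_MAP AMAP
      SET
        AMAP.USER_NAME = AllAccounts.name
      WHERE
        AMAP.account_name = AllAccounts.account_name
        AND AMAP.dc_id = v_dc_id
        AND AMAP.run_id = v_run_id;
    END LOOP;
    -- Commit once, after every row of this run has been updated.
    COMMIT;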
    
  7. Click Validate to check for syntactical errors.
  8. Click Finish
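
The mapping rule from this example can be dry-run on constructed data before it goes into the collector. The following is an added example, not part of the original post or the product: it uses Python with SQLite standing in for the Oracle schema, and compares an unconditional LTRIM-style strip with a guarded variant. The table `amap` (a stand-in for T_DC_SOURCEDATA_ACCOUNT_MAP), the sample accounts, and the guarded rule (which assumes each admin account has a regular twin in the same collector run) are assumptions.

```python
import sqlite3

# Constructed sample rows (dc_id, run_id, account_name); not real data.
ROWS = [
    (7, 1, "jsmith"), (7, 1, "xjsmith"),  # regular + admin account
    (7, 1, "xiong"), (7, 1, "xxiong"),    # regular name itself starts with x
    (7, 1, "xavier"),                     # regular account, no admin twin
    (9, 1, "xjsmith"),                    # same name, different collector
]

# Unconditional rule: strip every leading 'x' (LTRIM semantics).
BLANKET = "ltrim(account_name, 'x')"

# Guarded rule (assumption): strip one 'x' only when the remainder exists
# as a regular account in the same collector run.
GUARDED = """CASE WHEN substr(account_name, 1, 1) = 'x' AND EXISTS (
    SELECT 1 FROM amap AS r
    WHERE r.dc_id = amap.dc_id AND r.run_id = amap.run_id
      AND r.account_name = substr(amap.account_name, 2))
  THEN substr(account_name, 2) ELSE account_name END"""


def resolve(rule, dc_id=7, run_id=1):
    """Apply `rule` to one collector run; return {(dc_id, account): user}."""
    db = sqlite3.connect(":memory:")
    # `amap` stands in for T_DC_SOURCEDATA_ACCOUNT_MAP (columns from the post).
    db.execute("CREATE TABLE amap (dc_id INT, run_id INT,"
               " account_name TEXT, user_name TEXT)")
    db.executemany("INSERT INTO amap VALUES (?, ?, ?, NULL)", ROWS)
    # The UPDATE is scoped to the collector and run being processed.
    db.execute(f"UPDATE amap SET user_name = {rule}"
               " WHERE dc_id = ? AND run_id = ?", (dc_id, run_id))
    rows = db.execute("SELECT dc_id, account_name, user_name FROM amap")
    return {(dc, acct): user for dc, acct, user in rows}


if __name__ == "__main__":
    for label, rule in (("blanket", BLANKET), ("guarded", GUARDED)):
        print(label, resolve(rule))
```

Accounts that the two rules resolve differently are the ones to review by hand before relying on the mapping.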

Example : Convert account status format

I have an application (non-database type) that returns the user's account active status as true or false. However, I need to convert this to the Account Disabled flag, which takes 1 or 0.

We can solve this by using the Post_Account_Data_Load_Handler to manipulate the data collected from the application and convert it to the desired format.

  1. Log in to the console as System Administrator.
  2. Navigate to Collectors > Account Collectors and click on the account collector for the application.
  3. Click Edit.
  4. Select Post Custom Processing.
  5. Click Next a few times until you get to the "Post-Processing Custom Script Details" screen.
  6. Add the following SQL block below the comment "Custom Code Goes Here". Here we set the account disabled flag by inverting the active status flag.
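    FOR DisabledAccounts IN (
      SELECT
        account.name,
        -- cas20 holds the collected active status in this example:
        -- 'true' means enabled ('0'); any other value is treated as disabled ('1').
        CASE account.cas20 WHEN 'true' THEN '0' ELSE '1' END AS isDisabled
      FROM
        T_AV_ACCOUNTS account
        INNER JOIN T_DATA_COLLECTORS collector ON account.adc_id = collector.id
      WHERE
        collector.id = v_dc_id
    ) LOOP
      -- Restrict the update to this collector so that same-named accounts
      -- collected from other applications keep their own disabled flag.
      UPDATE
        T_AV_ACCOUNTS A
      SET
        A.IS_DISABLED = DisabledAccounts.isDisabled
      WHERE
        A.name = DisabledAccounts.name
        AND A.adc_id = v_dc_id;
    END LOOP;
    -- Commit once, after every account of this collector has been updated.
    COMMIT;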
  7. Click Validate to check for syntactical errors.
  8. Click Finish