SecurID® Governance & Lifecycle Blog

Subscribe to the official SecurID Governance & Lifecycle community blog for information about new product features, industry insights, best practices, and more.

Data Processors : Manipulating Identities

PradeepKadambar

In this blog, I will go over how we can effectively use pre and post processors during identity collections to solve some common use cases. 

If you are unfamiliar with data processors, I suggest you read the Data Processors : Basics before proceeding.

Enabling Data Processors

Data processing is an advanced feature, so it must be explicitly enabled by the System Administrator. Follow the steps below to enable it:

  1. Login to console as System Administrator
  2. Navigate to Admin > System.
  3. Click on Edit
  4. Under Custom, add enableCustomPostProcessingScript with value true
  5. Click Save
  6. Click OK.

Example : Set termination status based on Active Directory accountExpires value

In this use case, we collect user identities from Active Directory. Among other attributes, we collect accountExpires, which defines when an account expires in Active Directory. Once the identity is collected in G&L, we mark it as terminated if the accountExpires date has already passed (that is, accountExpires is on or before the current date, which is the comparison the SQL below performs).

We can solve this with the Pre_ID_Unification_Handler, which lets us manipulate the raw data collected from Active Directory before unification kicks in.

  1. Login to console as System Administrator
  2. Navigate to Unification Config and click on Pre Process Script
  3. Edit the script and add the following SQL block below the comment "Custom Code Goes Here". Here we set the terminated flag from the custom date attribute (CUS_ATTR_USER_CAD_1) that holds the accountExpires value collected by the Active Directory IDC.
    -- Mark the raw identity as terminated when the collected expiry date is already in the past.
    UPDATE 
      T_RAW_USER 
    SET 
      IS_TERMINATED = 1 
    WHERE 
      -- Custom date attribute holding accountExpires; rows with a NULL date never match.
      CUS_ATTR_USER_CAD_1 <= SYSDATE 
      -- Restrict the update to the rows of the latest collection run of this IDC.
      and run_id =(
        select 
          MAX(v_run_id) 
        from 
          t_raw_user 
        where 
          idc_id = <<YOUR_IDC_ID>>  -- replace with the id of the Active Directory IDC
      );
  4. Click Validate to check for syntactical errors.
  5. Click Save
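As an added illustration, not code from the original post or from the product, the following Python applies the same "expired on or before now" rule to raw accountExpires values as Active Directory exposes them, including the two sentinel values that mean "never expires". The sample rows and the reference timestamp are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Union

# Active Directory stores accountExpires as 100-nanosecond intervals since
# 1601-01-01 UTC (Windows FILETIME). 0 and 0x7FFFFFFFFFFFFFFF mean "never expires";
# converting them naively yields 1601-01-01 or a far-future date, and the former
# would satisfy "<= SYSDATE" and terminate every such identity.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def account_expires_to_datetime(raw: Union[str, int, None]) -> Optional[datetime]:
    """Convert a raw accountExpires value to a UTC datetime, or None when it has no expiry."""
    if raw is None or raw == "":
        return None
    value = int(raw)
    if value in NEVER_EXPIRES:
        return None
    # 100-ns intervals -> microseconds
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def is_terminated(raw: Union[str, int, None], now: datetime) -> bool:
    """Mirror the pre-process predicate CUS_ATTR_USER_CAD_1 <= SYSDATE.

    A NULL date never satisfies the SQL comparison, so None is never terminated.
    """
    expires = account_expires_to_datetime(raw)
    return expires is not None and expires <= now


def terminated_user_ids(rows: List[dict], now: datetime) -> List[str]:
    """Return the user ids that the pre-process update would flag as terminated."""
    return [r["user_id"] for r in rows if is_terminated(r["accountExpires"], now)]


# Constructed sample rows (assumed shape of collected raw data, not real directory data).
SAMPLE_ROWS = [
    {"user_id": "u1", "accountExpires": "0"},                    # never expires
    {"user_id": "u2", "accountExpires": "9223372036854775807"},  # never expires
    {"user_id": "u3", "accountExpires": "132539328000000000"},   # 2021-01-01 00:00 UTC
    {"user_id": "u4", "accountExpires": "157469184000000000"},   # 2100-01-01 00:00 UTC
    {"user_id": "u5", "accountExpires": ""},                     # attribute not collected
]

if __name__ == "__main__":
    print(terminated_user_ids(SAMPLE_ROWS, datetime(2024, 6, 1, tzinfo=timezone.utc)))
```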

Example : Generate username

In situations where G&L is used to onboard user accounts in multiple systems, it is essential to generate a unique user ID. While simple use cases can be handled via Naming Policies, more complex situations require custom solutions.

We can solve this with the Post_ID_Unification_Handler, which lets us manipulate the unified data after unification.

  1. Login to console as System Administrator
  2. Navigate to Unification Config and click on Post Process Script
  3. Edit the script and add the following PL/SQL block below the comment "Custom Code Goes Here". Here we store the generated sAMAccountName in a custom user attribute after unification.
    -- Select users unified today that do not yet have a generated sAMAccountName.
    FOR NewUser IN (
      SELECT 
        userID, 
        sAMAccountName 
      FROM 
        (
          SELECT 
            USER_ID as userID, 
            -- First initial plus up to five characters of the last name, upper-cased.
            -- Note: this pattern alone does not guarantee uniqueness for similar names.
            UPPER(
              SUBSTR(U.FIRST_NAME, 1, 1) || SUBSTR(U.LAST_NAME, 1, 5) 
            ) AS sAMAccountName 
          FROM 
            T_MASTER_ENTERPRISE_USERS U 
          WHERE 
            /* sAMAccountName custom attribute not yet populated */
            U.CUS_ATTR_USER_CAS_3 IS NULL 
            AND U.UNIQUE_ID IS NULL 
            AND U.USER_ID <> 'AveksaAdmin' 
            -- Compare the date parts directly; TO_DATE on a DATE column relies on the session NLS format.
            AND TRUNC(U.CREATION_DATE) = TRUNC(SYSDATE) 
            AND U.DELETION_DATE IS NULL
        )
    ) LOOP 
    /* Update the custom user attribute that holds the generated sAMAccountName */
    UPDATE 
      T_MASTER_ENTERPRISE_USERS U 
    SET 
      U.CUS_ATTR_USER_CAS_3 = NewUser.sAMAccountName 
    WHERE 
      U.USER_ID = NewUser.userID;
    COMMIT;
    END LOOP;
  4. Click Validate to check for syntactical errors.
  5. Click Save