Transforming attributes in CzechIdM 7

You installed CzechIdM and then connected systems to it. You prepared provisioning and synchronization definitions with attribute mappings. Well done, now you can automatically distribute information about identities, roles and other objects between connected systems. But what should you do if an attribute value needs to be transformed? You will find out in the following text.

Usual transformation cases

Suppose you have MS Active Directory connected to CzechIdM as a managed system. The following attributes, for example, might be subject to transformation:

  • DN – closely corresponds to the employee's working position or locality. It typically consists of several concatenated attributes transformed into DN format,
  • cn – usually a concatenation of firstName and lastName and/or personal number. May also include titleBefore or titleAfter
  • displayName – same as cn
  • description – almost anything
  • userPrincipalName – usually of the form: login + domain

Transformation scripts

So you know what you want to fill and how. All you need to do now is to use the proper transformation script.

Scripts definition agenda

The most convenient way is to use one of the standard scripts. Their definitions can be accessed via the GUI, as you can see in the following picture.

If you already know which script you want to use, choose it right in the attribute mapping detail, in the box for the transformation script.

Write your own script

If you cannot find the right script, you can simply write your own. Use the script definition agenda to define the script, its privileges (which services, or resources in general, the script can use) and its purpose (standard, transformation from etc…), and then use it in the transformation box, as you can see in the following pictures.

Quick test mode

Another option is to copy the script body into the attribute mapping itself. Every mapping has boxes for the script to and from CzechIdM.

This is the quickest way of using a script, but it has some obvious limitations, for example that the transformation is applied immediately after saving. So we advise using this approach in a test environment only.

We started with attribute examples, so it would be nice to show the script definition for some of them. Here you are:

entity.firstName + " " + entity.lastName

Use it to fill the displayName attribute in MS AD. Simple, isn’t it?
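The same idea carried further to cn, DN and userPrincipalName, as an added example that is not from the original post or from CzechIdM's bundled scripts. It runs as a plain Groovy script; the `entity` map is a constructed sample, and `username`, `baseDn`, `upnDomain` and the two helper methods are assumptions made for illustration. It skips missing name parts, so the text "null" is never provisioned, and escapes the value before placing it in the DN (RFC 4514), so a comma or plus sign in a name cannot change the DN's structure.

```groovy
// Constructed sample identity; inside CzechIdM the mapping supplies 'entity'.
def entity = [firstName: 'Jan', lastName: 'Novák, ml.', titleBefore: null, username: 'jnovak']

// Assumed directory layout and UPN suffix (placeholders, not from the post).
def baseDn = 'OU=Users,DC=example,DC=com'
def upnDomain = 'example.com'

// Join only the parts that are present, so a missing title or name
// never ends up in AD as the literal text "null".
String joinPresent(List parts) {
    parts.findAll { it != null && it.toString().trim() }.collect { it.toString().trim() }.join(' ')
}

// Escape a value for use inside one RDN (RFC 4514): the characters
// " + , ; < > \ anywhere, '#' or space at the start, space at the end.
String escapeRdnValue(String value) {
    def out = new StringBuilder()
    int last = value.length() - 1
    for (int i = 0; i <= last; i++) {
        String c = value[i]
        boolean atEdge = (i == 0 && (c == '#' || c == ' ')) || (i == last && c == ' ')
        if (atEdge || '"+,;<>\\'.contains(c)) {
            out.append('\\')
        }
        out.append(c)
    }
    out.toString()
}

def cn = joinPresent([entity.titleBefore, entity.firstName, entity.lastName])
def dn = "CN=${escapeRdnValue(cn)},${baseDn}".toString()
def upn = "${entity.username}@${upnDomain}".toString()

// Checks on the constructed sample: the comma in the surname is escaped in the DN only.
assert cn == 'Jan Novák, ml.'
assert dn == 'CN=Jan Novák\\, ml.,OU=Users,DC=example,DC=com'
assert upn == 'jnovak@example.com'

// As in the one-line example above, the last expression is the script's value.
dn
```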

Script as a file

In fact, all default scripts that are available in the GUI after CzechIdM installation were loaded into the application during its previous start. They are stored in XML format, and each file contains the script body (Groovy), the script privileges and its purpose. So if you want to track changes to your scripts, e.g. with git, this is the best way.

Read more

You can find more information about transformation scripts in the administrator’s guide. If you have any questions or comments, feel free to comment on redmine or github, or email me at marcel.poul@bcvsolutions.eu. Also join our google group to keep in touch with CzechIdM news.