Data Rules Reference to Customize and Transform Identity and Account Attributes

You can add rules to customize or transform identity and account attributes. These rules are written in JavaScript.

Objects

Attribute values for an outbound data transformation can be derived from the following objects:

Table - Objects (Outbound)

Object Name	Purpose	Example
requestAttributes	Provisioning request Attribute Object. These attributes are available when provisioning is via policy based, access bundle request, role based, or direct methods.	`requestAttributes.get('name')`
user	User Object. Use required getter on this to access any member.	`user.getName().getGivenName(), user.getUserName()`
application	Resource Object. Use required getter on this to access any member.	`application.getDisplayName()`

Attribute value for an inbound data transformation can be derived from the following objects:

Table - Objects (Inbound)

Object Name	Purpose	Example
user	User Object. Use required getter on this to access any member for Source of Identity.	`user.getName().getGivenName(), user.getUserName()`
account	Account Object. Use required getter on this to access any member for Manage Permissions.	`account.getDisplayName()`

Best Practices to Transform or Customize Identity and Account Attributes

Here are a few best practices and recommendations to consider:

You can transform or customize identity and account attributes for Inbound data ingested from Authoritative Sources or Managed Systems. However, you can only transform identity (user) attributes for Outbound Data.
Always perform a NULL check in rules for extracted values before using them otherwise it can lead to ingestion cycle failures on NULL references. This has to be done for both, user attributes object in Authoritative Sources and account attributes object in Managed Systems for inbound transformations.
You cannot directly transform or assign value to attributes having array object data type, i.e. attributes returning a list of values, such as emails, photos, and addresses, but you can use them to modify/manipulate other user or account attributes. For example, to set the country value as the default value for the attribute location if a location is null, use:
```
user.getLocation() !=null  ? user.getLocation() : user.getAddresses()[0].getCountry()
    
```

Related Topics

Exploring Identity Orchestration Components

Authoritative Source Identity Object Attributes for Outbound Transformation

You can modify or alter the outbound data by applying data transformation rules to the data available or provisioned into the Orchestrated system. Here's a list of identity (user) attributes available for use in outbound data transformations.

Syntax to Fetch Identity Attributes for Outbound Data

These details can be fetched using the syntax:

get<FieldName>()

Example - Retrieve the user's given name

user.getName().getGivenName()

Table - Identity (User) Object Attributes for Outbound Data

Attribute	Sub Attribute	Data Type	Syntax
name		Reference	`user.getName()`
	formatted	String	`user.getName().getFormatted()`
	familyName	String	`user.getName().getFamilyName()`
	givenName	String	`user.getName().getGivenName()`
	middleName	String	`user.getName().getMiddleName()`
	honorificPrefix	String	`user.getName().getHonorificPrefix()`
	honorificSuffix	String	`user.getName().getHonorificSuffix()`
userName		String	`user.getUserName()`
displayName		String	`user.getDisplayName()`
description		String	`user.getDescription()`
primaryEmail		String	`user.getPrimaryEmail()`
userType		String	`user.getUserType()`
title		String	`user.getTitle()`
employeeNumber		String	`user.getEmployeeNumber()`
organization		Reference	`user.getOrganization()`
	value	String	`user.getOrganization().getValue()`
	ref	String	`user.getOrganization().getRef()`
	displayName	String	`user.getOrganization().getDisplayName()`
	resourceType	String	`user.getOrganization().getResourceType()`
department		String	`user.getDepartment()`
manager		Reference	`user.getManager()`
	value	String	`user.getManager().getValue()`
	ref	String	`user.getManager().getRef()`
	displayName	String	`user.getManager().getDisplayName()`
	resourceType	String	`user.getManager().getResourceType()`
status		String	`user.getStatus()`
jobCode		String	`user.getJobCode()`
state		String	`user.getState()`
risk		String	`user.getRisk()`
location		String	`user.getLocation()`
emails		List of Email	`emails = user.getEmails() email = user.getEmails() != null ? user.getEmails().get(0) : null`
	pendingVerificationData	String	`email.getPendingVerificationData()`
	primary	Boolean	`email.getPrimary()`
	secondary	Boolean	`email.getSecondary()`
	type	String	`email.getType()`
	value	String	`email.getValue()`
	verified	Boolean	`email.getVerified()`
addresses		List of Address	`addresses = user.getAddresses(); address = user.getAddresses() != null? user.getAddresses().get(0) : null`
	country	String	`address.getCountry()`
	formatted	String	`address.getFormatted()`
	locality	String	`address.getLocality()`
	postalCode	String	`address.getPostalCode()`
	primary	Boolean	`address.isPrimary()`
	region	String	`address.getRegion()`
	streetAddress	String	`address.getStreetAddress()`
	type	String	`address.getType()`
phoneNumbers		List of PhoneNumber	`phoneNumbers = user.getPhoneNumbers(); phoneNumber = user.getPhoneNumbers() != null? user.getPhoneNumbers().get(0) : null;`
	display	String	`phoneNumber.getDisplay()`
	primary	Boolean	`phoneNumber.isPrimary()`
	type	String	`phoneNumber.getType()`
	value	String	`phoneNumber.getValue()`
		Boolean	`phoneNumber.isVerified()`

Authoritative Source Identity Object Attributes for Inbound Transformation and Identity Attributes Customization

You can modify or alter the incoming data by applying data transformation rules during the data ingestion phase into the Orchestrated system. You can use the same set of attributes to customize composite identity profile constructed in Oracle Access Governance by transforming identity attributes.

Syntax to Fetch Identity Attributes for Inbound Data

The attribute details can be fetched using the syntax:

get<FieldName>()

Example - Retrieve the user's given name

user.getName().getGivenName()

Table - Authoritative Source Identity Attributes for Inbound Data

Attribute	Sub Attribute	Data Type	Syntax
fullName (for OIG/ICF)		Reference	`user.getFullName()`
	formatted	String	`user.getFullName().getFormatted()`
	familyName	String	`user.getFullName().getFamilyName()`
	givenName	String	`user.getFullName().getGivenName()`
	middleName	String	`user.getFullName().getMiddleName()`
	honorificPrefix	String	`user.getFullName().getHonorificPrefix()`
	honorificSuffix	String	`user.getFullName().getHonorificSuffix()`
name (for OCI)		Reference	`user.getName()`
	formatted	String	`user.getName().getFormatted()`
	familyName	String	`user.getName().getFamilyName()`
	givenName	String	`user.getName().getGivenName()`
	middleName	String	`user.getName().getMiddleName()`
	honorificPrefix	String	`user.getName().getHonorificPrefix()`
	honorificSuffix	String	`user.getName().getHonorificSuffix()`
userName		String	`user.getUserName()`
displayName		String	`user.getDisplayName()`
description		String	`user.getDescription()`
primaryEmail		String	`user.getPrimaryEmail()`
userType		String	`user.getUserType()`
title		String	`user.getTitle()`
employeeNumber		String	`user.getEmployeeNumber()`
organization		Reference	`user.getOrganization()`
	value	String	`user.getOrganization().getValue()`
	ref	String	`user.getOrganization().getRef()`
	displayName	String	`user.getOrganization().getDisplayName()`
	resourceType	String	`user.getOrganization().getResourceType()`
department		String	`user.getDepartment()`
manager		Reference	`user.getManager()`
	value	String	`user.getManager().getValue()`
	ref	String	`user.getManager().getRef()`
	displayName	String	`user.getManager().getDisplayName()`
	resourceType	String	`user.getManager().getResourceType()`
status		String	`user.getStatus()`
jobCode		String	`user.getJobCode()`
state		String	`user.getState()`
risk		String	`user.getRisk()`
location		String	`user.getLocation()`
compartmentId		String	`user.getCompartmentId()`
domainId		String	`user.getDomainId()`
domainOCID		String	`user.getDomainOCID()`
region		String	`user.getRegion()`
emails		List of Email	`emails = user.getEmails()`
	pendingVerificationData	String	`user.getEmails()[0].getPendingVerificationData()`
	primary	Boolean	`user.getEmails()[0].getPrimary()`
	secondary	Boolean	`user.getEmails()[0].getSecondary()`
	type	String	`user.getEmails()[0].getType()`
	value	String	`user.getEmails()[0].getValue()`
	verified	Boolean	`user.getEmails()[0].getVerified()`
addresses		List of Address	`addresses = user.getAddresses();`
	country	String	`user.getAddresses()[0].getCountry()`
	formatted	String	`user.getAddresses()[0].getFormatted()`
	locality	String	`user.getAddresses()[0].getLocality()`
	postalCode	String	`user.getAddresses()[0].getPostalCode()`
	primary	Boolean	`user.getAddresses()[0].isPrimary()`
	region	String	`user.getAddresses()[0].getRegion()`
	streetAddress	String	`user.getAddresses()[0].getStreetAddress()`
	type	String	`user.getAddresses()[0].getType()`
phoneNumbers		List of PhoneNumber	`phoneNumbers = user.getPhoneNumbers();`
	display	String	`user.getPhoneNumbers()[0].getDisplay()`
	primary	Boolean	`user.getPhoneNumbers()[0].isPrimary()`
	type	String	`user.getPhoneNumbers()[0].getType()`
	value	String	`user.getPhoneNumbers()[0].getValue()`
		Boolean	`user.getPhoneNumbers()[0].isVerified()`
photos		List of photos	`photos = user.getPhotos();`
	display	String	`user.getPhotos()[0].getDisplay()`
	primary	Boolean	`user.getPhotos()[0].isPrimary()`
	type	String	`user.getPhotos()[0].getType()`
	value	String	`user.getPhotos()[0].getValue()`
ims		List of ims	`ims = user.getIms();`
	display	String	`user.getIms()[0].getDisplay()`
	primary	Boolean	`user.getIms()[0].isPrimary()`
	type	String	`user.getIms()[0].getType()`
	value	String	`user.getIms()[0].getValue()`

Managed Systems Account Object Attributes for Inbound Transformation

You can modify or alter the incoming account attribute data by applying data transformation rules during the data ingestion phase into the Orchestrated system.

Syntax to Fetch Account Attributes for Inbound Data Transformation

The attribute details can be fetched using the syntax:

get<FieldName>()

Example - Retrieve the user's given name

account.getName().getGivenName()

Table - Managed Systems Account Attributes for the Inbound Data Transformation

Attribute	Sub Attribute	Data Type	Syntax
fullName		Reference	`account.getFullName()`
	formatted	String	`account.getFullName().getFormatted()`
	familyName	String	`account.getFullName().getFamilyName()`
	givenName	String	`account.getFullName().getGivenName()`
	middleName	String	`account.getFullName().getMiddleName()`
	honorificPrefix	String	`account.getFullName().getHonorificPrefix()`
	honorificSuffix	String	`account.getFullName().getHonorificSuffix()`
userName		String	`account.getUserName()`
displayName		String	`account.getDisplayName()`
description		String	`account.getDescription()`
primaryEmail		String	`account.getPrimaryEmail()`
userType		String	`account.getUserType()`
title		String	`account.getTitle()`
status		String	`account.getStatus()`
accountType		String	`account.getAccountType()`
provisionedByMechanism		String	`account.getProvisionedByMechanism()`
provisionedOnDate		String	`account.getProvisionedOnDate()`
resourceName		String	`account.getResourceName()`
startDate		Long	`account.getStartDate()`
name		String	`account.getName()`
userLogin		String	`account.getUserLogin()`
resourcesId		String	`account.getResourcesId()`
compartmentId		String	`account.getCompartmentId()`
domainId		String	`account.getDomainId()`
domainOCID		String	`account.getDomainOCID()`
region		String	`account.getRegion()`
emails		List of Email	`emails = account.getEmails()`
	pendingVerificationData	String	`account.getEmails()[0].getPendingVerificationData()`
	primary	Boolean	`account.getEmails()[0].getPrimary()`
	secondary	Boolean	`account.getEmails()[0].getSecondary()`
	type	String	`account.getEmails()[0].getType()`
	value	String	`account.getEmails()[0].getValue()`
	verified	Boolean	`account.getEmails()[0].getVerified()`
addresses		List of Address	`addresses = account.getAddresses();`
	country	String	`account.getAddresses()[0].getCountry()`
	formatted	String	`account.getAddresses()[0].getFormatted()`
	locality	String	`account.getAddresses()[0].getLocality()`
	postalCode	String	`account.getAddresses()[0].getPostalCode()`
	primary	Boolean	`account.getAddresses()[0].isPrimary()`
	region	String	`account.getAddresses()[0].getRegion()`
	streetAddress	String	`account.getAddresses()[0].getStreetAddress()`
	type	String	`account.getAddresses()[0].getType()`
phoneNumbers		List of PhoneNumber	`phoneNumbers = account.getPhoneNumbers()`
	display	String	`account.getPhoneNumbers()[0].getDisplay()`
	primary	Boolean	`account.getPhoneNumbers()[0].isPrimary()`
	type	String	`account.getPhoneNumbers()[0].getType()`
	value	String	`account.getPhoneNumbers()[0].getValue()`
		Boolean	`account.getPhoneNumbers()[0].isVerified()`
photos		List of photos	`photos = account.getPhotos()`
	display	String	`account.getPhotos()[0].getDisplay()`
	primary	Boolean	`account.getPhotos()[0].isPrimary()`
	type	String	`account.getPhotos()[0].getType()`
	value	String	`account.getPhotos()[0].getValue()`
ims		List of ims	`ims = account.getIms()`
	display	String	`account.getIms()[0].getDisplay()`
	primary	Boolean	`account.getIms()[0].isPrimary()`
	type	String	`account.getIms()[0].getType()`
	value	String	`account.getIms()[0].getValue()`

Custom User and Account Attributes

You can fetch and use custom user or account attributes while applying data transformation rules for inbound data transformations. Outbound data transformations allow for fetching custom user attributes only.

User Custom Attribute

Oracle Access Governance provides a utility method to fetch the custom attribute of a user for inbound or outbound transformations. To fetch the CUSTOM_ATTRIBUTE_NAME of a user, you would use the following syntax, for example:

if( user.getCustomAttributes() != null ) {user.getCustomAttributes()['CUSTOM_ATTRIBUTE_NAME'] }

For example, for a custom attribute called Tags:

if( user.getCustomAttributes() != null ) {user.getCustomAttributes()['Tags'] }

Account Custom Attribute

Oracle Access Governance provides a utility method to fetch the custom attribute of an account for inbound transformations only. To fetch the CUSTOM_ATTRIBUTE_NAME of an account, you would use the following syntax, for example:

if(account.getCustomAttributes() != null) {account.getCustomAttributes()['CUSTOM_ATTRIBUTE_NAME'] }

For example, for a custom attribute called Tags:

if(account.getCustomAttributes() != null) {account.getCustomAttributes()['Tags'] }

Examples for Outbound Data Transformation

Here are a few sample mapping rules and uses cases while applying outbound data transformations in Oracle Access Governance.

Table - Sample Mapping Rules

Usecase	Sample Rule
Fixed string value	`'SampleValue'`
Get user	Allows you to get the user keyed on the global identity id. This utility returns the user object from which you can then obtain other attributes. `transformationUtil.getUser(agcs_tenant_id, 'global_identity_id')` For example: `let user = transformationUtil.getUser(agcs_tenant_id, 'global_identity_id'); if(user != null ) { let username = user.getUserName(); }`
User attribute	`user.getName().getGivenName()` Note: You must perform a null check before using such operations as the value can be null.
Date attribute	`new Date().getTime();` For example, to set the date to 31st Jan 2024: `new Date(2024,00,31).getTime();`
Application attribute	`application.getDisplayName()` Note: You must perform a null check before using such operations as the value can be null.
Request attribute	`requestAttributes.get('organizationName').get(0)` Note: You must perform a null check before using such operations as the value can be null. The 'requestAttributes.get(attrName)' always returns an array, so we need to do a get(i) to fetch the specific value
Set value to the combination of 2 user attributes	`user.getName().getGivenName() + ' ' + user.getName().getFamilyName()` or: `[ user.getName().getGivenName(),user.getName().getMiddleName() , user.getName().getFamilyName()].join(' ')`
Set the value to another attribute if the input value is null (if organization is null then set to a fixed value)	`user.getOrganization() != null && user.getOrganization().getDisplayName() != null ? user.getOrganization().getDisplayName() : 'DefaultOrganization'`
Get code and decode value of a target lookup	`transformationUtil.getLookupCode(agcs_tenant_id, agcs_target_id, 'countries', user.getAddresses().get(0).getCountry())` `transformationUtil.getLookupDecode(agcs_tenant_id, agcs_target_id, 'countries', user.getAddresses().get(0).getCountry())`
Get code and decode value of a global lookup	`transformationUtil.getGlobalLookupCode(agcs_tenant_id, 'countries', user.getAddresses().get(0).getCountry())` `transformationUtil.getGlobalLookupDecode(agcs_tenant_id, 'countries', user.getAddresses().get(0).getCountry())`
Check if the User has Direct Reportee(s)	Check if the user has any direct reportees. This utility returns `TRUE` if the user has one or more reportees, otherwise it returns `FALSE`. For example: `transformationUtil.hasDirectReportees(agcs_tenant_id,'global_identity_id')` .

Examples for Inbound Data Transformation and Identity Attributes

Here are a few sample mapping rules and uses cases while applying inbound data transformations or applying transformations on the composite identity profile in Oracle Access Governance.

Note:

As a best practice, we recommend to always perform a NULL check in rules for extracted values before using them otherwise it can lead to ingestion cycle failures on NULL references. This has to be done for both, user attributes object in Authoritative Sources and account attributes object in Managed Systems for inbound transformations.

Sample Mapping Rules for Authoritative Sources

Here are a few mapping rule expressions along with input value or output value for the identity (user) object attributes.

Target attribute	Type of attribute	Target attribute data type	Aim of mapping rule	Mapping rule expression	Value input	Value output
userName	DEFAULTS	String	Concatenate userName & displayName and set this value in userName attribute	`user.getUserName().concat('-',user.getDisplayName())`	userName=mark.hill displayName=Mark Hill	mark.hill-Mark Hill
userName	DEFAULTS	String	If userName is not null, then convert userName to upperCase and set in userName attribute	`if(user.getUserName()!=null) {user.getUserName().toUpperCase() }`	userName=mark.hill	MARK.HILL
jobDescription	CUSTOM	String	LowerCase the value of description and set it in custom attribute, jobDescription	`user.getDescription().toLowerCase()`	description = SoftwareDeveloper1	jobDescription = softwaredeveloper1
status	DEFAULTS	Boolean	If status is null set it to true else alternate the value.	`user.getStatus()==null ? true : !user.getStatus()`	status = true	false
risk	DEFAULTS	Integer	If risk is null set 20, else increase risk by 15	`user.getRisk() == null ? 20 : user.getRisk() + 15`	risk = 30 risk = null	45 20
description	DEFAULTS	String	Get startDate of type long, convert it into Date and then set it as a String to the description attribute.	`new Date(user.getStartDate()).toISOString()`	startDate = 1703442600000	2023-12-25T07:55:46.061Z
provisionedOnDate	DEFAULTS	Date	Get validFromDate (long), convert to date, then set provisionedOnDate rounded to 1st of next month.	`const currentDate = new Date(user.getValidFromDate()); new Date(currentDate.getFullYear(), currentDate.getMonth() + 1, 1).getTime();`	validFromDate = 1703442600000	provisionedOnDate = 1704047400000
provisionedFromDate	DEFAULTS	Date	Input type string. Output type date.	new Date(user.getValidFromDate()).toISOString()	validFromDate = 1703442600000 input = 2023-12-24T18:30:00.000Z	provisionedFromDate = 1703422800000

Sample Mapping Rules for Managed Systems

Here are a few mapping rule expressions along with input value or output value for the account object attributes.

Table - Sample Mapping Rules for Managing Permissions

Target attribute	Type of attribute	Target attribute data type	Aim of mapping rule	Mapping rule expression	Value input	Value output
displayName	DEFAULTS	String	If displayName is not null then set upper case value to displayName.	`if(account.getDisplayName()!=null) {account.getDisplayName().toUpperCase() }`	displayName = Mark Hill	MARK HILL
primaryEmail	DEFAULTS	String	Concatenate userLogin & "@myexample.com" and set in primaryEmail.	`account.getUserLogin().concat('@myexample.com')`	userLogin = mark.hill	mark.hill@myexample.com
jobDescription	CUSTOM	String	LowerCase the value of description and set it in custom attributes jobDescription.	`if(account.getDescription()!=null) { account.getDescription().toLowerCase() }`	description = SoftwareDeveloper1	jobDescription = softwaredeveloper1
status	DEFAULTS	Boolean	Example 1: If status is null then set it to true else alternate the value.	`account.getStatus()==null ? true : !account.getStatus()`	status = true	false
			Example 2: Set status to false.	`false`	status = null/true/false	false
risk	DEFAULTS	Integer	If risk is null then set to 20, else increase risk by 15.	`account.getRisk() == null ? 20 : account.getRisk() + 15`	risk = 30 risk = null	45 20
riskSummary	DEFAULTS	Long	If riskSummary is null set to 1234, else increase risk by 70.	`account.getRiskSummary() == null ? 1234 : account.getRiskSummary() + 70`	riskSummary = 30 riskSummary = null	100 1234

Title and Copyright Information

Oracle and/or its affiliates.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.