2 Replies Latest reply: Mar 28, 2013 1:12 PM by tk RSS

    Populating Role Lookups via ICF

    Mike U

      I'm wondering if there is a way to have more control over the way role lookups are populated via an ICF connector. I've been following the offical training labs, and running the recon results in lookup values like

      Code // Decode
      22~Administrator // ITResource~Administrator
      22~Cashier // ITResource~Cashier

      These are rather useless for my case. First of all, what on earth is that "22"? What is the point? It's added by ICF, having nothing to do with the endpoint, so now when the connector parses a role it has to strip the first part off to get the actual value that it returned in the first place.

      Second, our endpoint maps keys to roles, so 1 = Admin, 2 = Cashier, etc. To add a user to the cashier role, we must send the value "2", not "cashier". So, we can modify the recon to return these key values, which would give

      Code // Decode
      22~1 // ITResource~1
      22~2 // ITResource~2

      Still not useful, as the decode value should be a human-readable description (this is what appears in the child form in the UI). What we want to do is end up with the following:

      Code // Decode
      1 // Administrator
      2 // Cashier

      That is, get rid of the 22~ and ITResource~ and end up with an actual map so that we can send the appropriate value (1, 2) as well as display the appropriate value to the user (Admin, Cashier).

      I've toyed around with how I build my connector object to pass to the results handler, but with no luck. ICF demands an attribute named "Role" (defined in the AttrMap lookups) with a value, and setting the UID or Name of the connector object seems to have no effect.

      Can anyone shed any light on this? ICF is mostly pretty great for provisioning, but it has seriously limits your freedom in many ways.

        • 1. Re: Populating Role Lookups via ICF
          Mike U
          Ok, I figured out part of my answer.

          To achieve the key/value mapping in the lookup, the scheduled task has parameters for the code and decode attribute names. I can then build a connector object with these values. Not sure how I missed this, but since I also locked my keys in my car this morning I'm gonna guess it's just because today is not my day.

          I am still wondering if it is possible to strip out the prefixes added by OIM/ICF.
          • 2. Re: Populating Role Lookups via ICF
            Hi Mike,

            The stripping is currently not possible. The reason for having prefixes is that you might have multiple IT Resources which can reconcile the values into the same lookup. So the IT Resouce Key and IT Resource Name are used to identify the values. Unfortunatelly there is no other way to handle this now.