Using idm.query to create e-mail for new users

Hello everyone!
I’m new to ForgeRock products and I’m currently studying ForgeRock IDM, using the 7.5.0 version. I’m trying to make a function to create the workforce e-mail for new users. My idea is to use openidm.query in the Attribute Mapping of the HR Connector and verify whether the e-mail was already used; if so, it must go to the next creation rule. However, the log shows the following error:

Caused by: org.forgerock.openidm.script.ScriptThrownException: [object Object] {code=403, detail={result=false, failedPolicyRequirements=[{policyRequirements=[{params={invalidType=null, validTypes=[string]}, policyRequirement=VALID_TYPE}], property=mail}]}, message=Policy validation failed}

The script I’m working on is currently as:

const emailDomain = "@xpto.com";
const userFullName = source.fullname;
const userFullNameNormalized = userFullName
  .toString()
  .toLowerCase()
  .normalize("NFD")
  .replace(/[^a-zA-Z\s]/g, "");

const userFullNameSplitted = userFullNameNormalized.split(" ");
const userFullNamePrePop = userFullNameSplitted.slice();
const userFullNameAfterPop = userFullNamePrePop.pop();

const firstName = userFullNameSplitted[0];
const secondName = userFullNameSplitted[1];
const lastName = userFullNameAfterPop;

// Email Options
const firstEmail = firstName + "." + lastName + emailDomain;
const secondEmail = firstName + "." + secondName + emailDomain;
const thirdEmail = firstName[0] + "." + lastName + emailDomain;
const fourthEmail = firstName[0] + secondName[0] + "." + lastName + emailDomain;
const fifthEmail = lastName + firstName[0] + lastName[0] + emailDomain;

// Queries
var queryFirstEmailParams = { _queryFilter: '/mail eq "' + firstEmail + '"' };
var queryFirstEmailResult = openidm.query(
  "/managed/user",
  queryFirstEmailParams,
  ["*"]
);

if (queryFirstEmailResult.resultCount === 0) {
  mail = firstEmail;
} else {
  mail = secondEmail;
}

I believe the issue is around how the email options are being assigned to the mail, but I’m still learning this product.

Any tips on how to troubleshoot it or on what I’m doing wrong?

Thank you.

So the error you are receiving looks like a policy evaluation error, specifically it looks like you are attempting to provide a null value for the mail property, presumably when creating the object for the HR Connector (what connector is this? That may become a relevant part of troubleshooting here).

The script you shared only has a couple of issues that stand out to me:

  1. The resource name (first argument in openidm.query) should be "managed/user" (notice the absence of a leading slash)
  2. Not sure how much of an impact it would have, but I typically see _queryFilter enclosed in quotes, like { '_queryFilter': '/mail eq "' + firstEmail + '"' };

I don’t think either of those are causing the issue you are seeing though, as neither (as far as I can tell) should result in the policy validation error you are seeing. Can you share how you have the attribute mapping defined? The error message is telling me that either through logic in the script or through your attribute mapping, you are ending up with a null value for mail when the connector configuration wants a string.

One test you may want to do (if you haven’t already) is to execute the query you’ve got here via the REST API, using Postman or curl. I’d log out the actual value of queryFirstEmailParams and use that as a query on the managed/user object to see what sort of response you get.

1 Like

@mwtech, thank you for your collaboration.

With the topics you brought up I was able to make the mapping for the mail. The problem was the extra slash in /managed/user; with managed/user it worked as intended.

I tested whether enclosing the _queryFilter in quotes had any impact, but I didn’t see any difference without them. I will keep this on my radar for the future.

The connector is a Database Table Connector; it’s being used to integrate the PostgreSQL database in the HR application I developed for testing IDM solutions. The attribute mapping is defined in a Transformation Script in the Target mail attribute, all of it in the Tab Properties → Attributes Grid. The screenshot below will probably make it easier to understand:

Thanks for helping me out! :grinning:

1 Like
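
The selection logic discussed in this thread, as an added example that is not code from any of the posters or from ForgeRock: it tries each e-mail rule in order against managed/user (no leading slash), skips rules that need a middle name when there is none, and never hands back an empty value for mail. The function names, the injected `query` parameter and the `fakeQuery` stand-in are assumptions made so the logic runs outside IDM; inside a transformation script you would pass `openidm.query` and `source.fullname`.

```javascript
// Added example. In IDM, pass openidm.query as `query`; it is injected here so the logic runs offline.
const EMAIL_DOMAIN = "@xpto.com"; // domain used in the thread

// Lower-case, strip accents and every non-letter, split on whitespace.
function nameParts(fullName) {
  if (fullName === null || fullName === undefined) return [];
  return String(fullName).toLowerCase().normalize("NFD")
    .replace(/[^a-z\s]/g, "")
    .split(/\s+/)
    .filter(function (p) { return p.length > 0; });
}

// Candidates in the thread's order. Rules that need a middle name are
// skipped when there is none, so "undefined" never ends up in an address.
function emailCandidates(fullName) {
  const parts = nameParts(fullName);
  if (parts.length < 2) return [];
  const first = parts[0];
  const last = parts[parts.length - 1];
  const second = parts.length > 2 ? parts[1] : null;
  const locals = [first + "." + last];
  if (second) locals.push(first + "." + second);
  locals.push(first[0] + "." + last);
  if (second) locals.push(first[0] + second[0] + "." + last);
  locals.push(last + first[0] + last[0]);
  return locals.map(function (l) { return l + EMAIL_DOMAIN; });
}

// Returns the first candidate with no match in managed/user (no leading slash).
// Candidates contain only [a-z.@], so they cannot break out of the quoted filter value.
// Throws rather than returning null/undefined, so an unset mail never reaches the target.
function pickEmail(fullName, query) {
  const candidates = emailCandidates(fullName);
  for (let i = 0; i < candidates.length; i++) {
    const params = { _queryFilter: '/mail eq "' + candidates[i] + '"' };
    if (query("managed/user", params, ["mail"]).resultCount === 0) return candidates[i];
  }
  throw new Error("no free e-mail candidate for this user");
}

// Constructed stand-in for openidm.query: answers from an in-memory list of taken addresses.
function fakeQuery(taken) {
  return function (resource, params) {
    const hits = taken.filter(function (m) { return params._queryFilter === '/mail eq "' + m + '"'; });
    return { result: hits, resultCount: hits.length };
  };
}
```
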