Transformation scripts

Suppose you have connected a managed system or source system to CzechIdM and prepared synchronization or provisioning for it, e.g. with identity attribute mappings. You may then have several attributes whose format differs between the source and the managed system. For example, you want to fill Active Directory's attribute displayName, which has the format <firstName + lastName>. For scripts, we currently use the Groovy language.

displayName example

From the HR system, you provide firstName and lastName to CzechIdM as separate attributes, as is common. Now you want to write a transformation script that fills displayName from these 2 attributes.

  1. First of all, you must have the attribute displayName defined in the provisioning mapping. In the detail of the attribute mapping, you do not fill in the IdM Key, since the transformation from multiple attributes will be used instead.
  2. At the bottom of the detail page, you can see two boxes where you can write your transformation scripts. The first box serves as a transformation from the system, i.e. it transforms the attribute value from the connected system to CzechIdM. That is not our case now; we want only the provisioning transformation. The second box serves as a transformation from CzechIdM to the connected system. That is where we will place our script.

To fill the attribute from 2 entity (identity in our case) attributes, use this piece of code:

entity.firstName + " " + entity.lastName

In this way you can define basic transformation scripts that do not need any additional privileges to run.
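The one-liner above writes the literal text "null" into displayName when the HR system leaves one of the names empty. The following added example (not CzechIdM's own code) is a null-safe variant; the closure name buildDisplayName, the MAX_LEN limit and the map standing in for entity are assumptions made for illustration, and it is assumed that the script sandbox permits these basic String and List operations.

```groovy
// Added example. In the transformation box `entity` is supplied by CzechIdM;
// the map below is a constructed stand-in so the script runs with plain `groovy`.
def entity = [firstName: '  Jan ', lastName: null]   // constructed sample identity

// Assumption: maximum length accepted by the target attribute (AD displayName).
final int MAX_LEN = 256

// Hypothetical helper: joins the non-empty name parts with a single space.
def buildDisplayName = { first, last ->
    // Drop null parts, trim and collapse inner whitespace, then drop blanks.
    def present = [first, last].findAll { it != null }
    def cleaned = present.collect { it.toString().trim().replaceAll(/\s+/, ' ') }
    def parts = cleaned.findAll { !it.isEmpty() }
    if (parts.isEmpty()) {
        return null   // no usable name: return no value, not the text "null null"
    }
    def name = parts.join(' ')
    // Cut to the attribute limit; trim again in case the cut ends on a space.
    return name.length() > MAX_LEN ? name.substring(0, MAX_LEN).trim() : name
}

// The plain concatenation from the page, for comparison.
def naive = { e -> e.firstName + " " + e.lastName }

// Groovy renders a null operand of string concatenation as "null".
assert naive([firstName: null, lastName: 'Novak']) == 'null Novak'

// The null-safe variant on constructed inputs.
assert buildDisplayName('Jan', 'Novak') == 'Jan Novak'
assert buildDisplayName(null, 'Novak') == 'Novak'
assert buildDisplayName('  Jan ', '   ') == 'Jan'
assert buildDisplayName('Jan  Maria', ' Novak') == 'Jan Maria Novak'
assert buildDisplayName(null, null) == null
assert buildDisplayName('A' * 300, 'B').length() == MAX_LEN

// Last expression = the value the transformation returns to the connected system.
buildDisplayName(entity.firstName, entity.lastName)
```

In the transformation box, keep only the MAX_LEN constant, the closure and the last line; the sample entity and the assertions exist so the behaviour can be checked outside CzechIdM.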

The scripts definition library

There is another convenient way to use transformation scripts. You can define your script in CzechIdM via the menu Settings → Script definition. There you can see the list of all available scripts (not only transformation ones). If you click on the Add button, you can add your own script definition to the CzechIdM script library.

Add a script to the library

Fill the following fields:

Script authorities

In this table, you specify what authorizations on data you give to the script. There are some basic rules that every script has by default, e.g. getting attributes and their values from the entity. Other rules must be added if you want to access other entities, such as Roles or Organizations, from a script that is used in Identities synchronization. Another common use case is that you want to use some non-basic Java classes or methods. Again, you have to give your script a specific authorization to use the class.

Using a library script

The script is then available in synchronization and provisioning mapping in attribute detail.

To use it, click on the green insert script button in the upper right corner of the transformation box.

A new window then opens, where you can list the available scripts.

When you select the desired one, click on the Select button. The script is then referenced/called from the attribute mapping transformation box in the right format.

Script as a file

In fact, all default scripts that are available in the GUI after CzechIdM installation were loaded into the application during its previous start. They are in XML format, and each file incorporates the script body (Groovy), the script privileges and its purpose. So if you want to track changes to your scripts, e.g. with git, this is the best way.