Projection Code help, MV extension

All replies

• 

  

  0

  Sign in to vote

  First I like to use parenthesis so that the order of operations is clear (&& gets evaluated before ||). Second if there is a chance of an attribute not being present you should use the IsPresent method along with the short-circuit and operator && to evaluate presence before accessing the attribute.

  Your code presents an ambiguity with order of operations: do you want the groupType to be "Group" only with the first set of conditions or to apply across the board. I am going to assume that you want it to apply across the board. So I added parenthesis to clarify that. I have also added IsPresent on the extension attributes. So now it will first evaluate is the csentry a group if not skip the rest of the tests. Then it will match the regex on samaccountname. If that matches then it checks to see if extensionattribute8 is present. If not it skips the check against the value. If it is present then see if it equals bhold. If so then the whole expression is true, if it isn't true or wasn't present or the samAccountName regex didn't match  then it uses the || (or) to and evaluates the second samAccountName regex, if that matches then it looks to see if extensionAttribute15 is present if not then the whole expression is false and it skips evaluating extensionAttribute15. If it is present then it sees if it is equal to FIMPORTALGroup.

  if( 
   csentry.ObjectType.Equals("group") 
   && 
   (
     (
       Regex.Match(csentry["sAMAccountName"].Value, "SG-.+-Users").Success 
       && 
       ( 
         csentry["extensionAttribute8"].IsPresent
         &&
         csentry["extensionAttribute8"].Value.Equals("bhold")
       )
     )
    ||
    (
      Regex.Match(csentry["sAMAccountName"].Value, "SG-*").Success 
      &&
      (   
        csentry["extensionAttribute15"].IsPresent
        &&
        csentry["extensionAttribute15"].Value.Equals("FIMPORTALGROUP")
      )
    ) 
   ) 
  )
  
  

  
  
  

  ---

  David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

  Saturday, April 25, 2015 4:29 PM
• 

  

  0

  Sign in to vote

  Seems to me you want to project from AD a set of groups that match one of the 2 criteria.  And the rest will be ignored.  In that case, I believe you want this

  //First check if the object is a group or something else, user for instance.

  if (csentry.ObjectType.Equals("group" ) //Is this a group?, YES or NO

  {

      //Now check for the 2 conditions, one or the other.

      if(csentry["sAMAccountName"].IsPresent && csentry["extensionAttribute8"].IsPresent)

      {

        if(Regex.Match(csentry["sAMAccountName"].Value, "SG-.+-Users").Success && csentry["extensionAttribute8"].Value.Equals("bhold")) //First condition that returns true

          {

              MVObjectType = "group";

              returntrue;

          }

      }

      else If (csentry["sAMAccountName"].IsPresent && csentry["extensionAttribute15"].Present )

      {

      if(Regex.Match(csentry["sAMAccountName"].Value, "SG-*").Success && csentry["extensionAttribute15"].Value.Equals("FIMPORTALGROUP")) //Second condition that returns true

          {

              MVObjectType = "group";

              returntrue;

          }

      }

      else

      { //This is a group, but does not fit the criteria

          MVObjectType = "unknown"

      }

  }

  else

  {    //This is not a group

      MVObjectType = "unknown"

  }

  ---

  Nosh Mernacaj, Identity Management Specialist

  Sunday, April 26, 2015 12:22 PM
• 

  

  0

  Sign in to vote

  Nosh,

  Given that the group would have to have a SamAccountName and hence the csentry["sAMAccountName"].IsPresent is not needed you and I have created logically equivalent answers. I just did it in one if statement with multiple conditions and you have it broken into multiple IF statements which is probably more readable.

  ---

  David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

  Friday, May 1, 2015 4:57 AM
• 

  

  0

  Sign in to vote

  David,

  1. Agree with the "no need to check for sAMAccountName". 

  2. Agree in similarities between your version and mine also, but there are some differences.

  -When you have a complex if with many ANDs and ORs, it is harder to debug. Not impossible, but harder.

  -Separating them, decreases the processing time. So if the first condition is FALSE, code never hits the second one.

  -And of course it is easier to read.

  Lastly, there is a matter of personal preference as well.

  Cheers,

  Nosh

  ---

  Nosh Mernacaj, Identity Management Specialist

  Friday, May 1, 2015 2:07 PM
• 

  

  0

  Sign in to vote

  I concede the point on debugging as I already conceded the point on readability but this presents an opportunity to teach a small but critical fact:

       && is a short circuit operator as is ||  (& and | are not short circuit operators).

  Meaning that a && b evaluates a first and only evaluates b if a is true. Or in other words if a is false the code never hits b. Also meaning that a || b evaluates a first only evaluates b if a is false. Or in other words if a is true the code never hits b.

  Therefore the processing time is equal.

  A key reason why the short circuit operators get used is so that you can check for presence and the value of the attribute in the same if statement:

  if (  csentry["extensionAttribute15"].IsPresent       &&
        csentry["extensionAttribute15"].Value.Equals("FIMPORTALGROUP") )
  

  Because of the short circuit if extensionAttribute15 isn't present it won't try to access its value and hence we won't have to worry about an AttributeNotPresentException being thrown. If the & it used rather than && then it would throw the exception if extensionAttribute15 isn't present because then it does evaluate both sides.

  Otherwise we would have to do it like so:

  if (  csentry["extensionAttribute15"].IsPresent     )

  {
       if ( csentry["extensionAttribute15"].Value.Equals("FIMPORTALGROUP") )

      {

       }

  }

  But fortunately, we can use the short circuit operator to check for presence and compare the value of an attribute in the same if statement.
  

  ---

  David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

  • Marked as answer by Russ Lema Wednesday, May 13, 2015 2:05 PM

  Friday, May 1, 2015 3:11 PM
• 

  

  0

  Sign in to vote

  David,

  I will concede the && to you. 
  Thanks for the knowledge sharing. 

  Thank you,

  Nosh

  ---

  Nosh Mernacaj, Identity Management Specialist

  Friday, May 1, 2015 3:42 PM
• 

  

  0

  Sign in to vote

  Thanks all for the help this was able to resolve my issue.

  I appreciate it

  ---

  Russell Lema

  Wednesday, May 13, 2015 2:06 PM