Implement unique value generation for MVO/CSO attributes #242

@JayVDZ

Summary

JIM needs the ability to dynamically generate unique values for attributes that are typically owned by IDAM teams rather than source systems like HR. Currently, demo data includes IT-owned attributes in the HR CSV feed that wouldn't realistically come from HR:

  • Email address
  • User Principal Name (UPN)
  • sAMAccountName

These attributes need to be generated by JIM based on business rules, with uniqueness validation against existing values.

Problem Statement

In real-world deployments:

  1. HR systems provide identity data (name, employee ID, department, etc.)
  2. IT/IDAM teams are responsible for generating technical identifiers (email, UPN, sAMAccountName)
  3. These technical identifiers must be unique across the directory
  4. Values often follow patterns like firstname.lastname with numeric suffixes for collisions (e.g., joe.bloggs, joe.bloggs1, joe.bloggs2)

Proposed Solution

Implement an expression system or mechanism that can:

  1. Generate candidate values based on templates/expressions (e.g., {firstName}.{lastName})
  2. Check uniqueness against existing MVOs and/or CSOs
  3. Apply collision handling (e.g., append incrementing numbers)
  4. Only generate when needed (i.e., when source doesn't provide a value)

Implementation Options to Explore

Option 1: Enhanced Expression Functions

Add new expression functions for sync rules:

UniqueValue("{firstName}.{lastName}", "accountName")

This would:

  • Generate the base value from the template
  • Query existing MVOs for the target attribute
  • Append numeric suffix if collision detected
  • Return the unique value

Option 2: Dedicated Unique Value Generator

A separate mechanism/configuration that:

  • Defines templates for specific attributes
  • Specifies uniqueness scope (MVO attribute, CSO attribute, external query)
  • Handles the generation workflow

Option 3: Workflow-Based Generation

If/when JIM has a workflow system:

  • Trigger unique value generation as a workflow step
  • Allow approval/review of generated values
  • Support manual override

Common Patterns to Support

  1. Account Name Generation

    • Template: {firstName}.{lastName}
    • Collision: Append number (joe.bloggs1)
    • Scope: Unique across all MVOs
  2. Email Generation (derived from account name)

    • Template: {accountName}@{domain}
    • Depends on account name being generated first
  3. UPN Generation (derived from account name)

    • Template: {accountName}@{upnSuffix}
    • Depends on account name being generated first

Considerations

  • Sync Rule Dependencies: If using sync rules, need to handle attribute generation order (account name before email)
  • Performance: Uniqueness checks need to be efficient, especially during bulk imports
  • Predictability: Administrators should be able to preview/predict generated values
  • Audit Trail: Track that values were system-generated vs. sourced

Acceptance Criteria

  • Ability to define templates for generating attribute values
  • Uniqueness validation against existing MVOs
  • Collision handling with configurable suffix strategy
  • Conditional generation (only when source value is empty/null)
  • Works with current sync rule system
  • Documented approach for common patterns (account name, email, UPN)

Related

This will enable removal of IT-owned attributes from demo HR CSV data, making the demo more realistic.
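
The generation flow requested above (template, uniqueness check, numeric suffix on collision, generate only when the source is empty, email/UPN derived afterwards), as an added example that is not part of the original issue or of JIM's code base. It is written in Python for illustration; the function names, the dict-shaped HR row, the in-memory `taken` set, the 20-character default and the sample domains are assumptions.

```python
import re
import unicodedata

def clean(value):
    """Reduce a name to lowercase ASCII letters and digits (José -> jose)."""
    ascii_only = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())

def index_existing(values):
    """Case-insensitive lookup set built from values already in use (assumed in memory)."""
    return {v.casefold() for v in values}

def unique_value(template, attrs, taken, max_len=20):
    """Render the template, then try suffixes 1, 2, ... until the value is free; reserve it."""
    base = re.sub(r"\{(\w+)\}", lambda m: clean(attrs[m.group(1)]), template)
    if not base.strip("."):
        raise ValueError("template rendered to an empty value; needs manual input")
    n = 0
    while True:
        suffix = str(n) if n else ""
        # Truncate the base, not the suffix, so a long name still gets a distinct number.
        candidate = base[: max_len - len(suffix)].rstrip(".") + suffix
        if candidate.casefold() not in taken:
            taken.add(candidate.casefold())  # reserve now: covers duplicates in one batch
            return candidate
        n += 1

def provision(hr_row, taken, domain, upn_suffix):
    """Generate accountName only when the source gives none, then derive email and UPN."""
    sourced = (hr_row.get("accountName") or "").strip()
    if sourced:
        account = sourced
        taken.add(account.casefold())
    else:
        account = unique_value("{firstName}.{lastName}", hr_row, taken)
    return {
        "accountName": account,
        "email": f"{account}@{domain}",
        "upn": f"{account}@{upn_suffix}",
        "generated": not sourced,  # audit flag: system-generated vs. sourced
    }

if __name__ == "__main__":
    # Constructed sample data: two values already exist in the directory.
    taken = index_existing(["Joe.Bloggs", "joe.bloggs1"])
    rows = [{"firstName": "Joe", "lastName": "Bloggs"}, {"firstName": "JOE", "lastName": "Bloggs"}]
    for row in rows:
        print(provision(row, taken, "example.com", "corp.example.com"))
```

Reserving the value inside `unique_value` only protects a single process; with concurrent imports the same guarantee has to come from the data store, for example a unique constraint on the normalised value.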


Labels: design (Something needs designing/thinking about), enhancement (New feature or request), synchronisation (Concerning the synchronisation of data between JIM and connected systems)
