Access Request for two different domain

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hello Experts,

I have two domain controllers. I am trying to add a user from the first DC as a member of the second DC's entitlement. I saw the multi-domain white paper, but I am finding it very difficult to implement.

Kindly help with the batch run or advise.

https://community.sailpoint.com/t5/Technical-White-Papers/Integrating-with-Active-Directory-Multi-Do

operation,application,attributeName,attributeValue,nativeIdentity
"AddEntitlement","Active Directory","memberOf","CN=test_group1,OU=MINE Groups,OU=MINE-MINEI ,OU=MINEEE D,DC=MIN,DC=MINEEE,DC=com","CN=Test User1,OU=CTD Users,OU=MINEEE Data,DC=MINEEEctd,DC=com"

Error -

sailpoint.tools.GeneralException: Exception occurred while executing the RPCRequest: Errors returned from IQService. Object reference not set to an instance of an object.
    at sailpoint.connector.RPCService.execute(RPCService.java:540)
    at sailpoint.connector.ADLDAPConnector.handleObjectRequest(ADLDAPConnector.java:6080)
    at sailpoint.connector.ADLDAPConnector.provision(ADLDAPConnector.java:5288)
    at sailpoint.connector.ConnectorProxy.provision(ConnectorProxy.java:1113)
    at sailpoint.integration.ConnectorExecutor.provision(ConnectorExecutor.java:160)
    at sailpoint.provisioning.PlanEvaluator.provision(PlanEvaluator.java:1630)
    at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:956)
    at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:839)
    at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:738)
    at sailpoint.api.Provisioner.execute(Provisioner.java:1732)
    at sailpoint.workflow.IdentityLibrary.provisionProject(IdentityLibrary.java:3199)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sailpoint.server.ScriptletEvaluator.doCall(ScriptletEvaluator.java:134)
    at sailpoint.server.ScriptletEvaluator.evalSource(ScriptletEvaluator.java:63)
    at sailpoint.api.Workflower.evalSource(Workflower.java:5938)
    at sailpoint.api.Workflower.advanceStep(Workflower.java:5177)
    at sailpoint.api.Workflower.advance(Workflower.java:4564)
    at sailpoint.api.Workflower.startCase(Workflower.java:3150)
    at sailpoint.api.Workflower.launchSubcase(Workflower.java:5480)
    at sailpoint.api.Workflower.launchSubcases(Workflower.java:5373)
    at sailpoint.api.Workflower.advanceStep(Workflower.java:5164)
    at sailpoint.api.Workflower.advance(Workflower.java:4564)
    at sailpoint.api.Workflower.startCase(Workflower.java:3150)
    at sailpoint.api.Workflower.launchSubcase(Workflower.java:5480)
    at sailpoint.api.Workflower.launchSubcases(Workflower.java:5373)
    at sailpoint.api.Workflower.advanceStep(Workflower.java:5164)
    at sailpoint.api.Workflower.advance(Workflower.java:4564)
    at sailpoint.api.Workflower.startCase(Workflower.java:3150)
    at sailpoint.api.Workflower.launchSubcase(Workflower.java:5480)
    at sailpoint.api.Workflower.launchSubcases(Workflower.java:5373)
    at sailpoint.api.Workflower.advanceStep(Workflower.java:5164)
    at sailpoint.api.Workflower.advance(Workflower.java:4564)
    at sailpoint.api.Workflower.startCase(Workflower.java:3150)
    at sailpoint.api.Workflower.launchInner(Workflower.java:2819)
    at sailpoint.api.Workflower.launch(Workflower.java:2672)
    at sailpoint.api.Workflower.launchSession(Workflower.java:2542)
    at sailpoint.api.IdentityLifecycler.launchUpdate(IdentityLifecycler.java:144)
    at sailpoint.api.IdentityLifecycler.launchUpdate(IdentityLifecycler.java:164)
    at sailpoint.workflow.BatchRequestLibrary.runWorkflow(BatchRequestLibrary.java:406)
    at sailpoint.workflow.BatchRequestLibrary.launchBatchWorkflows(BatchRequestLibrary.java:365)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sailpoint.server.ScriptletEvaluator.doCall(ScriptletEvaluator.java:134)
    at sailpoint.server.ScriptletEvaluator.evalSource(ScriptletEvaluator.java:63)
    at sailpoint.api.Workflower.evalSource(Workflower.java:5938)
    at sailpoint.api.Workflower.advanceStep(Workflower.java:5177)
    at sailpoint.api.Workflower.advance(Workflower.java:4564)
    at sailpoint.api.Workflower.startCase(Workflower.java:3150)
    at sailpoint.api.Workflower.launchInner(Workflower.java:2819)
    at sailpoint.api.Workflower.launch(Workflower.java:2672)
    at sailpoint.api.Workflower.launchSession(Workflower.java:2542)
    at sailpoint.task.BatchRequestTaskExecutor.runWrapperWorkflow(BatchRequestTaskExecutor.java:533)
    at sailpoint.task.BatchRequestTaskExecutor.execute(BatchRequestTaskExecutor.java:284)
    at sailpoint.api.TaskManager.runSync(TaskManager.java:909)
    at sailpoint.api.TaskManager.runSync(TaskManager.java:724)
    at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

Thanks

Anshu

More details on how the application and entitlements are set up would help. Also, make sure you are setting nativeIdentity in the account request to resolve this error.

Hi Abhishek,

Thanks for the reply. Both DCs are configured independently as AD Direct connectors, with two different IQService connectors.

Thanks
Anshu

Okay, make sure your provisioning plan is correct and the native identity is set for the account request.

If you could share the provisioning plan XML, that would help a lot. The first thing I’d suggest is to check whether you have a separate account request for each AD application; otherwise it might fail. Right now it looks like IQService has a problem with provisioning, which might be because, e.g., the wrong IQService is being used to provision to the domain.

Hi Kamil,

Thanks for the reply. Just to check, I am trying to see if I can add the entitlement using a batch request. I am using only a batch request as of now to see if it works or not.

operation,application,attributeName,attributeValue,nativeIdentity
"AddEntitlement","Active Directory","memberOf","CN=test_group1,OU=MINE Groups,OU=MINE-MINEI ,OU=MINEEE D,DC=MIN,DC=MINEEE,DC=com","CN=Test User1,OU=Users,OU=MINEEE Data,DC=MINEEEctd,DC=com"

Thanks
Anshu

If you go to entitlements catalogue, do you see this group?

Thanks again for the reply. Yes, I can see the group in the entitlement catalogue.
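
A pre-flight check for the batch file discussed in this thread, added here as an example and not posted by any participant: it flags memberOf rows where the account DN (nativeIdentity) and the group DN (attributeValue) sit in different domains while a single application is named. It assumes each Active Directory application serves one domain, as the asker describes; the function names are hypothetical, the first sample row is the one from the thread and the second is constructed.

```python
import csv
import io
import re

# Row 1 is the batch row from the thread; row 2 is constructed for contrast.
SAMPLE = '''operation,application,attributeName,attributeValue,nativeIdentity
"AddEntitlement","Active Directory","memberOf","CN=test_group1,OU=MINE Groups,OU=MINE-MINEI ,OU=MINEEE D,DC=MIN,DC=MINEEE,DC=com","CN=Test User1,OU=CTD Users,OU=MINEEE Data,DC=MINEEEctd,DC=com"
"AddEntitlement","Active Directory","memberOf","CN=test_group2,OU=Groups,DC=MINEEEctd,DC=com","CN=Test User1,OU=CTD Users,OU=MINEEE Data,DC=MINEEEctd,DC=com"
'''


def dn_domain(dn):
    """Return the DNS domain spelled by a DN's DC components, lower-cased."""
    labels = []
    # Split on commas that are not backslash-escaped (RFC 4514 escaping).
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        if attr.strip().lower() == 'dc':
            labels.append(value.strip().lower())
    return '.'.join(labels)


def cross_domain_rows(batch_text):
    """Return (line_no, application, account_domain, group_domain, reason)
    for memberOf rows whose account and group are not in the same domain."""
    findings = []
    reader = csv.DictReader(io.StringIO(batch_text))
    for row in reader:
        if row['attributeName'] != 'memberOf':
            continue
        acct = dn_domain(row['nativeIdentity'])
        grp = dn_domain(row['attributeValue'])
        if not acct or not grp:
            reason = 'DN without DC components'
        elif acct != grp:
            reason = 'cross-domain'
        else:
            continue
        findings.append((reader.line_num, row['application'], acct, grp, reason))
    return findings


if __name__ == '__main__':
    for finding in cross_domain_rows(SAMPLE):
        print(finding)
```

A flagged row means the application named in the row is being asked to act on objects from two domains, which is the case to review against the separate-account-request and IQService advice in the replies.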