Accessing Identity from Cloud Gateway

Which IIQ version are you inquiring about?

8.4p2

Hi everyone,

I have a web service application going through a web gateway that I'm working on.

I'm trying to run a Before Provisioning rule on that app that starts by getting the identity from the plan:

-> nativeIdentity = plan.getNativeIdentity()

Then I want to get that identity as an Identity object, so I do a simple context.getObjectByName(Identity.class, nativeIdentity).

However, this is always returning null...

Can anyone help me understand what's going on, and a way to bypass that?

Thanks!

Hicham

Hi @bardawilh

Try using
Identity identity = context.getObjectByName(Identity.class, provisioningPlan.getNativeIdentity());

is this returning null as well?

No, I can read the plan and get the native identity, but querying the DB is the issue I think. There must be some way to do it...

Hi @Mostafa_Baraka, tried that, also getting null...

If you are printing the plan and you can see the plan is getting printed, then you say it is throwing null when you do "plan.getNativeIdentity()".

Can you share your Before Provisioning rule here? We can look at it and find why it is throwing a null pointer exception.

So if your nativeIdentity here is not null, then you would need to do context.getObjectByName(Identity.class, nativeIdentity), provided that the nativeIdentity is a username for an identity in your instance.

If it is not a username for an identity, then context.getObjectByName(Identity.class, nativeIdentity) will return null.

So here's my Before rule. Its job is to only delete the account if all entitlements are removed.

The issue here is that after Identity identity = context.getObjectbyName(Identity.class, identityName); we get identity = null.

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Identity;
import sailpoint.object.Application;
import sailpoint.object.Link;
import sailpoint.api.IdentityService;
import sailpoint.tools.Util;
import java.util.*;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;

Log log = LogFactory.getLog("BeforeProvisioning");
Logger.getLogger("BeforeProvisioning").setLevel(Level.DEBUG);

try {
    if (plan == null) return;

    log.info("plan: " + plan.toXml());

    // The plan's nativeIdentity is the IIQ identity name; the lookup below
    // returns null whenever the rule cannot reach the IIQ database.
    String identityName = plan.getNativeIdentity();
    Identity identity = context.getObjectbyName(Identity.class, identityName);

    log.info("Starting BeforeProvisioning Rule for: " + identityName);
    log.info("identity from get context by name is " + identity);

    List accountRequests = plan.getAccountRequests();
    log.info("account request for: " + identityName + " is: " + accountRequests);
    if (accountRequests != null) {
        for (AccountRequest accReq : accountRequests) {
            String appName = accReq.getApplicationName();
            log.info("account request app name: " + appName);

            if (AccountRequest.Operation.Modify.equals(accReq.getOperation())) {

                // Only act on a removal of the roleId entitlement attribute.
                AttributeRequest roleReq = accReq.getAttributeRequest("roleId");
                if (roleReq != null && ProvisioningPlan.Operation.Remove.equals(roleReq.getOp())) {
                    log.info("attribute request is: " + roleReq.toXml());

                    // Get current state from the Link (the account as last aggregated).
                    IdentityService ids = new IdentityService(context);
                    Application app = context.getObjectByName(Application.class, appName);
                    log.info("inside remove operation, application to get link is " + app
                            + ", identity is " + identity
                            + ", account request native identity is " + accReq.getNativeIdentity());

                    // Throws NullPointerException when identity is null.
                    Link link = ids.getLink(identity, app, null, accReq.getNativeIdentity());
                    log.info("link is: " + link);

                    if (link == null) {
                        log.warn("No link found for " + identityName + ". Skipping logic.");
                        continue;
                    }

                    // roleId may be single- or multi-valued on the Link.
                    Object val = link.getAttribute("roleId");
                    List currentRoles = new ArrayList();
                    if (val instanceof List) currentRoles.addAll((List) val);
                    else if (val instanceof String) currentRoles.add(val);

                    log.info("Current roles on Link: " + currentRoles);

                    // Determine what is being removed (single value or list).
                    Object removingVal = roleReq.getValue();
                    List rolesToRemove = new ArrayList();
                    if (removingVal instanceof List) rolesToRemove.addAll((List) removingVal);
                    else if (removingVal instanceof String) rolesToRemove.add(removingVal);

                    // Calculate the delta: what would remain after the removal.
                    currentRoles.removeAll(rolesToRemove);
                    log.info("Remaining roles: " + currentRoles.size());

                    // Nothing left on the account: turn the Modify into a Delete.
                    if (currentRoles.isEmpty()) {
                        log.warn("ZERO roles remain. PIVOTING to DELETE for " + accReq.getNativeIdentity());
                        accReq.setOperation(AccountRequest.Operation.Delete);
                        accReq.setAttributeRequests(null);
                    }
                }
            }
        }
    }
} catch (Exception e) {
    // Note: swallowing the exception lets the original Modify request proceed unchanged.
    log.error("Critical Error in Rule: " + e.getMessage(), e);
}

Here is the catalina log from the web gateway:

2026-01-28T17:34:27,419  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - Starting BeforeProvisioning Rule for: X12345
2026-01-28T17:34:27,419  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - identity from get context by name is null
2026-01-28T17:34:27,420  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - account request for: X12345 is: [sailpoint.object.ProvisioningPlan$AccountRequest@7fe51a57]
2026-01-28T17:34:27,420  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - account request list is: [sailpoint.object.ProvisioningPlan$AccountRequest@7fe51a57]
2026-01-28T17:34:27,420  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - account request app name: AppName (Internal)
2026-01-28T17:34:27,420  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - account request list is: [sailpoint.object.ProvisioningPlan$AccountRequest@7fe51a57]
2026-01-28T17:34:27,420  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - account request app name: AppName(Internal)
2026-01-28T17:34:27,420  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - attribute request is: <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE AttributeRequest PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<AttributeRequest name="roleId" op="Remove" value="69296fa234df7cc139f5a747">
  <Attributes>
    <Map>
      <entry key="assignment" value="true"/>
    </Map>
  </Attributes>
</AttributeRequest>

2026-01-28T17:34:27,421  INFO https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - inside remove operation, application name to get link is sailpoint.object.Application@2599e41a[id=0a73008799b81ac78199b947a1ac0233,name=AppName(Internal)]identity isnull account request native identity is d2e6213e-3dc2-43d8-8381-7100b30c7033
2026-01-28T17:34:27,422 ERROR https-jsse-nio-8443-exec-8 BeforeProvisioning-OneName:166 - Critical Error in Rule: null


<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="X12345">
  <AccountRequest application="AppName(Internal)" nativeIdentity="d2e6213e-3dc2-43d8-8381-7100b30c7033" op="Modify">
    <Attributes>
      <Map>
        <entry key="flow" value="AccessRequest"/>
        <entry key="id" value="0a7300889ba21f98819ba38fb5f50f86"/>
        <entry key="interface" value="LCM"/>
        <entry key="operation" value="EntitlementRemove"/>
      </Map>
    </Attributes>
    <AttributeRequest name="roleId" op="Remove" value="690c98291457efe100925e64">
      <Attributes>
        <Map>
          <entry key="assignment" value="true"/>
        </Map>
      </Attributes>
    </AttributeRequest>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0000656792"/>
      <entry key="requester" value="B9773"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
</ProvisioningPlan>
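To make the intended "delete the account when its last entitlement is removed" decision testable away from IIQ, here is an added Python example. It is not the rule above and not IdentityIQ code: it replays a constructed copy of the posted plan through the same delta logic, with the Link lookup replaced by a plain dictionary (an assumed stand-in for IdentityService.getLink()). A missing dictionary entry models the situation in the catalina log above, where the identity lookup comes back null; in that case the example refuses to decide instead of letting the Modify request go through, which is what the rule's catch-all does today.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the ProvisioningPlan posted above, with the XML
# declaration and DOCTYPE dropped so the standard-library parser needs no DTD.
PLAN_XML = """<ProvisioningPlan nativeIdentity="X12345">
  <AccountRequest application="AppName(Internal)"
                  nativeIdentity="d2e6213e-3dc2-43d8-8381-7100b30c7033" op="Modify">
    <AttributeRequest name="roleId" op="Remove" value="690c98291457efe100925e64">
      <Attributes><Map><entry key="assignment" value="true"/></Map></Attributes>
    </AttributeRequest>
  </AccountRequest>
</ProvisioningPlan>"""

# Constructed stand-in for the Link attributes the rule reads via
# IdentityService.getLink(): (application, nativeIdentity) -> current roleId values.
# A missing key models the case where the identity/link lookup returns null.
LINKS = {
    ("AppName(Internal)", "d2e6213e-3dc2-43d8-8381-7100b30c7033"): ["690c98291457efe100925e64"],
    ("AppName(Internal)", "acct-with-two-roles"): ["690c98291457efe100925e64", "other-role"],
}


def parse_plan(xml_text):
    """Minimal reader for the plan elements the rule cares about."""
    root = ET.fromstring(xml_text)
    plan = {"nativeIdentity": root.get("nativeIdentity"), "accountRequests": []}
    for acc in root.findall("AccountRequest"):
        plan["accountRequests"].append({
            "application": acc.get("application"),
            "nativeIdentity": acc.get("nativeIdentity"),
            "op": acc.get("op"),
            "attributeRequests": [
                {"name": ar.get("name"), "op": ar.get("op"), "value": ar.get("value")}
                for ar in acc.findall("AttributeRequest")],
        })
    return plan


def as_list(value):
    """roleId may be single- or multi-valued, like a Link attribute in IIQ."""
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def rewrite_account_request(acc_req, current_values, attr="roleId"):
    """Same decision as the rule: if the Remove leaves no roleId on the link,
    turn the Modify into a Delete. current_values=None means the link could not
    be read; then fail closed instead of guessing."""
    if acc_req["op"] != "Modify":
        return acc_req
    removes = [ar["value"] for ar in acc_req["attributeRequests"]
               if ar["name"] == attr and ar["op"] == "Remove"]
    if not removes:
        return acc_req
    if current_values is None:
        raise LookupError("no link data for %s on %s; refusing to decide"
                          % (acc_req["nativeIdentity"], acc_req["application"]))
    remaining = [v for v in as_list(current_values) if v not in removes]
    if remaining:
        return acc_req
    return {**acc_req, "op": "Delete", "attributeRequests": []}


def apply_rule(plan, links):
    """Run the decision over every AccountRequest and return the rewritten plan."""
    new_reqs = [rewrite_account_request(r, links.get((r["application"], r["nativeIdentity"])))
                for r in plan["accountRequests"]]
    return {**plan, "accountRequests": new_reqs}


def rule_outcome(plan, links):
    """Operations the provisioner would see, or 'refused' when a lookup failed."""
    try:
        return [r["op"] for r in apply_rule(plan, links)["accountRequests"]]
    except LookupError:
        return "refused"


if __name__ == "__main__":
    plan = parse_plan(PLAN_XML)
    print("with link data:", rule_outcome(plan, LINKS))   # ['Delete']
    print("lookup returned null:", rule_outcome(plan, {}))  # refused
```

The point of `rule_outcome` returning "refused" is the contrast with the posted rule: its catch block logs the NullPointerException and returns normally, so the original Modify (just the roleId removal) is sent to the target and the account survives with no entitlements. If the real rule should fail closed the same way, let the exception propagate instead of catching it; whether that aborts the provisioning transaction in your IIQ version is something to verify in a lab before relying on it.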

There are two issues I found in your code. First, the method name is wrong: context.getObjectbyName(Identity.class, identityName) should have a capital B, i.e. Identity identity = context.getObjectByName(Identity.class, identityName);

Second, can you use "Identity identity = plan.getIdentity();" and try it?

So I can run a QueryOptions query against the DB from the Web Gateway? Because I understood that the issue is DB access from that gateway.

Yes, sorry, this is a typo; it's actually correct in the lab. plan.getIdentity() returns null also...

Hi Hicham,

If the “before provisioning” rule runs on the Cloud Gateway server, then it would not be possible to access the database.

What are you specifying for “beforeProvisionRuleLocation” in your application definition?

Hey Paul, not sure what you mean? I don't remember being able to specify anything.

Hi Hicham,

It may be another one of the undocumented settings that IIQ is famous for.

Anyhow, edit your application from the debug page and add:

<entry key="beforeProvisionRuleLocation" value="proxy"/>

Aha! Interesting setting! Should I set it to <entry key="beforeProvisionRuleLocation" value="server"/> in this case?

You can refer to this post here:

https://community.sailpoint.com/t5/IdentityIQ-Forum/Unable-To-Get-Identity-or-Any-IIQ-Objects-While-Provisioning/m-p/195414