Account lookup from web services connector rule

Running into an issue where an account attribute (versionId) is not being passed into the Web Services Before Operation Rule during an “Add Entitlement” operation:
Only the “roleType” attrib is being passed in. No other account attributes are sent:

```java
ProvisioningPlan.AttributeRequest attReq : Util.iterate(accReq.getAttributeRequests()
```

I would have thought that the entire account would be passed in and not just the entitlement/roleType being requested in the access profile.

Tried getting access to the full acct:

```java
ConnectorContext context = getContext();
String applicationName = "Funding Application";
String nativeIdentity = "54887877";
Application appl = context.getObjectByName(Application.class, applicationName);
if (application != null) {
    IdentityService identityService = new IdentityService(context);
    Link accountLink = identityService.getLink(application, nativeIdentity);
.......
```

But getting “ConnectorContext not found in namespace” error:

Exception occurred while performing 'Modify' operation on identity '54887877': Error: Error executing before operation rule for endpoint 'Add User': BeanShell script error: bsh.EvalError: Sourced file: inline evaluation of: ``import java.util.ArrayList; import java.util.HashMap; import java.util.Map; impo . . . '' : Typed variable declaration : **Class: ConnectorContext not found in namespace** : at Line: 21 : in file: inline evaluation of: ``import java.util.ArrayList; import java.util.HashMap; import java.util.Map; impo . . . '' : ConnectorContext BSF info

How can the account be accessed from within the rule so that “versionId” attrib can be pulled?

No, it doesn't pass the whole thing, only the delta of what is being requested/updated.

I wish there was an option to pass the whole thing or not.

You have two options.

  1. Have a loopback/reverse lookup in Before Operation rule, like you suggested. See this full thread:

Reverse entitlement aggregation for Web Services connector - Identity Security Cloud (ISC) / ISC Community Knowledge Base - SailPoint Developer Community

  2. Create dummy attributes in Provisioning Policies, to pass the account attributes required.

Native Identity Issue with Web Service Connector - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

Thanks @jrossicare
Regarding the 2nd option:

Looking at the code from the link. In my case it’s the src attrib “versionId” that’s not getting passed into the add entitlement op. So is this what it would look like?:

```
GET /beta/sources/<id>/provisioning-policies
[
    {
        "name": "MYSOURCE_CREATE_PP",
        "description": null,
        "usageType": "CREATE",
        "fields": [
            {
                "name": "tmpVersionId",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "**??**"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
```

Where would the value for “name” in the transform come from? Would “versionId” need to be added to the identity profile? (based on this doc, only identityAttribute transform type can be used in provisioning policies, accountAttribute type won’t work: Transforms in Provisioning Policies | SailPoint Developer Community)

Yes, in Add Entitlement you will get only the account attribute which you made as “account Id” and the requested entitlement. In order to get additional account attributes, you can do this.

  1. Add a Before Provisioning Rule and write logic to check if the account operation is Modify and add the required other account attribute values to the account request.
  2. In the Before Operation Rule, make a GET call using the native identity and pass the required versionId value to the input JSON.

My suggestion would be using BeforeProvisioningRule because it will be a cleaner process.

Thanks,
Uday


Hi @mario_rod

Is Version ID an account attribute or Identity attribute?

If account attribute, you can use the following in the fields part

```json
{
    "name": "tmpVersionId",
    "transform": {
        "type": "accountAttribute",
        "attributes": {
            "attributeName": "versionId",
            "sourceName": "mySourceName"
        }
    },
    "attributes": {},
    "isRequired": true,
    "type": "string",
    "isMultiValued": false
},
```

If it is an identity attribute

```json
{
    "name": "tmpVersionId",
    "transform": {
        "type": "identityAttribute",
        "attributes": {
            "name": "versionId"
        }
    },
    "attributes": {},
    "isRequired": true,
    "type": "string",
    "isMultiValued": false
},
```

Hi @jrossicare

It’s an account attrib. but what threw me off was this

I will give that a shot and report back

Thanks again!

