Active Directory AfterCreate Native Rules Execution Failure

Hello Everyone,
We are facing an issue in the production environment for a few users during the execution of after-create PowerShell scripts / native rules.
As per our findings, the Active Directory After Create Rule is throwing the below error message and is not able to execute the actual PowerShell script on the IQService server. It looks like serviceResult is somehow returning '&', and if the '&' character is in the result, it throws an error.

Note: It's only failing with this error for a few users.

:::ERROR START:::
10/29/2024 03:07:01][ConnectorAfterCreateNativeRule][ERROR] Error: Item = → Message = At line:91 char:139

+ … TAi8AeUwv5sM+7uq1KxX5FjAWU1h5hKpyBVwm5QAWWpnDHE6TlXSm1S/680I SH5w …
+                                                             ~

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.

At line:144 char:17

+             ~

The string is missing the terminator: '.

:::ERROR END::::

Thanks!


Hi @xg029,

You will have to sanitize the input, either by wrapping it in quotes '"&"' or by replacing & with an escaped version ('`&') in your script.
This ensures that (&) is treated as part of the string rather than as an operator.
Hope this helps!


Hi @xg029,

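You can update your rule script part to something like the below:

# Parse the request XML that IQService passes in the Request environment variable
$sReader = New-Object System.IO.StringReader([System.String]$env:Request);
$xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
$requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
# Take the raw request text and replace '&' before it is placed in the command string
$requestAsString = $env:Request
$requestAsStringUpdtd = $requestAsString.replace("&","`&")

# $command is assumed to already hold the script invocation built earlier in the rule
$command = -join ($command, " -requestString '$requestAsStringUpdtd'")
Invoke-Expression $command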
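
An added example, not part of the thread or of SailPoint's sample rules: it shows why a request value spliced into an `Invoke-Expression` string is parsed as PowerShell (producing both errors above), and two ways to pass it as data instead. The request text and the `AfterCreateDemo.ps1` stand-in script are constructed for the demonstration.

```powershell
# Constructed sample: a request value holding both characters from the error above.
$request = '<Attribute name="description" value="Tom''s R&D team"/>'

# Hypothetical stand-in for the real after-create script: echoes its argument back.
$script = Join-Path ([System.IO.Path]::GetTempPath()) 'AfterCreateDemo.ps1'
Set-Content -Path $script -Value 'param([string]$requestString) $requestString'

# 1) Pattern from the thread: the request text is spliced into a command string.
#    The apostrophe ends the quoted argument early, so the parser then meets a bare "&".
$command = "& '$script' -requestString '$request'"
try {
    Invoke-Expression $command | Out-Null
    $naive = 'parsed'
} catch {
    $naive = "parse error: $($_.Exception.Message)"
}

# 2) If the command string must stay, escape for a single-quoted literal.
#    Inside '...' only the quote itself is special; "&" needs no escaping there.
$escaped = [System.Management.Automation.Language.CodeGeneration]::EscapeSingleQuotedStringContent($request)
$viaEscaped = Invoke-Expression "& '$script' -requestString '$escaped'"

# 3) Preferred: no Invoke-Expression. The call operator binds the variable's value
#    directly to the parameter, so the data is never parsed as PowerShell.
$viaCall = & $script -requestString $request

[pscustomobject]@{
    Naive             = $naive
    EscapedRoundTrips = ($viaEscaped -ceq $request)
    CallRoundTrips    = ($viaCall -ceq $request)
} | Format-List

Remove-Item -Path $script
```

Because attribute values in the request come from identity data, the first pattern is also a code-injection path on the IQService host, not only a source of parse failures for users whose values happen to contain a quote.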
