AD Account BP Rule error

mgrant · December 20, 2024, 11:51pm

Hi Team,

I am seeing the following error with the AD Create via the Cloud BP Rule. Any thoughts on what may be causing it?

["RuleExecutionException (ruleName\u003dAgloan_Active Directory BeforeProvisioning): BSFException: BeanShell script error: Sourced file: inline evaluation of: `` import java.util.*; import org.apache.commons.lang.StringUtils; . . . \u0027\u0027 : Incorrect type returned from method: calculateActiveOUCan\u0027t assign void value to java.lang.String: Can\u0027t assign void value to java.lang.String : at Line: 215 : in file: inline evaluation of: `` import java.util.*; import org.apache.commons.lang.StringUtils; . . . \u0027\u0027 : calculateActiveOU ( accountRequest , employeeType ) \n BSF info: Agloan_Active Directory BeforeProvisioning at line: 0 column: columnNo, caused by org.apache.bsf.BSFException: BeanShell script error: Sourced file: inline evaluation of: `` import java.util.*; import org.apache.commons.lang.StringUtils; . . . \u0027\u0027 : Incorrect type returned from method: calculateActiveOUCan\u0027t assign void value to java.l... 0 column: columnNo"]

iamnithesh · December 21, 2024, 12:49am

It seems like method calculateActiveOU in your rule has some issue. Can you share the java code of your rule?

vasanthrajsp29 · December 21, 2024, 4:49am

Hi @mgrant,

Pls share code here to troubleshoot further

-Vasanth

mgrant · December 21, 2024, 1:16pm

Here you go

{
	"jwsHeader": "eyJhbGciOiJFUzI1NiJ9",
	"jwsSignature": "3_SEHnszWclLitXyPCrwILF40FQam1SXt60QKvRqI5myaZIKvhKk5WxxwNd4FD3j5nboBAJpF02tEhvBQgGg8A",
	"version": 1,
	"self": {
		"type": "RULE",
		"id": "38d5c9a466934eaeada0f31e6c9ccbb8",
		"name": "Agloan_Active Directory BeforeProvisioning"
	},
	"object": {
		"description": "",
		"type": "BeforeProvisioning",
		"signature": {
			"input": [],
			"output": null
		},
		"sourceCode": {
			"version": "2024-10-17 03:08:06",
			"script": "\n    \n    import java.util.*;\n    import org.apache.commons.lang.StringUtils;\n    import sailpoint.object.Identity;\n    import sailpoint.object.ProvisioningPlan;\n    import sailpoint.object.ProvisioningPlan.AccountRequest;\n    import sailpoint.object.ProvisioningPlan.AttributeRequest;\n    import sailpoint.object.*;\n    import sailpoint.rule.Account;\n    import sailpoint.tools.GeneralException;\n    import sailpoint.tools.Util;\n    import java.util.regex.Matcher;\n    import java.util.regex.Pattern;\n    import java.text.Normalizer;\n    import java.text.Normalizer.Form;\n    import java.text.DateFormat;\n    import java.text.ParseException;\n    import java.text.SimpleDateFormat;\n    import java.util.Calendar;\n    import java.util.Date;\n\n\n\n    Identity identity = plan.getIdentity();\n\n    String domainGroup = \"Domain Users\";\n\n    String name=(String) identity.getName();\n    String appName = application.getName();\n    String attributeToSearch = \"mail\";\n    String initialCalculation= \"NA\";\n\n   public AttributeRequest getAttributeRequest(String attributeName, Object attributeValue) {\n          AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest();\n          attributeRequest.setOperation(ProvisioningPlan.Operation.Set);\n          attributeRequest.setName(attributeName);\n          attributeRequest.setValue(attributeValue);\n          return attributeRequest;\n      }\n\n\n\n    // Add AttributeRequest\n  public AttributeRequest newAttributeRequest(String attributeName, Object attributeValue) {\n    AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest();\n    attributeRequest.setName(attributeName);\n    attributeRequest.setOperation(ProvisioningPlan.Operation.Set);\n    attributeRequest.setValue(attributeValue);\n    return attributeRequest;\n  }\n\n \n\n    //Remove AttributeRequest\n  public AttributeRequest newAttributeRemoveRequest(String attributeName, Object attributeValue) {\n    AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest();\n    attributeRequest.setName(attributeName);\n    attributeRequest.setOperation(ProvisioningPlan.Operation.Remove);\n    attributeRequest.setValue(attributeValue);\n    return attributeRequest;\n  }\n\n    public Account getAccount(AccountRequest accountRequest) {\n            String appName = accountRequest.getApplicationName();\n            String nativeId = accountRequest.getNativeIdentity();\n            Account account =  idn.getAccountByNativeIdentity(appName,nativeId);\n              return account;\n          }\n\n     public String calculateActiveOU(AccountRequest accountRequest, String employeeType) {\n        if(employeeType.equalsIgnoreCase(\"Employee\")) {\n          return employeeOu;\n        } else if(employeeType.equalsIgnoreCase(\"Consultant\")) {\n          return consultantOu;\n        } else if(employeeType.equalsIgnoreCase(\"Staffing Agency Worker\")) {\n          return agencyWorkerOu;\n        } else if(employeeType.equalsIgnoreCase(\"Board of Director\")) {\n          return bodOu;\n        }  \n      }\n\n\n\n    public void addAttributeToAccountRequestArguments(AccountRequest accountRequest, String attributeName, Object attributeValue) {\n          if(accountRequest != null && attributeName != null) {\n            Map arguments = accountRequest.getArguments();\n            if(arguments == null){\n              arguments = new HashMap();\n            }\n            arguments.put(attributeName, attributeValue);\n            accountRequest.setArguments(new Attributes(arguments));\n          }\n  }\n\n\n        // Generate the initial password based on the first two characters of firstname, the last four digit SN, first two characters of the lastname\n      public String getInitialPassword(String firstname, String lastname, String lastFourDigit) {\n      String initialPassword = \"\";\n      if(firstname !=null && lastname !=null && lastFourDigit !=null && !firstname.isEmpty() && !lastname.isEmpty() && !lastFourDigit.isEmpty()){\n        //sometimes the HR data can contain the firstname/preferred name or lastname with only one character.\n        // If firstname is single char, try to use the legalFirstName, else use duplicate the firstname first character for the password generation calculation\n        if(firstname.length() == 1){\n        \n            //If firstname is less than two characters, duplicate the firstname first character twice to make it a two character value  (i.e F becomes FF)\n            firstname = firstname + firstname;\n        }\n        //If lastname is less than two characters, duplicate the lastname first character twice to make it a two character value  (i.e F becomes FF)\n        if(lastname.length() == 1){\n          lastname = lastname + lastname;\n        }\n        initialPassword = firstname.substring(0, 2).toUpperCase() + lastFourDigit + lastname.substring(0, 2).toLowerCase();\n      }\n        return initialPassword;\n      }\n\n\n       \n      //Return a randomly generated string for password \n        public String getRandomGeneratedString() {\n            String randomString = \"\";\n            String charset = \"ABNCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()_+-={}[]:;<>?,./\";\n            int index;\n            int len;\n            Random rnd = new Random();\n            len = charset.length();\n            for (int count = 0; count < 18; count++) {\n                index = rnd.nextInt(len);\n                randomString += charset.charAt(index);\n            }\n            return randomString;\n        }\n\n\n/* *******   MAIN **** */\n\n     String currentLcs = \"\";\n            String calculatedOu = \"\";\n            String employeeOu =\"\";\n            String bodOu = \"\";\n            String consultantOu=\"\";\n            String terminatedOu=\"\";\n            String lastFourDigit=\"\";\n            String agencyWorkerOu=\"\";\n            String loaOu=\"\";\n\n              String firstname = \"\";\n              String lastname = \"\";\n\n\n            String nativeIdentity = \"\";\n            String employeeType = \"\";\n            String nonEmployeeLast4SSN = \"\";\n            String employeeId = \"\";\n            String adMailNickName = \"\";\n\n  \n\n  if (plan != null)\n  {\n                      \n            if(identity != null)\n            {\n   \n                terminatedOu = \"OU=Deprovisioned,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                employeeOu = \"OU=Zone1,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                bodOu = \"OU=BOD,OU=Zone2,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                consultantOu = \"OU=NonEmployees,OU=Zone1,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                agencyWorkerOu = \"OU=NonEmployees,OU=Zone1,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                loaOu = \"OU=LOA,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                \n\n                currentLcs = (String) identity.getAttribute(\"cloudLifecycleState\");\n \n                lastFourDigit = identity.getAttribute(\"lastFourDigit\");\n\n                employeeType = identity.getAttribute(\"employeeType\");\n\n                 firstname = identity.getStringAttribute(\"firstname\");\n                 lastname = identity.getStringAttribute(\"lastname\");\n\n                  calculatedOu = identity.getAttribute(\"adoulocation\");\n             \n            }\n\n            //If plan is not null then get the account request\n            List accountRequests = plan.getAccountRequests();\n\n            if(accountRequests != null)\n            {\n                for(AccountRequest accountRequest : accountRequests)\n                {   \n                    AccountRequest.Operation op = accountRequest.getOperation();\n                    log.debug(\"Nchs AD Provisioning Rule: currentLcs state: \"+currentLcs);\n                     nativeIdentity = accountRequest.getNativeIdentity();\n\n                      String samaccountname = identity.getStringAttribute(\"adloginid\");\n                      if(samaccountname == null && accountRequest.getAttributeRequest(\"sAMAccountName\") != null) {\n                       samaccountname = accountRequest.getAttributeRequest(\"sAMAccountName\").getValue();\n               }    \n\n                          //store it on the arguments of the account request for connector after rules\n          if(samaccountname != null && !samaccountname.isEmpty()) {\n          addAttributeToAccountRequestArguments(accountRequest, \"samaccountname\", samaccountname);\n                  }\n\n                  //Request Email\n         if((AccountRequest.Operation.Create == op || AccountRequest.Operation.Modify == op) && (\"newemployee\".equalsIgnoreCase(currentLcs) || \"active\".equalsIgnoreCase(currentLcs) || \"prehire\".equalsIgnoreCase(currentLcs))) {\n          AttributeRequest memberOfReq = accountRequest.getAttributeRequest(\"memberOf\");\n          \n                 }\n\n                    if((AccountRequest.Operation.Create == op) && (\"newemployee\".equalsIgnoreCase(currentLcs) || \"active\".equalsIgnoreCase(currentLcs) || \"prehire\".equalsIgnoreCase(currentLcs))) {\n\n                                accountRequest.add(getAttributeRequest(\"AC_NewParent\", calculateActiveOU(accountRequest, employeeType)));\n                      \n                                String password = getInitialPassword(firstname, lastname, lastFourDigit);\n                              \n                    }\n\n                  \n\n                    //MODIFY\n                    if(op != null && AccountRequest.Operation.Modify.equals(op)){\n                         AttributeRequest memberOfReq = accountRequest.getAttributeRequest(\"memberOf\");\n                    \n                      \n                    }\n\n                    //Move OU if any of the following is change: employeeType\n                    if(\"active\".equalsIgnoreCase(currentLcs) && AccountRequest.Operation.Modify.equals(op)) {\n                        AttributeRequest employeeTypeReq = accountRequest.getAttributeRequest(\"employeeType\");\n                        if( employeeTypeReq != null && employeeTypeReq.getValue().toString().equalsIgnoreCase(\"Employee\") )\n                         {\n                            log.info(\"AgLoan AD Before Provisioning change OU\");\n                            accountRequest.add(newAttributeRequest(\"AC_NewParent\", calculatedOu)); //moving OU when employeeType changes to Employee\n                         }\n                    }\n\n\n                    if(op != null && AccountRequest.Operation.Enable.equals(op))\n                    {\n                        \n                          log.info(\"AgLoan AD Before Provisioning change OU Rehire\");\n                            accountRequest.add(newAttributeRequest(\"AC_NewParent\", calculatedOu)); //moving OU when rehire                        \n                        \n                    }\n                    \n\n                    if(op != null && \"loa\".equalsIgnoreCase(currentLcs)  && AccountRequest.Operation.Modify.equals(op))\n                    {\n                        \n                          log.info(\"AgLoan AD Before Provisioning change OU loa\");\n                            accountRequest.add(newAttributeRequest(\"AC_NewParent\", loaOu)); //moving OU when loa                        \n                        \n                    }\n\n\n                    // DISABLE\n                    if(op != null && AccountRequest.Operation.Disable.equals(op))\n                    {\n                        \n                            Object currentGroups = idn.getRawAccountAttribute(accountRequest.getApplicationName(), accountRequest.getNativeIdentity(), \"memberOf\");\n                                \n                           accountRequest.add(newAttributeRequest(\"AC_NewParent\", terminatedOu));\n    \n                                // Set termination date in the description\n                                Date date = new Date();\n    \n                                SimpleDateFormat descriptionDateFormatter = new SimpleDateFormat(\"MM/dd/yyyy HH:mm:ss\");\n                                String descriptionDate = descriptionDateFormatter.format(date);\n                                accountRequest.add(newAttributeRequest(\"description\", \"Deprovisioned on \" + descriptionDate + \" by AGLOAN\\\\svc_IQService\" ));\n         \n    \n                                //Scramble the password \n                                String scrambledPassword  = getRandomGeneratedString();\n                                accountRequest.add(newAttributeRequest(\"password\", scrambledPassword));                       \n                        \n                    }\n                }\n            }           \n        log.info(\"Agloan AD Provisioning Rule is complete\");\n  }\n  \n   "
		},
		"attributes": {
			"sourceVersion": "2024-10-17 03:08:06"
		},
		"id": "38d5c9a466934eaeada0f31e6c9ccbb8",
		"name": "Agloan_Active Directory BeforeProvisioning",
		"created": "2024-10-11T14:15:43.849Z",
		"modified": "2024-10-17T03:08:07.320Z"
	}
}

mgrant · December 21, 2024, 1:16pm

Hi Vasanth,

Here you go

{
	"jwsHeader": "eyJhbGciOiJFUzI1NiJ9",
	"jwsSignature": "3_SEHnszWclLitXyPCrwILF40FQam1SXt60QKvRqI5myaZIKvhKk5WxxwNd4FD3j5nboBAJpF02tEhvBQgGg8A",
	"version": 1,
	"self": {
		"type": "RULE",
		"id": "38d5c9a466934eaeada0f31e6c9ccbb8",
		"name": "Agloan_Active Directory BeforeProvisioning"
	},
	"object": {
		"description": "",
		"type": "BeforeProvisioning",
		"signature": {
			"input": [],
			"output": null
		},
		"sourceCode": {
			"version": "2024-10-17 03:08:06",
			"script": "\n    \n    import java.util.*;\n    import org.apache.commons.lang.StringUtils;\n    import sailpoint.object.Identity;\n    import sailpoint.object.ProvisioningPlan;\n    import sailpoint.object.ProvisioningPlan.AccountRequest;\n    import sailpoint.object.ProvisioningPlan.AttributeRequest;\n    import sailpoint.object.*;\n    import sailpoint.rule.Account;\n    import sailpoint.tools.GeneralException;\n    import sailpoint.tools.Util;\n    import java.util.regex.Matcher;\n    import java.util.regex.Pattern;\n    import java.text.Normalizer;\n    import java.text.Normalizer.Form;\n    import java.text.DateFormat;\n    import java.text.ParseException;\n    import java.text.SimpleDateFormat;\n    import java.util.Calendar;\n    import java.util.Date;\n\n\n\n    Identity identity = plan.getIdentity();\n\n    String domainGroup = \"Domain Users\";\n\n    String name=(String) identity.getName();\n    String appName = application.getName();\n    String attributeToSearch = \"mail\";\n    String initialCalculation= \"NA\";\n\n   public AttributeRequest getAttributeRequest(String attributeName, Object attributeValue) {\n          AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest();\n          attributeRequest.setOperation(ProvisioningPlan.Operation.Set);\n          attributeRequest.setName(attributeName);\n          attributeRequest.setValue(attributeValue);\n          return attributeRequest;\n      }\n\n\n\n    // Add AttributeRequest\n  public AttributeRequest newAttributeRequest(String attributeName, Object attributeValue) {\n    AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest();\n    attributeRequest.setName(attributeName);\n    attributeRequest.setOperation(ProvisioningPlan.Operation.Set);\n    attributeRequest.setValue(attributeValue);\n    return attributeRequest;\n  }\n\n \n\n    //Remove AttributeRequest\n  public AttributeRequest newAttributeRemoveRequest(String attributeName, Object attributeValue) {\n    AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest();\n    attributeRequest.setName(attributeName);\n    attributeRequest.setOperation(ProvisioningPlan.Operation.Remove);\n    attributeRequest.setValue(attributeValue);\n    return attributeRequest;\n  }\n\n    public Account getAccount(AccountRequest accountRequest) {\n            String appName = accountRequest.getApplicationName();\n            String nativeId = accountRequest.getNativeIdentity();\n            Account account =  idn.getAccountByNativeIdentity(appName,nativeId);\n              return account;\n          }\n\n     public String calculateActiveOU(AccountRequest accountRequest, String employeeType) {\n        if(employeeType.equalsIgnoreCase(\"Employee\")) {\n          return employeeOu;\n        } else if(employeeType.equalsIgnoreCase(\"Consultant\")) {\n          return consultantOu;\n        } else if(employeeType.equalsIgnoreCase(\"Staffing Agency Worker\")) {\n          return agencyWorkerOu;\n        } else if(employeeType.equalsIgnoreCase(\"Board of Director\")) {\n          return bodOu;\n        }  \n      }\n\n\n\n    public void addAttributeToAccountRequestArguments(AccountRequest accountRequest, String attributeName, Object attributeValue) {\n          if(accountRequest != null && attributeName != null) {\n            Map arguments = accountRequest.getArguments();\n            if(arguments == null){\n              arguments = new HashMap();\n            }\n            arguments.put(attributeName, attributeValue);\n            accountRequest.setArguments(new Attributes(arguments));\n          }\n  }\n\n\n        // Generate the initial password based on the first two characters of firstname, the last four digit SN, first two characters of the lastname\n      public String getInitialPassword(String firstname, String lastname, String lastFourDigit) {\n      String initialPassword = \"\";\n      if(firstname !=null && lastname !=null && lastFourDigit !=null && !firstname.isEmpty() && !lastname.isEmpty() && !lastFourDigit.isEmpty()){\n        //sometimes the HR data can contain the firstname/preferred name or lastname with only one character.\n        // If firstname is single char, try to use the legalFirstName, else use duplicate the firstname first character for the password generation calculation\n        if(firstname.length() == 1){\n        \n            //If firstname is less than two characters, duplicate the firstname first character twice to make it a two character value  (i.e F becomes FF)\n            firstname = firstname + firstname;\n        }\n        //If lastname is less than two characters, duplicate the lastname first character twice to make it a two character value  (i.e F becomes FF)\n        if(lastname.length() == 1){\n          lastname = lastname + lastname;\n        }\n        initialPassword = firstname.substring(0, 2).toUpperCase() + lastFourDigit + lastname.substring(0, 2).toLowerCase();\n      }\n        return initialPassword;\n      }\n\n\n       \n      //Return a randomly generated string for password \n        public String getRandomGeneratedString() {\n            String randomString = \"\";\n            String charset = \"ABNCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()_+-={}[]:;<>?,./\";\n            int index;\n            int len;\n            Random rnd = new Random();\n            len = charset.length();\n            for (int count = 0; count < 18; count++) {\n                index = rnd.nextInt(len);\n                randomString += charset.charAt(index);\n            }\n            return randomString;\n        }\n\n\n/* *******   MAIN **** */\n\n     String currentLcs = \"\";\n            String calculatedOu = \"\";\n            String employeeOu =\"\";\n            String bodOu = \"\";\n            String consultantOu=\"\";\n            String terminatedOu=\"\";\n            String lastFourDigit=\"\";\n            String agencyWorkerOu=\"\";\n            String loaOu=\"\";\n\n              String firstname = \"\";\n              String lastname = \"\";\n\n\n            String nativeIdentity = \"\";\n            String employeeType = \"\";\n            String nonEmployeeLast4SSN = \"\";\n            String employeeId = \"\";\n            String adMailNickName = \"\";\n\n  \n\n  if (plan != null)\n  {\n                      \n            if(identity != null)\n            {\n   \n                terminatedOu = \"OU=Deprovisioned,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                employeeOu = \"OU=Zone1,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                bodOu = \"OU=BOD,OU=Zone2,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                consultantOu = \"OU=NonEmployees,OU=Zone1,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                agencyWorkerOu = \"OU=NonEmployees,OU=Zone1,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                loaOu = \"OU=LOA,OU=Users,OU=Managed Objects,DC=agloan,DC=ads\";\n                \n\n                currentLcs = (String) identity.getAttribute(\"cloudLifecycleState\");\n \n                lastFourDigit = identity.getAttribute(\"lastFourDigit\");\n\n                employeeType = identity.getAttribute(\"employeeType\");\n\n                 firstname = identity.getStringAttribute(\"firstname\");\n                 lastname = identity.getStringAttribute(\"lastname\");\n\n                  calculatedOu = identity.getAttribute(\"adoulocation\");\n             \n            }\n\n            //If plan is not null then get the account request\n            List accountRequests = plan.getAccountRequests();\n\n            if(accountRequests != null)\n            {\n                for(AccountRequest accountRequest : accountRequests)\n                {   \n                    AccountRequest.Operation op = accountRequest.getOperation();\n                    log.debug(\"Nchs AD Provisioning Rule: currentLcs state: \"+currentLcs);\n                     nativeIdentity = accountRequest.getNativeIdentity();\n\n                      String samaccountname = identity.getStringAttribute(\"adloginid\");\n                      if(samaccountname == null && accountRequest.getAttributeRequest(\"sAMAccountName\") != null) {\n                       samaccountname = accountRequest.getAttributeRequest(\"sAMAccountName\").getValue();\n               }    \n\n                          //store it on the arguments of the account request for connector after rules\n          if(samaccountname != null && !samaccountname.isEmpty()) {\n          addAttributeToAccountRequestArguments(accountRequest, \"samaccountname\", samaccountname);\n                  }\n\n                  //Request Email\n         if((AccountRequest.Operation.Create == op || AccountRequest.Operation.Modify == op) && (\"newemployee\".equalsIgnoreCase(currentLcs) || \"active\".equalsIgnoreCase(currentLcs) || \"prehire\".equalsIgnoreCase(currentLcs))) {\n          AttributeRequest memberOfReq = accountRequest.getAttributeRequest(\"memberOf\");\n          \n                 }\n\n                    if((AccountRequest.Operation.Create == op) && (\"newemployee\".equalsIgnoreCase(currentLcs) || \"active\".equalsIgnoreCase(currentLcs) || \"prehire\".equalsIgnoreCase(currentLcs))) {\n\n                                accountRequest.add(getAttributeRequest(\"AC_NewParent\", calculateActiveOU(accountRequest, employeeType)));\n                      \n                                String password = getInitialPassword(firstname, lastname, lastFourDigit);\n                              \n                    }\n\n                  \n\n                    //MODIFY\n                    if(op != null && AccountRequest.Operation.Modify.equals(op)){\n                         AttributeRequest memberOfReq = accountRequest.getAttributeRequest(\"memberOf\");\n                    \n                      \n                    }\n\n                    //Move OU if any of the following is change: employeeType\n                    if(\"active\".equalsIgnoreCase(currentLcs) && AccountRequest.Operation.Modify.equals(op)) {\n                        AttributeRequest employeeTypeReq = accountRequest.getAttributeRequest(\"employeeType\");\n                        if( employeeTypeReq != null && employeeTypeReq.getValue().toString().equalsIgnoreCase(\"Employee\") )\n                         {\n                            log.info(\"AgLoan AD Before Provisioning change OU\");\n                            accountRequest.add(newAttributeRequest(\"AC_NewParent\", calculatedOu)); //moving OU when employeeType changes to Employee\n                         }\n                    }\n\n\n                    if(op != null && AccountRequest.Operation.Enable.equals(op))\n                    {\n                        \n                          log.info(\"AgLoan AD Before Provisioning change OU Rehire\");\n                            accountRequest.add(newAttributeRequest(\"AC_NewParent\", calculatedOu)); //moving OU when rehire                        \n                        \n                    }\n                    \n\n                    if(op != null && \"loa\".equalsIgnoreCase(currentLcs)  && AccountRequest.Operation.Modify.equals(op))\n                    {\n                        \n                          log.info(\"AgLoan AD Before Provisioning change OU loa\");\n                            accountRequest.add(newAttributeRequest(\"AC_NewParent\", loaOu)); //moving OU when loa                        \n                        \n                    }\n\n\n                    // DISABLE\n                    if(op != null && AccountRequest.Operation.Disable.equals(op))\n                    {\n                        \n                            Object currentGroups = idn.getRawAccountAttribute(accountRequest.getApplicationName(), accountRequest.getNativeIdentity(), \"memberOf\");\n                                \n                           accountRequest.add(newAttributeRequest(\"AC_NewParent\", terminatedOu));\n    \n                                // Set termination date in the description\n                                Date date = new Date();\n    \n                                SimpleDateFormat descriptionDateFormatter = new SimpleDateFormat(\"MM/dd/yyyy HH:mm:ss\");\n                                String descriptionDate = descriptionDateFormatter.format(date);\n                                accountRequest.add(newAttributeRequest(\"description\", \"Deprovisioned on \" + descriptionDate + \" by AGLOAN\\\\svc_IQService\" ));\n         \n    \n                                //Scramble the password \n                                String scrambledPassword  = getRandomGeneratedString();\n                                accountRequest.add(newAttributeRequest(\"password\", scrambledPassword));                       \n                        \n                    }\n                }\n            }           \n        log.info(\"Agloan AD Provisioning Rule is complete\");\n  }\n  \n   "
		},
		"attributes": {
			"sourceVersion": "2024-10-17 03:08:06"
		},
		"id": "38d5c9a466934eaeada0f31e6c9ccbb8",
		"name": "Agloan_Active Directory BeforeProvisioning",
		"created": "2024-10-11T14:15:43.849Z",
		"modified": "2024-10-17T03:08:07.320Z"
	}
}

mgrant · December 21, 2024, 1:35pm

I took a quick look and noticed the below. We had two employeeType: Board of Directors which should return them to the bodOU but the rule has else if(employeeType.equalsIgnoreCase(\"Board of Director\")) {\n return bodOu;\n }

The employeeType for Board of Directors is missing an “s” in the rule so it appears that it can not calculate the OU for the bodOU.

public String calculateActiveOU(AccountRequest accountRequest, String employeeType) {\n if(employeeType.equalsIgnoreCase(\"Employee\")) {\n return employeeOu;\n } else if(employeeType.equalsIgnoreCase(\"Consultant\")) {\n return consultantOu;\n } else if(employeeType.equalsIgnoreCase(\"Staffing Agency Worker\")) {\n return agencyWorkerOu;\n } else if(employeeType.equalsIgnoreCase(\"Board of Director\")) {\n return bodOu;\n } \n }\n\n\n\n public void addAttributeToAccountRequestArguments

iamnithesh · December 21, 2024, 1:39pm

Are you sure any one of the conditions will always be true in this?

If none of the conditions is true, then this method does not return anything resulting in “void” situation.

mgrant · December 23, 2024, 12:47pm

Hi Nithesh,

Thanks for chiming in. Yes sir each of these conditions will always be true. These are the only employee Types we have. This is what led me to think the if(employeeType.equalsIgnoreCase(\"Board of Director\")) {\n return bodOu may be the issue since in our Source of Truth we have

`EMPLOYEE_TYPE:Board_Member`

being transformed to employeeType:Board of Directors` for the OU in AD. In regards to the void left if the condition is not true. For items not true would you suggest placing a catch all OU for conditions that are not true?

iamnithesh · December 23, 2024, 3:20pm

Yes a catchall condition is always a good option

officialamitguptaa · December 23, 2024, 3:36pm

@mgrant -

The short answer is that your method calculateActiveOU(...) is missing a return statement for some path, causing BeanShell (and thus SailPoint) to interpret it as returning void in certain situations.

Why It Happens

In your code:

public String calculateActiveOU(AccountRequest accountRequest, String employeeType) {
    if(employeeType.equalsIgnoreCase("Employee")) {
        return employeeOu;
    } else if(employeeType.equalsIgnoreCase("Consultant")) {
        return consultantOu;
    } else if(employeeType.equalsIgnoreCase("Staffing Agency Worker")) {
        return agencyWorkerOu;
    } else if(employeeType.equalsIgnoreCase("Board of Director")) {
        return bodOu;
    }
}

Java requires all code paths to return something if the method signature has a return type (in this case, String).
If employeeType does not match any of these if/else blocks, then this method returns nothing, which is effectively void.
BeanShell sees that it can’t convert void to a String, so you get an error like:

Can't assign void value to java.lang.String

How To Fix It

You must ensure there’s a return statement for every path. Usually, people add an else block or a default return at the bottom of the method, like so:

public String calculateActiveOU(AccountRequest accountRequest, String employeeType) {
    if (employeeType.equalsIgnoreCase("Employee")) {
        return employeeOu;
    } else if (employeeType.equalsIgnoreCase("Consultant")) {
        return consultantOu;
    } else if (employeeType.equalsIgnoreCase("Staffing Agency Worker")) {
        return agencyWorkerOu;
    } else if (employeeType.equalsIgnoreCase("Board of Director")) {
        return bodOu;
    } else {
        // Return a default, or even `null` if that makes sense in your logic
        return "";
    }
}

You could also throw an exception or log an error if an unexpected employeeType is provided. The point is, Java must be able to see a clear return value for every branch.

Once you add that default return branch, the error should go away.

mgrant · December 23, 2024, 5:06pm

Hi Amit,

You confirmed what I suspected with the

 } else if (employeeType.equalsIgnoreCase("Board of Director")) {
        return bodOu;

it is not directly matching because it is missing the "s" so it returns a void then errors out.

Having a “catch all” or like you mentioned "adding a default return to handle the void is a great recommendation as well. Much appreciated this helps alot.

mgrant · December 23, 2024, 5:08pm

Thanks everyone for helping me troubleshoot this error. You all have assisted me greatly with finding a root cause to the error and developing a strategy to ensure it does not happen again. Truly appreciate everyone’s input.

system · February 21, 2025, 5:09pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SailPoint SaaS Rule Validator v3.0.49 - Trouble shooting ISC Discussion and Questions rules , identity-security-cloud , rule-development-kit	7	163	August 17, 2025
Issue with Before Provisioning Rule and ObjectNotFoundException during User Leaver Process ISC Discussion and Questions identity-security-cloud , provisioning	30	921	July 23, 2024
Developing and Testing Identity Attribute Rules in Identity Security Cloud Community Blog rules , identity-security-cloud	0	355	February 19, 2025
Email Generation duplication processing via ISC cloud rule and its debugging best practices ISC Discussion and Questions rules , identity-security-cloud	10	265	December 6, 2024
IdentityNow Before Creation Rule implementation issue ISC Discussion and Questions rules , identity-security-cloud , connectors	6	140	December 23, 2024

AD Account BP Rule error

Why It Happens

How To Fix It

Related topics