Add Entitlement operation in Web Service connector

Hi Folks,

I am not able to pass all the non-entitlement attributes in Add Entitlement operation for the Web service connector. So, I have 2 types of entitlements - workManagerRole & builderRole. I am using two separate add entitlement operations:

  1. Add Entitlement-workManagerRole
  2. Add Entitlement-workManagerRole

The application endpoint configured as context URL is the same for both of these. Request Body I am using:

{ "CompanyGUID": null, "EmailAddress":"$plan.EmailAddress$", "Firstname":"$plan.Firstname$", "Surname":"$plan.Surname$", "Timezone":"$plan.Timezone$", "PreferredLanguage":"en-gb", "Username":"$plan.Username$", "UserType":1, "AllowedPacketTypes":10, "IsSSOOnly":true, "BuilderRoleGUID": "$plan.BuilderRoleGUID$", "GUID":"$plan.nativeIdentity$" }

Error :
Exception while updating account.Url: https://xxxxxx/UserManagement/UpdateUser, Message: 400 : Bad Request : {"Messages":[{"MessageID":312241,"RelatedObjectGUID":"049a204b-b1e1-4231-bfd8-e5ebba314a49","RelatedObjectType":312,"IsError":true,"MessageDescription":"Username is required.","Parameters":[]},{"MessageID":312454,"RelatedObjectGUID":"049a204b-b1e1-4231-bfd8-e5ebba314a49","RelatedObjectType":312,"IsError":true,"MessageDescription":"First name is required.","Parameters":[]},{"MessageID":312457,"RelatedObjectGUID":"049a204b-b1e1-4231-bfd8-e5ebba314a49","RelatedObjectType":312,"IsError":true,"MessageDescription":"Surname is required.","Parameters":[]},{"MessageID":312245,"RelatedObjectGUID":"049a204b-b1e1-4231-bfd8-e5ebba314a49","RelatedObjectType":312,"IsError":true,"MessageDescription":"EmailAddress is required.","Parameters":[]},{"MessageID":312087,"RelatedObjectGUID":"049a204b-b1e1-4231-bfd8-e5ebba314a49","RelatedObjectType":312,"IsError":true,"MessageDescription":"Timezone is required.","Parameters":[]}],"Result":null}, HTTP Error Code: 400

But if I pass the static values in the operation body from SailPoint it is working. This is working :
{ "CompanyGUID": null, "EmailAddress":"[email protected]", "Firstname":"David Hernando", "Surname":"Montoya Romero", "Timezone":"America/Bogota", "PreferredLanguage":"en-gb", "Username":"David Hernando Montoya Romero", "UserType":1, "AllowedPacketTypes":10, "IsSSOOnly":true, "WorkManagerRoleGUID": "$plan.WorkManagerRoleGUID$", "GUID": "$plan.nativeIdentity$" }

Seems $plan is not working. I have created UPDATE policy also, having all the plan attributes mapped there.

@Bhuvnesh_TMF, in a modify operation all these attributes will not go, as they will be filtered out because the user account is already created, and I believe this API supports only PUT.
To send the attribute requests in modify, I have found one article which says we can use names such as firstnameu, lastnameu … and so on in the update policy, everything else the same, so it will get these attribute values and pass them in the plan. Then our plan will have them and these values will be sent.
Note: a before operation rule is another way, but there also you won't get the link or identity, or the API will not work, so you need to call the API, get the details and then update the body. So better pass it from modify and see if this is working.

Hi @mkumariaas -

I am getting this issue with my add entitlement operations -

  1. Add Entitlement-builderRole & 2) Add Entitlement-workManagerRole

and not update/modify operations. So, ideally the update policy is not even used for these operations. But as you suggested, I renamed the attributes to firstName_U, lastName_U in the update policy. It gave me the same error as shared above, along with a message to configure the update https operation on the connector as well. I configured the update operation also, but it still seems $plan is not working.

@mkumariaas : Web service connector - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
I read in this post that, for some reason, on the add entitlement operation IDN removed all fields that were not flagged as entitlements or were not the native identity, even though we have a before provisioning rule to add all the necessary information in the plan.
To solve this issue we created a before operation rule to add those fields in the API body.

@Bhuvnesh_TMF yes, if that is the case you need to handle it in the before operation rule, if all the attributes are going there.
Also, if you have one JSON body which you can handle at the time of creation for both entitlements along with create account, then select create account with ent in the webservice configuration; it will send all the operation.
Otherwise only the before operation rule will be helpful.

Hi @Bhuvnesh_TMF

You can try using a webservices before-operation rule. In this approach, fetch all the attribute requests from the plan and verify whether you can retrieve all the values in the plan. If successful, you can provide a static payload from the rule using the attribute values you’ve fetched.
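
The check described in the last reply, written as a Web Services before-operation rule in BeanShell. This is an added example, not code from the thread or from SailPoint. It assumes the rule inputs `provisioningPlan`, `requestEndPoint` and `log`, the `connector.common.JsonUtil` helper, and that plan attribute names match the JSON keys of the request body shown in the first post.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import connector.common.JsonUtil;                        // assumed JSON helper
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Fields the UpdateUser endpoint reported as missing in the 400 response.
String[] required = { "Username", "Firstname", "Surname", "EmailAddress", "Timezone" };

// 1. Collect every attribute value that actually arrived in the plan.
Map planValues = new HashMap();
if (provisioningPlan != null && provisioningPlan.getAccountRequests() != null) {
    for (AccountRequest acct : provisioningPlan.getAccountRequests()) {
        if (acct.getAttributeRequests() == null) continue;
        for (AttributeRequest attr : acct.getAttributeRequests()) {
            if (attr.getValue() != null) planValues.put(attr.getName(), attr.getValue());
        }
    }
}
// Log attribute names only; the values are personal data.
log.info("Add Entitlement plan attributes: " + planValues.keySet());

// 2. Parse the body the connector built from the operation template.
Map body = requestEndPoint.getBody();
Map json = JsonUtil.toMap((String) body.get("jsonBody"));

// 3. Fill fields that are empty or still hold an unresolved $plan.X$ token
//    (the thread does not show which form arrives, so both are checked).
List missing = new ArrayList();
for (String field : required) {
    String current = json.get(field) == null ? "" : json.get(field).toString().trim();
    if (!current.isEmpty() && !current.startsWith("$plan.")) continue;
    if (planValues.containsKey(field)) json.put(field, planValues.get(field));
    else missing.add(field);
}

// 4. Refuse to send a request that the endpoint would reject anyway.
if (!missing.isEmpty()) {
    throw new IllegalStateException("Plan has no value for: " + missing);
}

body.put("jsonBody", JsonUtil.render(json));
requestEndPoint.setBody(body);
return requestEndPoint;
```

If the rule throws, the names in the message are the attributes that never reached the plan, and their values have to come from another source, such as the API lookup mentioned earlier in the thread.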