After upgrading from 8.2p4 to 8.4p2, noticing issue in identity mapping behavior

IdentityIQ (IIQ) IIQ Discussion and Questions
1

Which IIQ version are you inquiring about?

IdentityIQ8.4p2

Share all details about your problem, including any error messages you may have received.

We use Create Identity quicklink to create contractors in customer environment.
There is a custom attribute emailRequired which has the mapping as follows:
emailRequired ----> Email Required from the SuccessFactors application.

However, this mapping is not applicable for contractors as they do not have SuccessFactors application account associated to them.

In 8.2p4, we could see the AttributeMetaDatas have entry like this when a new contractor is created:

However, in 8.4p2, we could see the AttributeMetaDatas have entry like this after a new contractor is created:

Due to this, emailRequired attribute is getting removed in contractors created after upgrade to 8.4p2.

We have also noticed, that this is not the case with other attributes which are having more than 1 mapping.
Please let me know if this is a known bug in 8.4p2.

Thanks & Regards,
Milina Phalke

3

this was as fix in 8.4p2

IIQTC-465
     Extended attributes on identity pages now accurately reflect mapping 
     changes between applications, including scenarios where the newly 
     mapped application contains no value for the attribute.

Source : s3.distribution.sailpoint.com/IdentityIQ_Releases/8.4/8.4p2/identityiq-8.4p2-README.txt

4

Hi Ranjan,

Thanks for looking into the issue and sharing your inputs.
We already have 8.4p2 deployed on our environment.
So possibly the fix does not cover the scenario mentioned here.
We will check with the support team for the same.

Thanks & Regards,
Milina Phalke

1 Like
5

when you said, " entry like this" i don’t see any data here. also when there is no contractor data in source then identity also does not maintain any data. this is fix in 8.4p2.

Or i am missing somthing here ?

6

Hi Ranjan,
I don’t see any option to update my post.

In 8.2p4, we could see the AttributeMetaDatas have entry like this:
<AttributeMetaData attribute="emailRequired" modified="1743335346769" user="A026902"/>

However, in 8.4p2, we could see the AttributeMetaDatas have entry like this: <AttributeMetaData attribute="emailRequired" source="SuccessFactors:Email Required"/>

Note: I had to add the tag content in `` to display it here. Seems that is the reason, the values are missing in the originial post.

Thanks & Regards,
Milina Phalke

7

I don’t have 8.2p4 but this is the correct format for attributeMetadata.

<AttributeMetaData attribute="emailRequired" source="SuccessFactors:Email Required"/>

It will always keeps updated the identity attribute with source changes. So don’t think it’s bug.

8

Hi Ranjan,
We are creating contractors from SailPoint and there is no source of truth for contractors.
Contractors don’t have SuccessFactors application account, so having the contractor attribute mapped to SuccessFactors application seems incorrect.
In 8.2p4, it used to store the modifiedtimestamp and the userid who modified the identity in AttributeMetaData for contractors in our customer env.
<AttributeMetaData attribute="emailRequired" modified="1743335346769" user="A026902"/>

Thanks & Regards,
Milina Phalke

9

thanks @milinaphalke

you can use global rule for emailRequired, the option i can think of. like if it’s contractor then set identity.getName();

10

Hi Ranjan,
Thanks for your suggestion.

For now, we have a workaround to add a dummy mapping. So, if there are more than 1 mapping, things are working fine even if the mapping is not applicable to the identity. Issue is only if there is 1 mapping and it is not applicable to the identity.

Meanwhile SailPoint support team is looking into the issue.

Thanks & Regards,
Milina Phalke

1 Like