Assignment Rule Not Adding Identities to Role

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

HI All

I am trying to add identities to a business role. I have created an assignment rule which appears to be returning the right value but the identities never get assigned to a role after a refresh. The IdentitySelector Role is attached to the business role. I am hoping to get some help to determine what I am missing on this one.

On the refresh I have process events, refresh assigned detected roles, refresh role metadata, refresh id attribs, refresh identity entitlements and a few other things

Here is a code snippet from the assignment rule

boolean eadAccExists = (eadLink != null);
boolean myappApprovedDN = false;

if (eadAccExists) {

          if (eadLink.getAttribute("distinguishedName") != null) {

              String dn = eadLink.getAttribute("distinguishedName");
              String lowerCaseDN = dn.trim().toLowerCase();
            
              myappApprovedDN  = (lowerCaseDN.contains("ou=users,ou=abc") ||
              lowerCaseDN.contains("ou=nadc,ou=xyz") ||
               lowerCaseDN.contains("ou=users,ou=superduper") ||
	  lowerCaseDN.contains("ou=users,ou=mycity") ||
	  lowerCaseDN.contains("ou=provision,ou=users,ou=yellow") );
          }

     }

boolean result = myappApprovedDN;
log.error("xxx returning result: " + result); // prints out xxx returning result: true
return result;

Hello,

In the Roles → Role Selected → Role Information do you have the Assignment Rule configured using this Rule?

Yes

The rule is selected on the role in the assignment rule

I don’t know in detail about your Rule configuration. You should have this kind of Signature.

  <Signature returnType="boolean">
    <Inputs>
      <Argument type="identity">
        <Description>
          The identity.
        </Description>
      </Argument>
      <Argument type="roleName">
        <Description>
              The name of the sailpoint.object.Bundle (role) that is being
              selected for the Identity.
              If roles are not applicable to this Identity selection, this value
              will be void.
       </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument type="success">
        <Description>
         True if the selection was successful; false otherwise.
       </Description>
      </Argument>
    </Returns>
  </Signature>

I had the return name wrong. I have updated it to match but the role still does not get attached.

Updated code

boolean success = ApprovedDN || AccExists;
log.error("xxx returning success: " + success); // prints out xxx returning success: true
return success;

The rule has this.

The log object associated with the SailPointContext. A sailpoint.api.SailPointContext object that can be used to query the database if necessary. The identity. True if identity meets criteria; false otherwise.

Seems the fault is not in the Rule. Try this Refresh configuration:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition name="Provision" resultAction="Rename" subType="task_item_type_identity" type="Identity">
  <Attributes>
    <Map>
      <entry key="TaskDefinition.runLengthAverage" value="93"/>
      <entry key="TaskDefinition.runLengthTotal" value="49698"/>
      <entry key="TaskDefinition.runs" value="533"/>
      <entry key="TaskSchedule.host" value=""/>
      <entry key="checkHistory" value="false"/>
      <entry key="checkPolicies" value="false"/>
      <entry key="correlateEntitlements" value="true"/>
      <entry key="correlateScope" value="true"/>
      <entry key="deleteDormantGroups" value="true"/>
      <entry key="disableManagerLookup" value="false"/>
      <entry key="doManualActions" value="false"/>
      <entry key="enableManualAccountSelection" value="false"/>
      <entry key="enablePartitioning" value="false"/>
      <entry key="excludeInactive" value="false"/>
      <entry key="filter" value=""/>
      <entry key="filterNeedsRefresh" value="false"/>
      <entry key="forceWorkflow" value="true"/>
      <entry key="includeWindowModified" value="false"/>
      <entry key="keepInactiveViolations" value="false"/>
      <entry key="markDormantScopes" value="false"/>
      <entry key="noAutoCreateScopes" value="false"/>
      <entry key="noMaintenanceWindowRetry" value="false"/>
      <entry key="noResetNeedsRefresh" value="false"/>
      <entry key="noRoleDeprovisioning" value="false"/>
      <entry key="processTriggers" value="false"/>
      <entry key="promoteAttributes" value="true"/>
      <entry key="promoteManagedAttributes" value="true"/>
      <entry key="provision" value="true"/>
      <entry key="refreshCompositeApplications" value="true"/>
      <entry key="refreshGroups" value="false"/>
      <entry key="refreshIdentityEntitlements" value="true"/>
      <entry key="refreshManagerStatus" value="true"/>
      <entry key="refreshRoleMetadata" value="true"/>
      <entry key="refreshScorecard" value="true"/>
      <entry key="refreshThreads" value="12"/>
      <entry key="synchronizeAttributes" value="false"/>
      <entry key="taskCompletionEmailNotify" value="Disabled"/>
      <entry key="taskCompletionEmailRecipients"/>
      <entry key="taskCompletionEmailTemplate"/>
    </Map>
  </Attributes>
  <Description>Perform a provision of select identities.</Description>
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" id="" name="Identity Refresh"/>
  </Parent>
</TaskDefinition>

Most important do you have “Provision assignments” selected in your refresh task options?

Thanks Luis

This is working now.