Assistance Required: Issue with Entitlement Requests for IT Roles in Web Service Application

Hi All,

I am working on a web service application. I had configured the application, and it was working correctly when requests were made for either multiple entitlements or a single entitlement directly.

Below is the plan during direct entitlements were requested.

image1819×453 19 KB

The application Team requirements have changed. Now, requests will be submitted for a single IT role that includes multiple associated entitlements. (Note: I have two group objects for this purpose(roleproductcambo and Entity).) I have updated the BeforeOperationRule for both group objects accordingly. The requested entitlements, which are tagged under the IT requestable role, are being added to the user on Target system. However, the access request is failing with the following errors:

Error Exception while updating account.
Url: https://sbus.api.blackline.com/v1/users/3594/entities
Message: 409 : {“detail”:“Entities: 1306,955 or parents already assigned to user.”,“status”:409,“title”:“Conflict”}, HTTP Error Code: 409

Error Exception while updating account.
Url: https://sbus.api.blackline.com/v1/users/3594/roles-products
Message: 400 : Bad Request : {“detail”:“Product and roles already assigned:(A, 7), (C, 7)”,“status”:400,“title”:“Bad Request”}, HTTP Error Code: 400

This means the system is trying to add the same entitlements repeatedly. Could someone please guide me on how to resolve this issue? It occurs during both Create and Update operations. I have also tried updating the entitlements one by one, but the problem persists—it keeps trying to add the entitlement from the first index every time. Please advise on how this can be handled.

Here is the plan for raising a request for an IT role:

<AttributeRequest name="roleProductComboValue" op="Add" trackingId="9b0b836958ed488eae036a1ad1fe6b7d">
  <Value>
    <List>
      <String>7;A</String>
      <String>7;C</String>
    </List>
  </Value>
</AttributeRequest>

Note: For direct entitlement requests, a separate AttributeRequest is created for each entitlement. However, when a request is made for a single IT role, a single AttributeRequest is created that includes all associated entitlements. (See above)

Regards,

Venu

@Venu9000 - Here is my input

1. Set addRemoveEntInSingleReq to true - Forces SailPoint to send all entitlements in one JSON array instead of multiple calls.
2. Update JSON Body - Change the body to {“entities”: $plan.entities$} to match the array format.

Regards,

Kannan

I already tried this. since I have 2 group objects it didn’t work for both.

can you share your before operation rule for what you are using, I can have a look, and see if it handles everything.

did you Apply the Same Logic for the Entity Group Object??

@Venu9000 Could you please share your before‑operation rule? That will help us identify the exact gap.

@Venu9000 Is it possible for you to print and share the plan how it looks like? Possibly something is wrong with your before provisioning or before operation rule as well, like other’s said, please share these artefacts for review.