Bulk AccessProfile tool - entitlementList is not properly formatted

Hello,

I was playing around with the Bulk AccessProfile utility tool, and when executing the Ruby script, I receive the following error:

INFO : Role Importer Tool : >>> Processing line #1 : task createAccessProfile <<<
INFO : Access Profile Creation : Creating/Updating Access Profile
ERROR : Access Profile Creation : entitlementList is not properly formatted, it should be attr1:ent1;attr2:ent2, the provided value is : “SLP-GroupA - Access Group”
ERROR : Access Profile Creation : Line 1 : There is a problem with provided values, possible problems are : name is not present, description not present, source not present or does not exist, owner not present or does not exist, entitlement list not properly formatted or an entitlement does not exist in the system.

This is my first time utilizing the tool, and I am not fairly sure why it is failing. The .csv file has the following:

createAccessProfile,BulkProfile Test,Testing bulk tool,Active Directory (domain.name),SLP-GroupA - Access Group,Admin.Username

Per SailPoint documentation, the format of the entitlement seems to be fine. I can confirm the entitlement does exist. I manually enter the name, so there shouldn’t be any weird characters. I didn’t see anyone else reporting similar issues within the developer community.

Any input would be appreciated.

Thank you!

Hello Ricardo,

Try reading the read.md file inside the zip folder for using this tool. The documentation given on the community portal is for an older version.

Try specifying entitlements in the following way:

attribute1:entitlement1-name ; attribute2:entitlement2-name

createAccessProfile,BulkProfile Test,Testing bulk tool,Active Directory (domain.name),attribute1:SLP-GroupA - Access Group,Admin,

Following image might help:

2 Likes

I get a similar issue. I am not entirely certain what the attribute1:entitlement1-name ; attribute2:entitlement2-name syntax or format is looking for here.

1 Like

More specifically, I get the "those entitlements were not found [“EntitlementName”]" error when the entitlement's name is spelled correctly and verified within the source listed.
I am not sure what specifically is an entitlement and what an attribute name is here.

Hello Christian,

Can you provide more details about the error you are experiencing? This may help in troubleshooting.

The access profile gets created, but I believe I am entering the format for the entitlements incorrectly.

Log file:
INFO : Role Importer Tool : >>> Processing line #1 : task createAccessProfile <<<
INFO : Access Profile Creation : Creating/Updating Access Profile
INFO : Access Profile Creation : Getting Entitlements IDs for Source AD-XXX (1 entitlements requested)
WARNING : Access Profile Creation : those entitlements were not found [“IT-XXX-AD”]
INFO : Access Profile Creation : Found 0 out of 1 wanted entitlements
INFO : Access Profile Creation : TEST-TEST already exists and will be updated
INFO : Access Profile Update : TEST-TEST updated Successfully
INFO : Access Profile Creation : Access Profile TEST-TEST creation successfully

csv file first few columns:
createAccessProfile TEST-TEST this is a test AD-XXX attribute1:IT-XXX-AD Identity.admins

Hello Mehul,

Your suggestion fixed the issue that I was having originally. However, similar to Christian, I am receiving the same error that the entitlement was not found. I have confirmed that my source, along with the entitlement name, is spelled correctly, and it does exist. I can also view that entitlement within the SLP portal if searching for it manually.

When running the script, the access profile is created, but without the specified entitlement. I tried adding quotes to it in case the “-” was causing issues, but it threw an error about the formatting.

I am attaching a screenshot of the error that I am getting.

Thank you

Hello Ricardo,

Each entitlement (object) has an attribute and a value associated with it. As highlighted with yellow in the image below:

You just need to check the attribute and value of the entitlements that you want to add to the access profile, then pass the attribute:value for each entitlement, separated by semicolons.
For example: from the shared image, the entitlement (object) has an attribute equal to groups and a value equal to xyz, so the command in the csv file would be:
createAccessProfile,BulkProfile Test,Testing bulk tool,test-source,groups:xyz,Admin,

For multiple entitlements:
createAccessProfile,BulkProfile Test,Testing bulk tool,test-source,groups:xyz1;groups:xyz2;groups:xyz3,Admin.Username

3 Likes

Hello Christian,

The above post may also help you resolve your issue.

3 Likes

Please note that this roleImporter Ruby script won't work after March, as it uses old /cc and /v2 APIs that are being decommissioned/turned off.

Hello Jason,

In the current version 10 (updated on 2024-01-24), SailPoint has almost replaced most of the cc API endpoints with Beta or V3 APIs within the Ruby script, but there are still some cc APIs.

I think they would update the remaining cc APIs before they get deprecated.

2 Likes

Thanks for the update!

1 Like

Hello Mehul,

Thank you for the suggestion. In my case, the “value” field is the canonical name (CN) of the Active Directory group, which includes commas. As a result, it confuses the Ruby script into thinking that those are associated with the different header values such as “Require User Request Comments”.

I tried adding double quotes, but I get the following error:

:/Ruby32-x64/lib/ruby/3.2.0/csv/parser.rb:1077:in `parse_quotable_robust': Illegal quoting in line 1. (CSV::MalformedCSVError)
        from C:/Ruby32-x64/lib/ruby/3.2.0/csv/parser.rb:1007:in `block in parse_quotable_loose'
        from C:/Ruby32-x64/lib/ruby/3.2.0/csv/parser.rb:52:in `block in each_line'
        from C:/Ruby32-x64/lib/ruby/3.2.0/csv/parser.rb:49:in `each_line'
        from C:/Ruby32-x64/lib/ruby/3.2.0/csv/parser.rb:49:in `each_line'
        from C:/Ruby32-x64/lib/ruby/3.2.0/csv/parser.rb:963:in `parse_quotable_loose'
        from C:/Ruby32-x64/lib/ruby/3.2.0/csv/parser.rb:406:in `parse'
        from ./roleImporter.rb:in `each'

Using single quotes, I receive a slightly different error:

INFO    : Role Importer Tool : >>> Processing line #1 : task createAccessProfile <<<
INFO    : Access Profile Creation : Creating/Updating Access Profile
ERROR   : Access Profile Creation : Line 1 : There is a problem with provided values, possible problems are : name is not present, description not present, source not present or does not exist, owner not present or does not exist, entitlement list not properly formatted or an entitlement does not exist in the system.

I tried different formats for the CSV file:

createAccessProfile,BulkProfile Test,Testing bulk tool,Active Directory (domain.name),attribute1:CN=SLP-NAME - GROUP NAME,OU=OU_NAME,OU=OU_NAME,OU=SailPoint Sandbox,DC=DOMAIN,DC=DOMAIN, Admin.Username

createAccessProfile,BulkProfile Test,Testing bulk tool,Active Directory (domain.name),attribute1:'CN=SLP-NAME - GROUP NAME,OU=OU_NAME,OU=OU_NAME,OU=SailPoint Sandbox,DC=DOMAIN',DC=DOMAIN, Admin.Username

createAccessProfile,BulkProfile Test,Testing bulk tool,Active Directory (domain.name),attribute1:"CN=SLP-NAME - Group NAME,OU=OU_NAME,OU=OU_NAME,OU=SailPoint Sandbox,DC=DOMAIN',DC=DOMAIN", Admin.Username

createAccessProfile,BulkProfile Test,Testing bulk tool,Active Directory (domain.name),"attribute1:CN=SLP-NAME - Group NAME,OU=OU_NAME,OU=OU_NAME,OU=SailPoint Sandbox,DC=DOMAIN',DC=DOMAIN", Admin.Username

I also tried replacing “attribute1” with “memberOf”, as well as “groups”, but I am still running into the same issues mentioned above.

Any suggestions?

Thank you,
Ricardo T.

Thank you for the update. Syntax-wise, the read-me file and other additional notes make it a troubleshooting process to figure out the required information for each column. I am running into a similar issue with createRole. The createAccessProfile syntax/details have been ironed out per the above comment.

1 Like

FYI, I believe this tool uses V2 APIs (or it did when I last downloaded it).

You can open the script and look for /v2/.

I believe these APIs deprecate at the end of the month.

Hi Chad,

Thank you for the heads up. As far as I can tell, this is using V3. I downloaded it from SLP site a few weeks ago. I don’t see any mention of /v2, only /v3 (e.g., IDN.api_get(endpoint:"/v3/roles?count=true&limit=#{limit}&offset=#{offset}",headerKey:"X-Total-Count")).

Thank you,
Ricardo T.

Great news! I was worried that tool was going away with the v2 deprecations.

It’s important to note that the update to v3 also has added a significant number of additional features.

We used to have separate scripts for Create Application, etc. They have all been added to this single script.

The HTML documentation has not yet been updated. The Readme in the download lists these out, along with details.

Hello Ricardo,

Please try specifying it in the following way; it worked for me:

createAccessProfile,BulkProfile Test,Testing bulk tool,Active Directory (domain.name),"memberOf:CN=SLP-NAME - GROUP NAME,OU=OU_NAME,OU=OU_NAME,OU=SailPoint Sandbox,DC=DOMAIN,DC=DOMAIN",Admin.Username

You can also try editing the .csv file using Microsoft Excel:

1 Like
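
The quoting behaviour discussed in this thread, as an added Ruby example that is not part of the original posts or of roleImporter.rb: it builds a createAccessProfile row with Ruby's CSV library so a comma-containing DN stays in one column, and shows how the unquoted and mid-field-quoted variants parse. The column order is taken from the rows posted above; the helper names and the attr:value;attr:value splitting rule (inferred from the tool's error message) are assumptions.

```ruby
require "csv"

# Added illustration, not code from roleImporter.rb. Column order as posted in
# the thread: task, name, description, source, entitlement list, owner.

# Split "attr1:ent1;attr2:ent2" into [attribute, value] pairs (assumed rule:
# only the first ":" separates attribute from value). nil means malformed.
def parse_entitlement_list(field)
  pairs = field.to_s.split(";").map(&:strip).reject(&:empty?)
  return nil if pairs.empty?
  pairs.map do |pair|
    attr, value = pair.split(":", 2)
    return nil if attr.to_s.strip.empty? || value.to_s.strip.empty?
    [attr.strip, value.strip]
  end
end

# Build one row; CSV.generate_line wraps any field containing a comma in
# double quotes, so a DN cannot spill into the following columns.
def access_profile_row(name, description, source, entitlements, owner)
  list = entitlements.map { |attr, value| "#{attr}:#{value}" }.join(";")
  CSV.generate_line(["createAccessProfile", name, description, source, list, owner])
end

# Parse a row with Ruby's CSV library and report errors instead of raising.
def check_row(line)
  fields = CSV.parse_line(line)
  { fields: fields.size, entitlements: parse_entitlement_list(fields[4]) }
rescue CSV::MalformedCSVError => e
  { error: e.message }
end

# Constructed sample values, modelled on the placeholders used in the thread.
DN = "CN=SLP-NAME - GROUP NAME,OU=OU_NAME,OU=SailPoint Sandbox,DC=DOMAIN,DC=DOMAIN"
PREFIX = "createAccessProfile,BulkProfile Test,Testing bulk tool,Active Directory (domain.name),"
GOOD_ROW = access_profile_row("BulkProfile Test", "Testing bulk tool",
                              "Active Directory (domain.name)",
                              [["memberOf", DN]], "Admin.Username")
UNQUOTED_ROW = "#{PREFIX}memberOf:#{DN},Admin.Username"          # DN splits on its commas
MIDFIELD_QUOTE_ROW = "#{PREFIX}memberOf:\"#{DN}\",Admin.Username" # quote opens mid-field

if __FILE__ == $PROGRAM_NAME
  puts GOOD_ROW
  [GOOD_ROW, UNQUOTED_ROW, MIDFIELD_QUOTE_ROW].each { |row| p check_row(row) }
end
```

Generating the file through a CSV writer (or a spreadsheet export) rather than typing quotes by hand avoids both failure modes: the quote has to open at the very start of the field, before the attribute name.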

Hello Christian,

Can you share more details about the error you are getting while using createRole ?