We are using a custom source for a webservices connector to make REST API calls to a target application. For the create account operation, we are using a before operation rule to perform a couple of staging actions. One of those staging actions requires obtaining information about the target user’s identity.
In other SailPoint posts I’ve seen references to users retrieving the identity from the provisioning plan by calling plan.getIdentity(). That does not work for us. provisioningPlan.getIdentity() works, but returns null. Here is my full code:
    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.Map;
    import java.util.concurrent.TimeUnit;
    import connector.common.JsonUtil;
    import connector.common.Util;
    import sailpoint.connector.webservices.EndPoint;
    import sailpoint.connector.webservices.WebServicesClient;
    import sailpoint.object.Application;
    import sailpoint.object.Identity;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;

    // Get attributes from the provisioning plan for safe creation
    if (provisioningPlan != null) {
        Identity spID = provisioningPlan.getIdentity();
        if (spID == null) {
            log.info("ID is null");
        }
        // Execution falls through even when spID is null, so the next line dereferences null
        String email = (String) spID.getAttribute("email");
        log.info(logPrefix + email);
    }
The if statement succeeds in this case, and getAttribute() results in a null pointer error. Am I missing something here? Or is the Identity not accessible in a before operation rule on the WebServices connector?
Unfortunately, this usually only works with internal connectors (like AD, LDAP, etc.). In a Web Services connector, provisioningPlan.getIdentity() often returns null because the identity isn’t automatically bound to the provisioning plan.
In your case, you’ll likely need to manually look up the identity by name, like this:
    String idName = provisioningPlan.getIdentityName();
    if (idName != null) {
        // Look the identity up by the name carried on the plan
        Identity spID = context.getObjectByName(Identity.class, idName);
        if (spID != null) {
            String email = spID.getEmail(); // or maybe: spID.getAttribute("email")?
        } else {
            // ...
        }
    }
What is args in this context? I don’t think that’s accessible either.
The primary question is how do we get the identity from the provisioning plan in an ISC before operation rule? I don’t see that clearly documented anywhere. The only thing that does work for me is:
    userId = provisioningPlan.getNativeIdentity();
But that’s not enough, I need to get a list of accounts associated with the user. What is the correct way to call SailPoint and retrieve additional details about the user identity?
You really can’t. A web services before operation rule is a connector rule executed on your VA, which cannot query info back in your ISC tenant. Only a Before Provisioning rule (or other cloud rules) has access to these sorts of objects, because they are cloud rules executed in the tenant as opposed to the VA for a connector. This is probably what you have seen before.
@jimjohnson WebServices before operation rule is a connector rule which will not have identity object in the plan. If you want to retrieve any identity attributes in connector rules, you need to have them added to provisioning plan using before provisioning rule.
But what if inside the before rule you make an HTTP call to the ISC API using the Get Identity Details request and get the attributes from the response?
In connector rules, you usually cannot reference the Identity object. If you want a specific identity attribute in your rule, you might want to either pass it into the plan arguments from before provisioning rule, or use the provisioning policies to inject it.
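The hand-off the reply above describes, as an added example that is not code from the thread and not SailPoint's own: the cloud-side Before Provisioning rule copies the two identity attributes the connector needs onto the account request as plan arguments, and the VA-side Web Services before operation rule reads them back instead of dereferencing the Identity it cannot see. Assumed, not taken from the thread: the argument names idn_email and idn_department, the identity attribute names email and department, that plan.getIdentity() is populated in the cloud rule (the thread states only cloud rules have the identity), that requestEndPoint.getBody() keeps the request JSON under a jsonBody key, and that Jackson is on the VA classpath. Both parts are written in the BeanShell-compatible Java subset ISC rules use (no generics).

```java
// ---------- Part 1: Before Provisioning rule (cloud; inputs: plan, application, log) ----------
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Assumption: cloud rules see the identity on the plan (the thread says only cloud rules do).
Identity identity = plan.getIdentity();
List requests = plan.getAccountRequests();
if (identity != null && requests != null) {
    for (int i = 0; i < requests.size(); i++) {
        AccountRequest ar = (AccountRequest) requests.get(i);
        // Decorate only create requests for this source, so other connectors never receive
        // identity data they do not need (forward the least data possible).
        if (application.getName().equals(ar.getApplication())
                && AccountRequest.Operation.Create.equals(ar.getOperation())) {
            // Hypothetical argument names and identity attribute names.
            ar.addArgument("idn_email", identity.getAttribute("email"));
            ar.addArgument("idn_department", identity.getAttribute("department"));
        }
    }
}

// ---------- Part 2: Web Services before operation rule (VA; inputs: application,
// requestEndPoint, provisioningPlan, log) ----------
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import com.fasterxml.jackson.databind.ObjectMapper;

// Pull one forwarded argument off the plan; every level may be null, so never assume it.
String planArg(ProvisioningPlan p, String name) {
    if (p == null || p.getAccountRequests() == null) {
        return null;
    }
    List reqs = p.getAccountRequests();
    for (int i = 0; i < reqs.size(); i++) {
        AccountRequest ar = (AccountRequest) reqs.get(i);
        Map args = ar.getArguments();
        if (args != null && args.get(name) != null) {
            return String.valueOf(args.get(name));
        }
    }
    return null;
}

String email = planArg(provisioningPlan, "idn_email");
String department = planArg(provisioningPlan, "idn_department");
if (email == null) {
    // Fail loudly: a missing argument means the cloud rule is absent or mis-scoped,
    // not that the identity has no email.
    throw new IllegalStateException(
        "idn_email not found on the plan; is the Before Provisioning rule deployed for this source?");
}

// Stage the values into the outgoing request body. Assumption: the body map keeps the
// JSON string under "jsonBody" and Jackson is available on the VA.
Map body = requestEndPoint.getBody();
String json = (body == null) ? null : (String) body.get("jsonBody");
ObjectMapper mapper = new ObjectMapper();
Map payload = (json == null) ? new HashMap() : (Map) mapper.readValue(json, Map.class);
payload.put("email", email);
payload.put("department", department);
if (body == null) {
    body = new HashMap();
}
body.put("jsonBody", mapper.writeValueAsString(payload));
requestEndPoint.setBody(body);
```

The VA-side rule treats a missing argument as a deployment error rather than silently sending an incomplete create request, which is the failure mode that is otherwise hard to spot: the account gets created, just without the staged data.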
But what if inside the before rule you make an HTTP call to the ISC API using the Get Identity Details request and get the attributes from the response?
This is exactly what we ended up doing. We had a secure way to pass API credentials into the before operation rule, so we just added logic to call the SailPoint API, get a bearer token, then make calls to get the user identity and associated accounts.
But it’s clunky and overly complex. It would be nicer if SailPoint had a way to configure API credentials in the source config, or another method to call the SailPoint API from a before operation rule without having to deal with the authentication piece in code.
I’m new-ish to SailPoint, but all of this feels poorly documented between before provisioning/before operation rules and IIQ vs. ISC. It feels like SailPoint pushes things to the developer forum in lieu of documenting it properly.
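What the poster describes doing, as an added example that is not the thread's code and not SailPoint's own: a VA-side Web Services before operation rule that takes the tenant API URL and a client-credentials pair from the source configuration rather than from the rule text, obtains a bearer token, resolves the identity through the v3 search API and lists its accounts through /v3/accounts. Assumed, not from the thread: the configuration attribute names iscApiBaseUrl, iscClientId and iscClientSecret, that the plan's native identity (the one call the poster reports working) equals the identity's uid, indexed as name in search, and that Jackson is on the VA classpath. The rule body is the BeanShell-compatible Java subset ISC rules use.

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.List;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

// Credentials and base URL come from the source configuration, never from the rule text.
// Hypothetical attribute names; e.g. iscApiBaseUrl = https://<tenant>.api.identitynow.com
String apiBase = (String) application.getAttributeValue("iscApiBaseUrl");
String clientId = (String) application.getAttributeValue("iscClientId");
String clientSecret = (String) application.getAttributeValue("iscClientSecret");
ObjectMapper mapper = new ObjectMapper();

// Minimal HTTP helper: returns the response body and throws on non-2xx, so callers
// never parse an error page as data. Only the status is logged; error bodies may echo
// request details.
String http(String method, String url, String bearer, String contentType, String body) throws Exception {
    HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
    conn.setRequestMethod(method);
    conn.setConnectTimeout(5000);
    conn.setReadTimeout(15000);
    conn.setRequestProperty("Accept", "application/json");
    if (bearer != null) {
        conn.setRequestProperty("Authorization", "Bearer " + bearer);
    }
    if (body != null) {
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", contentType);
        OutputStream os = conn.getOutputStream();
        os.write(body.getBytes("UTF-8"));
        os.close();
    }
    int status = conn.getResponseCode();
    InputStream in = (status >= 200 && status < 300) ? conn.getInputStream() : conn.getErrorStream();
    StringBuilder sb = new StringBuilder();
    if (in != null) {
        BufferedReader rd = new BufferedReader(new InputStreamReader(in, "UTF-8"));
        String line;
        while ((line = rd.readLine()) != null) {
            sb.append(line);
        }
        rd.close();
    }
    if (status < 200 || status >= 300) {
        throw new RuntimeException("ISC API " + method + " " + url + " returned HTTP " + status);
    }
    return sb.toString();
}

// Step 1: client-credentials token. The secret travels in the form body, not the query string.
String form = "grant_type=client_credentials"
    + "&client_id=" + URLEncoder.encode(clientId, "UTF-8")
    + "&client_secret=" + URLEncoder.encode(clientSecret, "UTF-8");
JsonNode tokenJson = mapper.readTree(
    http("POST", apiBase + "/oauth/token", null, "application/x-www-form-urlencoded", form));
String bearer = tokenJson.path("access_token").asText("");
if (bearer.length() == 0) {
    throw new RuntimeException("ISC token response did not contain access_token");
}

// Step 2: resolve the identity. Assumption: the plan's native identity is the identity's uid.
// Escape the value before embedding it in the search query and refuse ambiguous results.
String uid = provisioningPlan.getNativeIdentity();
String safeUid = uid.replace("\\", "\\\\").replace("\"", "\\\"");
ObjectNode search = mapper.createObjectNode();
search.putArray("indices").add("identities");
search.putObject("query").put("query", "name:\"" + safeUid + "\"");
JsonNode hits = mapper.readTree(
    http("POST", apiBase + "/v3/search", bearer, "application/json", mapper.writeValueAsString(search)));
if (!hits.isArray() || hits.size() != 1) {
    throw new RuntimeException("Expected exactly one identity for uid " + uid + ", got " + hits.size());
}
String identityId = hits.get(0).path("id").asText();
String email = hits.get(0).path("email").asText("");

// Step 3: list the identity's accounts, filtering server-side on identityId.
String filter = URLEncoder.encode("identityId eq \"" + identityId + "\"", "UTF-8");
JsonNode accounts = mapper.readTree(
    http("GET", apiBase + "/v3/accounts?filters=" + filter, bearer, null, null));
List accountNames = new ArrayList();
for (int i = 0; i < accounts.size(); i++) {
    accountNames.add(accounts.get(i).path("sourceName").asText() + ":"
        + accounts.get(i).path("nativeIdentity").asText());
}
log.info("identity " + identityId + " (" + email + ") has " + accountNames.size() + " accounts: " + accountNames);
```

Keeping the credentials on the source record rather than in the rule body is what makes this workable: rule text is exported, versioned and reviewed, and a client secret pasted into it would follow it everywhere. The exact-one-match check on the search result matters as well; a uid that matches nothing or matches several identities should stop the create, not silently stage another user's data.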