Can't retrieve Identity in Web Services Before Operation Rule

Hello everyone,

We are using a custom source for a webservices connector to make REST API calls to a target application. For the create account operation, we are using a before operation rule to perform a couple of staging actions. One of those staging actions requires obtaining information about the target user’s identity.

In other SailPoint posts I’ve seen references to users retrieving the identity from the provisioning plan by calling plan.getIdentity(). That does not work for us. provisioningPlan.getIdentity() works, but returns null. Here is my full code:

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import connector.common.JsonUtil;
import connector.common.Util;
import sailpoint.connector.webservices.EndPoint;
import sailpoint.connector.webservices.WebServicesClient;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Get attributes from the provisioning plan for safe creation
if (provisioningPlan != null) {
    Identity spID = provisioningPlan.getIdentity();

    if (spID == null) {
        log.info("ID is null");
    }

    String email = spID.getAttribute("email");
    log.info(logPrefix + email);  
}

The if statement succeeds in this case, and getAttribute() results in a null pointer error. Am I missing something here? Or is the Identity not accessible in a before operation rule on the WebServices connector?

Unfortunately, this usually only works with internal connectors (like AD, LDAP, etc.). In a Web Services connector, provisioningPlan.getIdentity() often returns null because the identity isn’t automatically bound to the provisioning plan.

In your case, you’ll likely need to manually look up the identity by name, like this:

String idName = provisioningPlan.getIdentityName();

if (idName != null) {
    // Look the identity up by the name carried in the plan
    Identity spID = context.getObjectByName(Identity.class, idName);
    if (spID != null) {
        String email = spID.getEmail();  // or maybe: spID.getAttribute("email")?
    } else {
        // ...
    }
}

Good Luck!

Thanks Siddika,

Is “context” available in ISC? I get an error trying to use it:

  • Error: Illegal value…Remove reference to context

My bad! The context is only available in IdentityIQ!!

In your case, maybe you can extract attributes from the provisioning plan’s AccountRequest, not from the Identity object, something like:

import java.util.List;

ProvisioningPlan plan = (ProvisioningPlan) args.get("plan");

if (plan != null) {
    String identityName = plan.getIdentityName();
    List accountRequests = plan.getAccountRequests();

    if (accountRequests != null && !accountRequests.isEmpty()) {
        for (Object obj : accountRequests) {
            if (obj instanceof ProvisioningPlan.AccountRequest) {
                ProvisioningPlan.AccountRequest acctReq = (ProvisioningPlan.AccountRequest) obj;
                List attrs = acctReq.getAttributeRequests();
                if (attrs == null) {
                    continue;  // request carries no attributes
                }

                for (Object attrObj : attrs) {
                    if (attrObj instanceof ProvisioningPlan.AttributeRequest) {
                        ProvisioningPlan.AttributeRequest attr = (ProvisioningPlan.AttributeRequest) attrObj;
                        // Pick the email attribute out of the request
                        if ("email".equalsIgnoreCase(attr.getName())) {
                            String email = (String) attr.getValue();
                            // ...
                        }
                    }
                }
                // ...
            }
        }
        // ...
    }
}

FYI: If the provisioning plan includes the attributes, you can reliably access those user identity attributes in your Before Operation Rule.

Hope that works!

What is args in this context? I don’t think that’s accessible either.

The primary question is how do we get the identity from the provisioning plan in an ISC before operation rule? I don’t see that clearly documented anywhere. The only thing that does work for me is:

userId = provisioningPlan.getNativeIdentity();

But that’s not enough, I need to get a list of accounts associated with the user. What is the correct way to call SailPoint and retrieve additional details about the user identity?

You really can’t. A web services before operation rule is a connector rule executed on your VA, which cannot query info back in your ISC tenant. Only a Before Provisioning rule (or other cloud rules) have access to these sorts of objects because they are cloud rules executed in the tenant as opposed to the VA for a connector. This is probably what you have seen before.

@jimjohnson A WebServices before operation rule is a connector rule which will not have the identity object in the plan. If you want to retrieve any identity attributes in connector rules, you need to have them added to the provisioning plan using a before provisioning rule.

Check this post:
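
The split described in the last two replies, as an added example that is not code from this thread, from the post referenced above, or from SailPoint: a Before Provisioning rule copies the identity's email into the plan, and the Web Services Before Operation rule reads it back. It assumes `plan.getIdentity()` is populated in the cloud rule and that `requestEndPoint` is what the Before Operation rule returns; `identityEmail` is a hypothetical attribute name.

```java
// ---- Rule 1: Before Provisioning rule (cloud rule, runs in the tenant) ----
// Assumption: `plan` is this rule's ProvisioningPlan input and plan.getIdentity()
// is populated here, unlike in the connector rule.
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

Identity identity = plan.getIdentity();
if (identity != null && plan.getAccountRequests() != null) {
    Object email = identity.getAttribute("email");
    for (AccountRequest req : plan.getAccountRequests()) {
        // Only stage the value on create requests, and only when it exists.
        if (email != null && AccountRequest.Operation.Create.equals(req.getOperation())) {
            // "identityEmail" is a hypothetical attribute name chosen for this example.
            req.add(new AttributeRequest("identityEmail", ProvisioningPlan.Operation.Set, email));
        }
    }
}

// ---- Rule 2: Web Services Before Operation rule (connector rule, runs on the VA) ----
// Reads the staged value back out of the plan; no Identity or context lookup.
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String email = null;
if (provisioningPlan != null && provisioningPlan.getAccountRequests() != null) {
    for (AccountRequest req : provisioningPlan.getAccountRequests()) {
        if (req.getAttributeRequests() == null) continue;
        for (AttributeRequest attr : req.getAttributeRequests()) {
            if ("identityEmail".equals(attr.getName()) && attr.getValue() != null) {
                email = attr.getValue().toString();
            }
        }
    }
}
if (email == null) {
    // Fail with a clear message instead of a NullPointerException later in the rule.
    throw new IllegalStateException("identityEmail missing from provisioning plan");
}
// Log that the attribute was found, not its value, to keep personal data out of VA logs.
log.info("identityEmail found in provisioning plan");
// Assumption: requestEndPoint is the rule's EndPoint input, returned unchanged here.
return requestEndPoint;
```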