Capture Provision Exception

Which IIQ version are you inquiring about?

[8.3]

Share all details about your problem, including any error messages you may have received.

Hi All, I am integrating an AIX direct connector. While trying to delete an account I am getting this exception
"<?xml version='1.0' encoding='UTF-8'?>

sailpoint.connector.InvalidResponseException: [ InvalidResponseException ] [ Possible suggestions ] Make sure standalone command works with the UNIX terminal. The standalone command is - /usr/sbin/userdel "bbxxxxx" [ Error details ] Command failed. Status: 1 , Output: Error 0x16 occurred.Warning: User (bbxxxxx) Keystore not removed. "] "

The Application team says, that account is getting deleted, but their custom shell script returns this as a warning.

But the issue is that Sailpoint treats it as an invalid response and does not delete it from the Sailpoint DB. The account gets deleted from Sailpoint only after account aggregation.

The question is: how can I capture this exception so that I can suppress it?

@sahoos9

Do you have any before provisioning rule or after provisioning rule currently on the application? Can you share those along with application.xml?

Below is my PreProvision Rule

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1728911226897" id="0a2da00d92501ea681928b23b8114fcb" language="beanshell" modified="1730167808464" name="Pre-Provisioning - BWA_Unix-PRDU019" type="BeforeProvisioning">
<Description>An IdentityIQ server-side rule that is executed before the connector's provisioning method is called. This gives the customer the ability to customize or react to anything in the ProvisioningPlan BEFORE it is sent to the underlying connectors used in provisioning.

This rule will be called for any application found in a plan that also has a configured 'beforeProvisioningRule' configured.

The plan can be updated directly in the rule by reference and does not need to return the plan.</Description>
<Signature> <Inputs> <Argument name="log" type="org.apache.commons.logging.Log"> <Description> The log object associated with the SailPointContext. </Description> </Argument> <Argument name="context" type="sailpoint.api.SailPointContext"> <Description> A sailpoint.api.SailPointContext object that can be used to query the database if necessary. </Description> </Argument> <Argument name="plan"> <Description> The ProvisioningPlan object on its way to the Connector. </Description> </Argument> <Argument name="application"> <Description> The application object that references this before/after script. </Description> </Argument> </Inputs> </Signature>
```java
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.tools.GeneralException;
import sailpoint.object.Identity;
import java.io.IOException;
import java.util.List;
import org.apache.log4j.Logger;
import sailpoint.object.Application;
import sailpoint.object.Custom;
import sailpoint.tools.Util;
import java.util.ArrayList;
import sailpoint.object.Link;
import sailpoint.api.IdentityService;
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;

Boolean override_disable = true;
Boolean override_delete = true;
Boolean override_enable = true;
List attributeRequests = new ArrayList();
List newGroups = new ArrayList();

log.error("Project before Provisioning Error: " + plan.toXml());

Custom c = new Custom();
String appName = application.getName();

// Returns true when, after removing groupstoBeRemoved, the account's
// remaining groups still contain "staff".
public boolean checkIfLastRole(String empId, List groupstoBeRemoved) {

  List existingGroups = new ArrayList();
  boolean isLastRole = false;

  Identity identity = context.getObjectByName(Identity.class, empId);
  Application application = context.getObjectByName(Application.class, appName);
  IdentityService idServ = new IdentityService(context);
  List tempLinks = idServ.getLinks(identity, application);
  if (null != tempLinks && !tempLinks.isEmpty()) {
    for (Link link : tempLinks) {
      // Copy the value so that removeAll() below does not modify the Link's
      // own attribute, and tolerate a missing or single-valued attribute.
      Object groups = link.getAttribute("groups");
      if (groups instanceof List) {
        existingGroups = new ArrayList((List) groups);
      } else if (groups != null) {
        existingGroups = new ArrayList();
        existingGroups.add(groups);
      }
    }
  }

  if (!existingGroups.isEmpty()) {
    existingGroups.removeAll(groupstoBeRemoved);

    if (existingGroups.contains("staff")) {
      log.error("LastRole");
      isLastRole = true;
    }
  }

  return isLastRole;
}

if (plan != null) {
  log.error("Inside ");
  String empId = plan.getNativeIdentity();
  List newAttList = new ArrayList();
  List emptyAccountRequest = new ArrayList();
  log.error("identity " + empId);
  Identity identity = plan.getIdentity();
  String attrName = null;
  Object groupName = null;
  if (identity != null) {
    log.error("Inside2 ");

    String type = identity.getType();
    String bwid = identity.getAttribute("bw_network_id");
    // Abort provisioning for Non-Human Identity (null-safe comparison)
    if (!"Human".equals(type)) {
      log.error("Rule::CBA Pre-Provisioning - BWA Unix::Aborting attempted Provisioning for Non-Human Identity " + identity.getName());
      // Note: this reassigns only the rule's local variable; the plan object
      // that was passed in is not changed by it.
      plan = new ProvisioningPlan();
      return;
    } else {

      try {

        // Get the request
        List accountRequests = plan.getAccountRequests();
        if (accountRequests != null) {
          for (AccountRequest accReq : accountRequests) {
            if (null != accReq.getOp() && ProvisioningPlan.AccountRequest.Operation.Modify == accReq.getOperation()) {
              String appName = (String) accReq.getApplication();
              Application tempApp = (Application) context.getObjectByName(Application.class, appName);
              String hostname = tempApp.getAttributeValue("host");
              attributeRequests = accReq.getAttributeRequests();
              if (Util.size(attributeRequests) > 0) {
                for (AttributeRequest attrReq : attributeRequests) {
                  attrName = attrReq.getName();
                  groupName = attrReq.getValue();
                  if (groupName != null) {
                    if (groupName instanceof List) {
                      newGroups = (List) groupName;
                    }
                    if (groupName instanceof String) {
                      newGroups.add((String) groupName);
                    }
                  }

                  if ("groups".equalsIgnoreCase(attrName) && "Remove".equalsIgnoreCase(attrReq.getOp().toString())) {

                    log.error("Groups Requested to be Removed - " + newGroups);
                    newAttList.add(attrReq);
                    boolean isLastRole = checkIfLastRole(empId, newGroups);
                    if (isLastRole) {
                      log.error("Role(s) Being Removed is the last role user has access to, delete te acccount");

                      // Turn the Modify request into a Delete of the account
                      accReq.setAttributeRequests(emptyAccountRequest);
                      accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Delete);
                      break;
                    }
                  } else {
                    newAttList.add(attrReq);
                  }
                  accReq.setAttributeRequests(newAttList);
                }
              }

            }
          }
        }

      } catch (Exception e) {
        log.error("Error captured" + e.getMessage());
      }

    }

  }
  log.error("Project after Provisioning : " + plan.toXml());

}
```

--------------After Provision Rule---------------------

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd"> <Rule created="1730091473859" id="0a2da00d929d14758192d17cdbc33cba" language="beanshell" modified="1730197003617" name="CBA_Rule_After-Provisioning - BWA_Unix-PRDU019" type="AfterProvisioning"> <Description>An IdentityIQ server-side rule that is executed after the connector's provisioning method is called. This gives the customer the ability to customize or react to anything in the ProvisioningPlan AFTER it has been sent out to the specific applications.

This rule will be called for any application found in a plan that also has a configured 'afterProvisioningRule' configured.</Description>
<Signature> <Inputs> <Argument name="log" type="org.apache.commons.logging.Log"> <Description> The log object associated with the SailPointContext. </Description> </Argument> <Argument name="context" type="sailpoint.api.SailPointContext"> <Description> A sailpoint.api.SailPointContext object that can be used to query the database if necessary. </Description> </Argument> <Argument name="plan"> <Description> The ProvisioningPlan object on its way to the Connector. </Description> </Argument> <Argument name="application"> <Description> The application object that references this before/after script. </Description> </Argument> <Argument name="result"> <Description> The ProvisioningResult object returned by the connectors provision method. This can be null and in many cases the connector will not return a result and instead will annotate the plan's ProvisioningResult either at the plan or account level. </Description> </Argument> </Inputs> </Signature>
```java
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.tools.GeneralException;
import sailpoint.object.Identity;
import java.io.IOException;
import java.util.List;
import org.apache.log4j.Logger;
import sailpoint.object.Application;
import sailpoint.object.Custom;
import sailpoint.tools.Util;
import java.util.ArrayList;
import sailpoint.object.Link;
import sailpoint.api.IdentityService;
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
import sailpoint.object.ProvisioningResult;

log.error("plan: " + plan.toXml());
log.error("Aferplan: ");

if (null != plan) {

  for (AccountRequest accReq : Util.safeIterable(plan.getAccountRequests())) {
    String acc_NativeIdentity = accReq.getNativeIdentity();

    // Result the connector attached to this account request (may be null)
    ProvisioningResult provisioningResult = accReq.getResult();

    log.error("plan.getresult status" + provisioningResult);

    if (null != provisioningResult) {
      log.error("plan.getresult = {}" + provisioningResult.toXml());

      if ("BWA_Unix - PRDU019".equalsIgnoreCase(accReq.getApplication())
          && accReq.getOperation() == ProvisioningPlan.AccountRequest.Operation.Delete) {

        log.error("provisioningResult.getStatus() " + provisioningResult.getStatus());
        if ("committed".equalsIgnoreCase(provisioningResult.getStatus())) {
          log.error("entered commited check After Prov Rule");

          Identity identity = context.getObjectByName(Identity.class, plan.getNativeIdentity());

        }
      }
    }
  }

}

log.error("Project after Provisioning Error: " + plan.toXml());
```

The ProvisioningResult Object returns Null when the account is deleted and I get the exception.

sailpoint.connector.InvalidResponseException: [ InvalidResponseException ] [ Possible suggestions ] Make sure standalone command works with the UNIX terminal. The standalone command is - /usr/sbin/userdel “bbxxxxx” [ Error details ] Command failed. Status: 1 , Output: Error 0x16 occurred.Warning: User (bbxxxxx) Keystore not removed. "] "

So how can I handle this exception?
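The following is an added example, not part of the thread and not SailPoint or application-team code: a wrapper that reports success for a non-zero `userdel` status only when the output is the keystore warning quoted above and the account is verifiably gone, so that a delete that really failed is never recorded as done. It assumes the wrapper is what gets invoked in place of bare `/usr/sbin/userdel` (how to arrange that is not covered in the thread) and that `id <user>` fails once the account no longer exists; `safe_userdel`, `USERDEL_CMD` and `USER_EXISTS_CMD` are hypothetical names.

```shell
#!/bin/sh
# Added example: tolerate one known userdel warning, and only when the
# account no longer exists. Names below are hypothetical.

USERDEL_CMD=${USERDEL_CMD:-/usr/sbin/userdel}  # command named in the error above
USER_EXISTS_CMD=${USER_EXISTS_CMD:-id}         # assumption: fails when the user is gone

safe_userdel() {
    user=$1

    # Refuse empty names, option-like names and unexpected characters.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "refusing user name: $user" >&2
            return 2 ;;
    esac

    out=$("$USERDEL_CMD" "$user" 2>&1)
    rc=$?
    [ "$rc" -eq 0 ] && return 0

    # Any failure other than the keystore warning is passed through unchanged.
    case $out in
        *"Keystore not removed"*) ;;
        *)
            printf '%s\n' "$out" >&2
            return "$rc" ;;
    esac

    # The warning alone is not enough: the account must really be gone.
    if "$USER_EXISTS_CMD" "$user" >/dev/null 2>&1; then
        printf '%s\n' "$out" >&2
        return "$rc"
    fi

    # Keep the original message on stderr as an audit trail, report success.
    echo "userdel warning tolerated for $user: $out" >&2
    return 0
}
```

The leftover keystore still needs its own cleanup; the wrapper only prevents the warning from masking a successful account removal.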
