CertificationSignOffApprover throwing error

Which IIQ version are you inquiring about?

Version 8.3

Please share any other relevant files that may be required (for example, logs).

logs (22.9 KB)

Share all details related to your problem, including any error messages you may have received.

Hi All,

We are trying to run a targeted certification with 2 level of access reviews, 1st to manager and 2nd to the VP in the certifier hierarchy.
But we are getting the below error, while retrieving the identity object using “certifier.getManager()”.
“the application script threw an exception: org.hibernate.LazyInitializationException: could not initialize proxy [sailpoint.object.Identity#] - no Session BSF info: AWS Test at line: 0 column: columnNo”
The basic code we are trying is as below:

import sailpoint.object.Certification;
import sailpoint.object.Identity;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;
Logger log = Logger.getLogger("rule.AWS_Test");
log.setLevel(Level.DEBUG);

Map results = new HashMap();
log.debug("*******Prajtest1*******");
List history = certification.getSignOffHistory();
                
log.debug("*******Prajtest2*******" + history.size());
if (history == null ||  history.size() < 2 )
{
	log.debug("*******Prajtest3*******");
	Identity identity = certifier.getManager();
	String certifierMgmtLvl = certifier.getAttribute("title");
	log.debug("*******Prajtest4*******"+certifierMgmtLvl);
	boolean foundVP = false;
    
	log.debug("*******Prajtest5*******");
	Identity idenVP = null;
  	while(!foundVP)
	{	
		log.debug("*******Prajtest6*******");
		idenVP = certifier.getManager();
		log.debug("*******Prajtest7*******"+ idenVP.getName());
		String vpMgmtLvl = idenVP.getAttribute("title");
		log.debug("*******Prajtest8*******");
		if(vpMgmtLvl!=null && vpMgmtLvl.startsWith("VP"))
		{
			log.debug("*******Prajtest9*******");
			foundVP = true;
			results.put("identity",identity);
			return results;		    		
		}				
		log.debug("*******Prajtest10*******");
		idenVP = idenVP.getManager();  	
		log.debug("*******Prajtest11*******");					
	}
	log.debug("*******Prajtest12*******");
 	return null;
}
else
{
	log.debug("*******Prajtest13*******");
	return null;
 }

Any suggestions would be helpful!

Thanks
Prajna

Identity identity = certifier.getManager();

Try not to store and directly use it. let me know if that works or not. if you paste while code also then it would help to understand.

Thanks,

Hi Pavin,

I have already attached the code we are currently trying to develop. We tried the below as well
Identity identity = certifier.getManager();
String certifierMgmtLvl = identity .getAttribute(“title”); ---- This line again gives the same error.

Try this,
Get the name of manager then get the object

String managerName =certifier.getManager().getName();
Identity managerObj = context.getObjectByName(Identity.class, managerName);

Hi Abhinav,

I updated the CertificationSignOffApprover Rule below with the code you mentioned. Still getting the same error. Attaching the logs

import sailpoint.object.Certification;
import sailpoint.object.Identity;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;
Logger log = Logger.getLogger("rule.AWS_Test");
log.setLevel(Level.DEBUG);

Map results = new HashMap();
log.debug("*******Prajtest1*******");
List history = certification.getSignOffHistory();
                
log.debug("*******Prajtest2*******" + history.size());
if (history == null ||  history.size() < 2 )
{
	log.debug("*******Prajtest3*******");
  String managerName =certifier.getManager().getName();
  log.debug("*******Prajtest3-1a*******");
  log.debug("*******Prajtest3-1*******"+managerName);
	Identity managerObj = context.getObjectByName(Identity.class, managerName);
   log.debug("*******Prajtest3-2*******");
	//Identity identity = certifier.getManager();
	String certifierMgmtLvl = managerObj.getAttribute("title");
	log.debug("*******Prajtest4*******"+certifierMgmtLvl);
	boolean foundVP = false;
    
	log.debug("*******Prajtest5*******");
	Identity idenVP = null;
  	while(!foundVP)
	{	
		log.debug("*******Prajtest6*******");
		idenVP = certifier.getManager();
		log.debug("*******Prajtest7*******"+ idenVP.getName());
		String vpMgmtLvl = identity.getAttribute("title");
		log.debug("*******Prajtest8*******");
		if(vpMgmtLvl!=null && vpMgmtLvl.startsWith("VP"))
		{
			log.debug("*******Prajtest9*******");
			foundVP = true;
			results.put("identity",identity);
			return results;		    		
		}				
		log.debug("*******Prajtest10*******");
		idenVP = idenVP.getManager();  	
		log.debug("*******Prajtest11*******");
						
	}
	log.debug("*******Prajtest12*******");
 	return null;
}
else
{
	log.debug("*******Prajtest13*******");
	return null;
 }

Logs:

2024-01-30T17:51:26,834 DEBUG http-nio-8080-exec-2 rule.AWS_Test:-1 - *******Prajtest1*******
2024-01-30T17:51:26,834 DEBUG http-nio-8080-exec-2 rule.AWS_Test:-1 - *******Prajtest2*******1
2024-01-30T17:51:26,835 DEBUG http-nio-8080-exec-2 rule.AWS_Test:-1 - *******Prajtest3*******
2024-01-30T17:51:26,836 ERROR http-nio-8080-exec-2 org.apache.bsf.BSFManager:451 - Exception:
java.security.PrivilegedActionException: null
Caused by: org.apache.bsf.BSFException: The application script threw an exception: org.hibernate.LazyInitializationException: could not initialize proxy [sailpoint.object.Identity#0ad0dcac81d417cf8181d894148576c8] - no Session BSF info: AWS_Test at line: 0 column: columnNo

try :

String certifierMgmtLvl = certifier.getManager() != null ? certifier.getManager().getAttribute("title") : null;

check if that works.

It always keeps giving error with anything involving certifier.getManager(). Updated the initial part of the mentioned code as below

log.debug("*******Prajtest2*******" + history.size());
if (history == null ||  history.size() < 2 )
{
	log.debug("*******Prajtest3*******");
  /*String managerName =certifier.getManager().getName();
  log.debug("*******Prajtest3-1a*******");
  log.debug("*******Prajtest3-1*******"+managerName);
	Identity managerObj = context.getObjectByName(Identity.class, managerName);*/
   log.debug("*******Prajtest3-2*******");
	//Identity identity = certifier.getManager();
	String certifierMgmtLvl = certifier.getManager() != null ? certifier.getManager().getAttribute("title") : null;
	log.debug("*******Prajtest4*******"+certifierMgmtLvl);
	boolean foundVP = false;
	log.debug("*******Prajtest5*******");
	Identity idenVP = null;

same exception

ssssssssssssss2024-01-30T20:52:36,800 DEBUG http-nio-8080-exec-6 rule.AWS_Test:-1 - *******Prajtest1*******
2024-01-30T20:52:36,801 DEBUG http-nio-8080-exec-6 rule.AWS_Test:-1 - *******Prajtest2*******1
2024-01-30T20:52:36,802 DEBUG http-nio-8080-exec-6 rule.AWS_Test:-1 - *******Prajtest3*******
2024-01-30T20:52:36,803 DEBUG http-nio-8080-exec-6 rule.AWS_Test:-1 - *******Prajtest3-2*******
2024-01-30T20:52:36,803 ERROR http-nio-8080-exec-6 org.apache.bsf.BSFManager:451 - Exception:
java.security.PrivilegedActionException: null

try 

String certIdnId =certifier.getId();
Identity certObj = context.getObjectById(Identity.class, certIdnId);
String certifierMgmtLvl = certObj.getManager() != null ? certObj.getManager().getAttribute("title") : null;

Hi Pravin,

That part of the code works but looks like I cannot save the certifier’s manager in an identity object, I am not sure how to find the VP hierarchy if it cannot be saved.

import sailpoint.object.Certification;
import sailpoint.object.Identity;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;
Logger log = Logger.getLogger("rule.AWS_Test");
log.setLevel(Level.DEBUG);

Map results = new HashMap();
log.debug("*******Prajtest1*******");
List history = certification.getSignOffHistory();
                
log.debug("*******Prajtest2*******" + history.size());
if (history == null ||  history.size() < 2 )
{
	log.debug("*******Prajtest3*******");

	//Identity identity = certifier.getManager();
  String certIdnId =certifier.getId();
  log.debug("*******Prajtest3-a*******");
	Identity certObj = context.getObjectById(Identity.class, certIdnId);
  log.debug("*******Prajtest3-b*******");
	String certifierMgmtLvl = certObj.getManager() != null ? certObj.getManager().getAttribute("title") : null;
  log.debug("*******Prajtest3-c*******");
	log.debug("*******Prajtest4*******"+certifierMgmtLvl);
	boolean foundVP = false;
    
	log.debug("*******Prajtest5*******");
	Identity idenVP = null;
  	while(!foundVP)
	{	
		log.debug("*******Prajtest6*******");
		idenVP = certifier.getManager();
		log.debug("*******Prajtest7*******"+ idenVP.getName());
		String vpMgmtLvl = identity.getAttribute("title");
		log.debug("*******Prajtest8*******");
		if(vpMgmtLvl!=null && vpMgmtLvl.startsWith("VP"))
		{
			log.debug("*******Prajtest9*******");
			foundVP = true;
			results.put("identity",identity);
			return results;		    		
		}				
		log.debug("*******Prajtest10*******");
		idenVP = idenVP.getManager();  	
		log.debug("*******Prajtest11*******");
						
	}
	log.debug("*******Prajtest12*******");
 	return null;
}
else
{
	log.debug("*******Prajtest13*******");
	return null;
 }

logs

2024-01-31T10:21:40,603 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest1*******
2024-01-31T10:21:40,604 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest2*******1
2024-01-31T10:21:40,604 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest3*******
2024-01-31T10:21:40,605 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest3-a*******
2024-01-31T10:21:40,606 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest3-b*******
2024-01-31T10:21:40,608 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest3-c*******
2024-01-31T10:21:40,608 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest4*******Director
2024-01-31T10:21:40,609 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest5*******
2024-01-31T10:21:40,609 DEBUG http-nio-8080-exec-7 rule.AWS_Test:-1 - *******Prajtest6*******
2024-01-31T10:21:40,610 ERROR http-nio-8080-exec-7 org.apache.bsf.BSFManager:451 - Exception:
java.security.PrivilegedActionException: null

what’s logic for VP ? he is cerifier Manager’s Manger if title match VP ?

Yes so the logic is 1st access review is assigned to manager and the 2nd review is the find the identity in the certifier’s manager hierarchy where if the title starts with “VP”, assign the 2nd review to that identity.

Try


Map results = new HashMap();
log.debug("*******Prajtest1*******");
List history = certification.getSignOffHistory();
                
log.debug("*******Prajtest2*******" + history.size());
if (history == null ||  history.size() < 2 )
{
	log.debug("*******Prajtest3*******");

	//Identity identity = certifier.getManager();
  String certIdnId =certifier.getId();
  log.debug("*******Prajtest3-a*******");
	Identity certObj = context.getObjectById(Identity.class, certIdnId);
  log.debug("*******Prajtest3-b*******");
	String certifierMgmtLvl = certObj.getManager() != null ? certObj.getManager().getAttribute("title") : null;
  log.debug("*******Prajtest3-c*******");
	log.debug("*******Prajtest4*******"+certifierMgmtLvl);
	boolean foundVP = false;
    
	log.debug("*******Prajtest5*******");
	Identity idenVP = null;
  	while(!foundVP)
	{	
		log.debug("*******Prajtest6*******");
		idenVP = certObj.getManager();
		log.debug("*******Prajtest7*******"+ idenVP.getName());
		String vpMgmtLvl = idenVP.getAttribute("title");
		log.debug("*******Prajtest8*******");
		if(vpMgmtLvl!=null && vpMgmtLvl.startsWith("VP"))
		{
			log.debug("*******Prajtest9*******");
			foundVP = true;
			results.put("identity",idenVP);
			return results;		    		
		}				
		log.debug("*******Prajtest10*******");
		//idenVP = idenVP.getManager();  // no need	
		log.debug("*******Prajtest11*******");
						
	}
	log.debug("*******Prajtest12*******");
 	return null;
}
else
{
	log.debug("*******Prajtest13*******");
	return null;
 }

Other option is,

a. Create a new certificate definition template for VP
b. Launch that certificate template when VP criteria meet. So in this case you can control what Old Reviewer took and what you have to show to VP. all items or only approved one.

I am not sure I understand the option you are suggesting.
Do you mean to run 2 different certifications? One for manager and one for VP?

yes, in that case you have full control on expiration date/reminder date, email template etc…

yeah unfortunately the business doesn’t want the certification to be like that. The 2nd reviewer should be able to see what the manager approved or revoked.

In that case, check with both options.

results.put("identity",idenVP); / 

Or

results.put("identityName",idenVP.getName());

Hi @prajna_poojari

Use the below code. This one is working for me. I have set threshold of 10 so that it won’t enter in infinite loop if someone is manager of itself. I suggest you should use threshold too.

import sailpoint.object.Identity;
Map result = new HashMap();

List history = certification.getSignOffHistory();
if (history == null || history.size() < 2) {
    String title = null;
    boolean foundVP = false;
    int count = 0;
    Identity potentialVP = null;

    result.put("identity", "spadmin");

    Identity idnObj = context.getObjectByName(Identity.class, certifier.getName());
    if (idnObj == null) return result;

    potentialVP = idnObj.getManager();
    if (potentialVP == null) return result;


    while (!foundVP && count <= 10) {
        if (potentialVP == null) return result;

        count = count + 1;
        title = potentialVP.getAttribute("title");

        if (title != null && title.startsWith("VP")) {
            foundVP = true;
            result.put("identity", potentialVP);
        } else {
            potentialVP = potentialVP.getManager();
        }
    }
    return result;
}

@prajna_poojari did you try the code?

Thanks @amishra97, I tested the code and it works without the proxy initialization error.