Create Account operation with Entitlements in webservice Connector

hema171989 · May 5, 2025, 4:31pm

I have to Create account with entitlement from request center. However the request is successful but the entitlement is going null and there is no record created in entitlement table but account is created. But when hardcoded - it does create entry in bot user and entitlement table.

This is the body I used:
{
“uid”: “$plan.nativeIdentity$”,
“firstName”: “$plan.firstName$”,
“lastName”: “$plan.lastName$”,
“ibus”: [
“ADM”
],
“roles”: [
“$plan.roles$”
],
“lastLogin”: “$plan.lastLogin$”,
“isActive”: true,
}

I have selected Create Account With “Ent” Request.
The plan.roles variable does not seem to be getting populated correctly.
I have also tried $plan.memberOf.roles$ instead of $plan.roles$
Any help is appreciated.

Also I need to pass second entitlement ibus field where I have hard coded “ADM” in my body from request center. Can this be done without rule ?

jrossicare · May 6, 2025, 12:58am

Hi

Check your provisioning plan for Create, to ensure you are sending the entitlements

GET /beta/sources/<source id>/provisioning-policies

Also, you can use the following code in your Web Service Before Operation rule to dump all info it has

            if (provisioningPlan != null) {
                //This part is just info dump:
                for (int i = 0 ; i < this.variables.length ; i++) {
                   String varName = this.variables[i];
                   Object varValue = null;
                   try {
                      if ("transient".equals(varName))
                         varValue = "[reserved word]";
                      else
                         varValue = eval(varName);
                   } catch (Exception ex) {
                      varValue = "[eval exception]";
                   }
                   String varClass = "void";
                   
                   if ((void != varValue) && (null != varValue))
                      varClass = varValue.getClass().getSimpleName();

                   if (void == varValue)
                       log.error(logPrefix + "x " + varName + " = void");
                   else if (null == varValue)
                       log.error(logPrefix + "x " + varName + " = null");
                   else
                       log.error(logPrefix + "x " + varName + " (" + varClass + ") = " + varValue);
                }
                log.error(logPrefix + "Full URL  = " + requestEndPoint.getFullUrl() );
                log.error(logPrefix + "Ctxt URL  = " + requestEndPoint.getContextUrl() );
                log.error(logPrefix + "AfterRule = " + requestEndPoint.getAfterRule() );
                log.error(logPrefix + "Method    = " + requestEndPoint.getHttpMethodType() );
                log.error(logPrefix + "Opr. Type = " + requestEndPoint.getOperationType() );
                log.error(logPrefix + "IDN AppID = " + application.getId() );



                for (AccountRequest accReq : Util.iterate(provisioningPlan.getAccountRequests())) {
                    for (ProvisioningPlan.AttributeRequest attReq : Util.iterate(accReq.getAttributeRequests())) {
                        log.error(logPrefix + "attReq: " + attReq.getName() + " => " + attReq.getValue() + " (" + attReq.getValue().getClass() + ")");

NeetuDixit · May 6, 2025, 2:37am

Hi Hema,

check what attribute you have configured in your Webservice Entitlement types and ensure to use the same attribute which you have configured as “Entitlement ID” i.e. you need to pass Entitlement ID in your create body.

Thanks,

Chaithu9110 · May 6, 2025, 2:44am

{
“uid”: “$plan.nativeIdentity$”,
“firstName”: “$plan.firstName$”,
“lastName”: “$plan.lastName$”,
“ibus”: $plan.ibus$,
“roles”: $plan.roles$,
“lastLogin”: “$plan.lastLogin$”,
“isActive”: true
}
make sure that in provisioning form all values are present

neeraj99 · May 6, 2025, 10:06am

@hema171989
Enable this configuration in the webservices connector that should do the job.

Create account with "ENT" request

You can find this in Additional Setting

iamnithesh · May 6, 2025, 12:24pm

[] might be causing the issue here. If roles is a multivalued type and multiple roles are requested at a time, plan.roles will be in the form of an array and additional [] in your body will be causing the issue.

You would need a BeforeOperation rule to check if the roles is of type List or String and accordingly update the body of your request

Sivakrishna1993 · May 7, 2025, 4:03am

Make sure your schema attribute for group object and account attributes should be same. And in response body it should match.

NagatejaK · May 15, 2025, 1:48pm

How to know what and all attribute I can use from plan object ?

kanusha9 · May 20, 2025, 6:01am

1.Make sure that the Access Profile (for roles/entitlements) is properly mapped to the application entitlements.
2.If you’re requesting an Access Profile in the Request Center and expecting it to populate plan.roles, make sure the Access Profile includes entitlements with role as the entitlement type.
3.Review the Request Center to Account Request Mapping
4.Ensure you are mapping the entitlement properly in the Account Create form, i.e., plan.roles should match the exact entitlement attribute name.
5.Try validating the format. Don’t use quotes around the variables if they resolve to arrays. Wrapping them in quotes turns them into a string.
4. Logging/Debugging the Plan
You can log the plan using debug rules or inside your connector logic to inspect what’s being passed.

hema171989 · May 28, 2025, 4:23pm

yes. unchecking multivalued for entitlement in schema fixed the issue. But it is not pulling all the entitlements. So as you mentioned I’m using BeforeOperation Rule to check how it is added in the payload. But it is not printing any logs in ccg.log.

ManvithaNalabolu06 · May 29, 2025, 6:45am

This usually happens when the entitlement in the request isn’t properly linked to the source or access profile. Check if Verify Entitlement is Aggregated, Ensure It’s Linked, Request Format, Case Sensitivity,
Test with ID. Check and let me know