Create plan being added while adding members to an AD group

Hello Everyone,

I am working on a requirement where I have to add members to an AD group. I am able to create the plan below:

<ProvisioningPlan>
<AccountRequest application="AD App" nativeIdentity="CN=test,OU=test,DC=dev,DC=test,DC=com" op="Modify">
<AttributeRequest name="memberOf" op="Add" value="CN=testgroup,OU=test_POC,DC=dev,DC=test,DC=com"/>
</AccountRequest>
</ProvisioningPlan>

When I compile this, the entire plan is converted to a project (expected), but a Create plan is added.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningProject PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningProject identity="myIdentity">
<Attributes>
<Map>
<entry key="doRefresh" value="false"/>
<entry key="noFiltering" value="false"/>
<entry key="noLocking" value="true"/>
<entry key="optimisticProvisioning" value="false"/>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
<MasterPlan>
<ProvisioningPlan>
<AccountRequest application="AD App" nativeIdentity="CN=test,OU=test,DC=dev,DC=test,DC=com" op="Modify">
<AttributeRequest name="memberOf" op="Add" value="CN=testgroup,OU=test_POC,DC=dev,DC=test,DC=com"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</MasterPlan>
<Messages>
<Message key="No account creation template for application: AD App" type="Info"/>
</Messages>
<ProvisioningPlan targetIntegration="AD App" trackingId="35e0c37b16774bXXXXXX">
<AccountRequest application="AD App" nativeIdentity="CN=test,OU=test,DC=dev,DC=test,DC=com" op="Create">
<AttributeRequest name="memberOf" op="Add" value="CN=testgroup,OU=test_POC,DC=dev,DC=test,DC=com"/>
</AccountRequest>
<Attributes>
<Map>
<entry key="source" value="LCM"/>
</Map>
</Attributes>
</ProvisioningPlan>
</ProvisioningProject>

The requested user already has an AD account in that application, and I don’t have any create provisioning policies set.

How can I remove/rectify that additional create plan from the master plan?

Running the above plan, I get the error below:

ERROR https-jsse-nio-443-exec-1 sailpoint.connector.RPCService:554 - Exception occurred while executing the RPCRequest: Errors returned from IQService. “The object already exists. 00002071: UpdErr: DSID-030503C4, problem 6005 (ENTRY_EXISTS), data 0 . HRESULT:[0x80071392] For identity: CN=test,OU=test,DC=dev,DC=test,DC=com”

Any suggestions would help.
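
A quick way to spot this symptom in an exported project, as an added example that is not part of the original thread: the script compares each AccountRequest op in the MasterPlan with the op in the compiled plans and reports any that changed (here Modify to Create). The function names and the trimmed sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the compiled project from the post above.
PROJECT_XML = """<ProvisioningProject identity="myIdentity">
  <MasterPlan>
    <ProvisioningPlan>
      <AccountRequest application="AD App" nativeIdentity="CN=test,OU=test,DC=dev,DC=test,DC=com" op="Modify">
        <AttributeRequest name="memberOf" op="Add" value="CN=testgroup,OU=test_POC,DC=dev,DC=test,DC=com"/>
      </AccountRequest>
    </ProvisioningPlan>
  </MasterPlan>
  <Messages>
    <Message key="No account creation template for application: AD App" type="Info"/>
  </Messages>
  <ProvisioningPlan targetIntegration="AD App" trackingId="35e0c37b16774bXXXXXX">
    <AccountRequest application="AD App" nativeIdentity="CN=test,OU=test,DC=dev,DC=test,DC=com" op="Create">
      <AttributeRequest name="memberOf" op="Add" value="CN=testgroup,OU=test_POC,DC=dev,DC=test,DC=com"/>
    </AccountRequest>
  </ProvisioningPlan>
</ProvisioningProject>"""


def account_ops(plan):
    """Map (application, nativeIdentity) -> op for each AccountRequest in a plan."""
    return {(r.get("application"), r.get("nativeIdentity")): r.get("op")
            for r in plan.findall("AccountRequest")}


def find_op_changes(project_xml):
    """Return requests whose op in a compiled plan differs from the master plan."""
    root = ET.fromstring(project_xml)
    requested = {}
    for plan in root.findall("MasterPlan/ProvisioningPlan"):
        requested.update(account_ops(plan))
    changes = []
    # Direct children of the project are the compiled, per-integration plans.
    for plan in root.findall("ProvisioningPlan"):
        for key, op in account_ops(plan).items():
            if key in requested and requested[key] != op:
                changes.append({"application": key[0], "nativeIdentity": key[1],
                                "requested": requested[key], "compiled": op,
                                "integration": plan.get("targetIntegration")})
    return changes


if __name__ == "__main__":
    for c in find_op_changes(PROJECT_XML):
        print(f"{c['nativeIdentity']} on {c['application']}: "
              f"{c['requested']} -> {c['compiled']}")
```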

Can you run account aggregation and try after it completes?

Hi @Yogesh_Purini,

Try adding the identity, nativeIdentity and targetIntegration to the provisioning plan as well, using the methods below.

  plan.setIdentity(<identity>);
  plan.setNativeIdentity(<nativeIdentity>);
  plan.setTargetIntegration(<application>);

Hi @Jarin_James,

Thanks for the suggestion, but the plan contains multiple account requests. I mean I have to add multiple identities to the group at the same time. In this case, how can I set the identity and nativeIdentity?

I would advise having 1 plan per identity. It might contain multiple accounts, but those should/would be for the same identity.

Also make sure all the application accounts have been aggregated, so you can query IdentityIQ to see if the account already exists before provisioning the plan.

– Remold

You can build a list of plans (one plan per identity) and then, either via a step replicator (if this is in a workflow) or a separate loop, trigger provisioning for each identity.

This is also much more efficient from a performance point of view than one huge plan.
