Disabling an account fails when using a BeforeProvisioning rule

Facing the error below while disabling an account; we are using a BeforeProvisioning rule.

Use case: identities have the same email address and use the same Active Directory account.

If any identity becomes inactive in ISC, the rule checks whether the other identities are active or not; if any identity is active, the rule must stop disabling the account.

RuleExecutionException (ruleName=MATEActiveDirectoryBeforeProvisioning): BSFException: The application script threw an exception: java.lang.ClassCastException: Cannot cast sailpoint.rule.IdentityRuleDTO to sailpoint.object.Identity BSF info: MATEActiveDirectoryBeforeProvisioning at line: 0 column: columnNo, caused by org.apache.bsf.BSFException: The application script threw an exception: java.lang.ClassCastException: Cannot cast sailpoint.rule.IdentityRuleDTO to sailpoint.object.Identity BSF info: MATEActiveDirectoryBeforeProvisioning at line: 0 column: columnNo

// DISABLE handling
if (ProvisioningPlan.ObjectOperation.Disable.equals(accountRequest.getOp())) {
    boolean isAnyIdentityActive = false;
    if (email != null) {
        List identities = idn.findIdentitiesBySearchableIdentityAttribute("email", "Equals", email, "uid");
        if (identities != null && !identities.isEmpty()) {
            for (sailpoint.rule.Identity idVal : identities) {
                String searchidnlifecycleState = idVal.getAttribute("cloudLifecycleState") != null ? idVal.getAttribute("cloudLifecycleState").toString() : "";
                log.info("Found identity lifecycleState = " + searchidnlifecycleState);
                if ("active".equalsIgnoreCase(searchidnlifecycleState)) {
                    isAnyIdentityActive = true;
                    break;
                }
            }
        }
    }
    if (isAnyIdentityActive) {
        log.info("MATE-AD :: Active identity exists. Preventing AD disable for shared account.");
        if (accountRequest.getAttributeRequests() != null) {
            Iterator it = accountRequest.getAttributeRequests().iterator();
            while (it.hasNext()) {
                AttributeRequest ar = it.next();
                if ("memberOf".equalsIgnoreCase(ar.getName())) {
                    it.remove();
                    break;
                }
            }
        }
        accountRequest.setOp(ProvisioningPlan.ObjectOperation.Modify);
    } else {
        log.info("MATE-AD :: No active identities found. Allowing AD disable.");
    }
}

For your import, are you importing sailpoint.object.Identity?
import sailpoint.object.Identity

Are you importing sailpoint.rule.Identity?
import sailpoint.rule.Identity

I’m assuming you want to use sailpoint.rule.Identity.

Yes, I am using sailpoint.object.Identity.

If I use import sailpoint.rule.Identity, I get the error below.

Does the code below work?

// DISABLE handling
if (ProvisioningPlan.ObjectOperation.Disable.equals(accountRequest.getOp())) {
    boolean isAnyIdentityActive = false;
    if (email != null) {
        List identities = idn.findIdentitiesBySearchableIdentityAttribute("email", "Equals", email, "uid");
        if (identities != null && !identities.isEmpty()) {
            for (Object obj : identities) {
                // In IDN, this is not sailpoint.object.Identity
                // It's a generic identity object with getAttribute support
                Map identityMap = (Map) obj; // often returned as a Map<String,Object>
                String searchLifecycleState = identityMap.get("cloudLifecycleState") != null
                    ? identityMap.get("cloudLifecycleState").toString()
                    : "";
                log.info("Found identity lifecycleState = " + searchLifecycleState);
                if ("active".equalsIgnoreCase(searchLifecycleState)) {
                    isAnyIdentityActive = true;
                    break;
                }
            }
        }
    }
}

@gogubapu As per this documentation - Identity

The Identity class does not have the method getAttribute(). It has the method getLifecycleState(). Just try to use that method directly on the sailpoint.rule.Identity object.

If you want to use sailpoint.object.Identity, then get the identity object directly from the plan. Below are the examples:

sailpoint.object.Identity identity = plan.getIdentity();
String sAMAccountName = (String) identity.getAttribute("adUsername");

sailpoint.rule.Identity foundIdentity = idn.getIdentityById("uid");
String email = foundIdentity.getEmail();

Hi @vidya_kompala_au ,

I want to check the other identities that have the same email address; if they share the same email address, then I need to check whether the lifecycle state is active on any identity and, if so, stop disabling the AD account. If all identities are inactive, then disable the AD account.

if (ProvisioningPlan.ObjectOperation.Disable.equals(accountRequest.getOp())) {
    boolean isAnyIdentityActive = false;
    if (email != null) {
        List identities = idn.findIdentitiesBySearchableIdentityAttribute("email", "Equals", email, "uid");
        if (identities != null && !identities.isEmpty()) {
            for (sailpoint.rule.Identity idVal : identities) {
                String searchidnlifecycleState = idVal.getAttribute("cloudLifecycleState") != null ? idVal.getAttribute("cloudLifecycleState").toString() : "";
                log.info("Found identity lifecycleState = " + searchidnlifecycleState);
                if ("active".equalsIgnoreCase(searchidnlifecycleState)) {
                    isAnyIdentityActive = true;
                    break;
                }
            }
        }
    }
    if (isAnyIdentityActive) {
        log.info("MATE-AD :: Active identity exists. Preventing AD disable for shared account.");
        if (accountRequest.getAttributeRequests() != null) {
            Iterator it = accountRequest.getAttributeRequests().iterator();
            while (it.hasNext()) {
                AttributeRequest ar = it.next();
                if ("memberOf".equalsIgnoreCase(ar.getName())) {
                    it.remove();
                    break;
                }
            }
        }
        accountRequest.setOp(ProvisioningPlan.ObjectOperation.Modify);
    } else {
        log.info("MATE-AD :: No active identities found. Allowing AD disable.");
    }
}

It should be fine. Try changing the above line to

String searchidnlifecycleState = idVal.getLifecycleState() != null ? idVal.getLifecycleState().toString() : "";

if (ProvisioningPlan.ObjectOperation.Disable.equals(accountRequest.getOp())) {
    boolean isAnyIdentityActive = false;
    if (email != null) {
        List identities = idn.findIdentitiesBySearchableIdentityAttribute("email", "Equals", email, "uid");
        if (identities != null && !identities.isEmpty()) {
            for (int i = 0; i < identities.size(); i++) {
                // entries are sailpoint.rule.Identity objects, which expose getLifecycleState() rather than getAttribute()
                sailpoint.rule.Identity idVal = (sailpoint.rule.Identity) identities.get(i);
                String searchidnlifecycleState = idVal.getLifecycleState() != null ? idVal.getLifecycleState() : "";
                log.info("Found identity lifecycleState = " + searchidnlifecycleState);
                if ("active".equalsIgnoreCase(searchidnlifecycleState)) {
                    isAnyIdentityActive = true;
                    break;
                }
            }
        }
    }
    if (isAnyIdentityActive) {
        log.info("MATE-AD :: Active identity exists. Preventing AD disable for shared account.");
        if (accountRequest.getAttributeRequests() != null) {
            Iterator it = accountRequest.getAttributeRequests().iterator();
            while (it.hasNext()) {
                AttributeRequest ar = it.next();
                if ("memberOf".equalsIgnoreCase(ar.getName())) {
                    it.remove();
                    break;
                }
            }
        }
        accountRequest.setOp(ProvisioningPlan.ObjectOperation.Modify);
    } else {
        log.info("MATE-AD :: No active identities found. Allowing AD disable.");
    }
}
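Added example, not code from this thread: the same disable guard written as a complete BeforeProvisioning rule body, using only the calls seen above (plan.getIdentity(), idn.findIdentitiesBySearchableIdentityAttribute(), sailpoint.rule.Identity.getLifecycleState()) and adding two checks the posted versions lack: it skips the identity that triggered the disable when scanning for active co-owners (otherwise a requester whose own state is still "active" blocks its own disable), and it drops every memberOf attribute request rather than only the first. It assumes sailpoint.rule.Identity exposes getId() and that the tenant's active lifecycle state value is "active".

```java
import java.util.Iterator;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// True when some OTHER identity sharing this email is still active.
// Assumption: sailpoint.rule.Identity exposes getId() for the self-exclusion check.
boolean otherOwnerIsActive(String email, String selfId) {
    if (email == null || email.trim().length() == 0) return false; // nothing to correlate on
    List identities = idn.findIdentitiesBySearchableIdentityAttribute("email", "Equals", email, "uid");
    if (identities == null) return false;
    for (int i = 0; i < identities.size(); i++) {
        sailpoint.rule.Identity other = (sailpoint.rule.Identity) identities.get(i);
        if (selfId != null && selfId.equals(other.getId())) continue; // the identity being disabled
        String state = other.getLifecycleState();
        log.info("MATE-AD :: shared-email identity " + other.getId() + " lifecycleState=" + state);
        if ("active".equalsIgnoreCase(state)) return true;
    }
    return false;
}

sailpoint.object.Identity self = plan.getIdentity();
String selfId = (self != null) ? self.getId() : null;
String email = (self != null) ? self.getEmail() : null;
List requests = plan.getAccountRequests();
for (int r = 0; requests != null && r < requests.size(); r++) {
    AccountRequest accountRequest = (AccountRequest) requests.get(r);
    if (!ProvisioningPlan.ObjectOperation.Disable.equals(accountRequest.getOp())) continue;
    if (!otherOwnerIsActive(email, selfId)) {
        log.info("MATE-AD :: no other active owner, allowing AD disable");
        continue;
    }
    log.info("MATE-AD :: active co-owner exists, downgrading Disable to Modify");
    if (accountRequest.getAttributeRequests() != null) {
        Iterator it = accountRequest.getAttributeRequests().iterator();
        while (it.hasNext()) {
            AttributeRequest ar = (AttributeRequest) it.next();
            if ("memberOf".equalsIgnoreCase(ar.getName())) it.remove(); // keep the shared groups
        }
    }
    accountRequest.setOp(ProvisioningPlan.ObjectOperation.Modify);
}
```

Because the downgraded Modify leaves the shared account enabled with its groups intact, the log line naming the active co-owner is the record auditors will want when asking why a leaver's AD account was not disabled.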