Entitlement Schema

We are working on a Cornerstone implementation using the Web Services connector but I am having a bit of an issue with the Entitlement Schema (using /beta/sources//schemas/). In the data below, you can see that we have “ous” defined and the idea is to assign those as entitlements.

{
    "data": {
        "id": 470,
        "externalId": "910054",
        "userName": "[email protected]",
        "guid": "09b630aa-97dc-421e-88d0-ef3cfcb24633",
        "firstName": "David",
        "lastName": "Jones",
        "middleName": "R",
        "prefix": "",
        "suffix": "",
        "primaryEmail": "[email protected]",
        "relations": null,
        "ous": [
            {
                "id": 209,
                "typeId": 2
            }
        ]
    }
}

The problem is that I only have examples of “group” entitlement schemas but these come in as type “Entitlement”. Can someone assist me with creating an entitlement schema for “Entitlements” as the documentation is pretty fuzzy around this? We have nativeObjectTypes, attribute fields, and even the name but I can’t figure out how to get this set up correctly. Maybe there needs to be something set on the account schema as well?

Current entitlement schema:

{
    "nativeObjectType": "group",
    "identityAttribute": "ous",
    "displayAttribute": "name",
    "hierarchyAttribute": null,
    "includePermissions": false,
    "features": [],
    "configuration": {},
    "attributes": [
        {
            "name": "ous",
            "type": "STRING",
            "schema": null,
            "description": "OU",
            "isMulti": false,
            "isEntitlement": false,
            "isGroup": false
        },
        {
            "name": "name",
            "type": "STRING",
            "schema": null,
            "description": "OU name.",
            "isMulti": false,
            "isEntitlement": false,
            "isGroup": false
        },
        {
            "name": "typeId",
            "type": "STRING",
            "schema": null,
            "description": "Type ID",
            "isMulti": false,
            "isEntitlement": false,
            "isGroup": false
        }
    ],
    "id": "2c9180847a0bddb7017a0fee2c1f351f",
    "name": "group"
}

Thanks in advance!

Hey @justinrhaines, I am asking around internally to get an answer for your question.

Group aggregation/Entitlement aggregation fetches what’s in group schema so the attributes in group schema should be only 2 attributes. In your case under ous I see 2 attributes id and typeId.

So your group schema would have 2 attributes with any name you want assume groupId and groupTypeId. You can use these 2 attribute names in left side of response mapping in Entitlement aggregation. This concept is same as account schema. Whatever is in idn schema stays on left side and what you are fetching from end source api stays on right side.

This was more about group aggregation. Whatever you aggregate using group aggregation stays as group object. What you aggregate as part of account aggregation stays as entitlement.

There must be some relation between these 2. For example, if your account schema has “OU” as entitlement and you are aggregating ou id as part of account aggregation, the same thing is coming as part of group aggregation also. If you do not define relation between account and group aggregation you would see “209” as entitlement and also as group.

To do this you need to define identityAttribute in Group schema. Whichever attribute is part of your account schema for entitlement should be marked as identity attribute in group schema.
For example, in our case groupID (part of group schema) comes as “OU” in account schema. So we mark “groupID” as identity attribute in account schema.

Also you need to refer group schema to account schema. You need to make a PUT call on Account schema and set something like this:

{
    "name": "projects",
    "type": "STRING",
    "schema": {
        "type": "CONNECTOR_SCHEMA",
        "id": "2c91808879863acd0179888eb151239a",
        "name": "Projects"
    },
    "description": null,
    "isMulti": true,
    "isEntitlement": true,
    "isGroup": true
}

Projects is part of account schema here and it also has its own group schema. We are setting isGroup = true here and referring group schema id also.

Feel free to create ES case if you still need help on this.
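The linkage described in the reply above (the account attribute marked isEntitlement/isGroup with a schema reference, and the group schema's identityAttribute present among its attributes) can be checked before running an aggregation. This is an added example, not part of the original posts or SailPoint's code; the helper names, the schema id and the sample schemas are constructed, and only the field names come from the JSON shown in this thread.

```python
# Added example. Field names follow the schema JSON posted in this thread;
# the ids and sample schemas below are constructed for illustration.

def check_schema_links(account_schema, group_schemas):
    """List problems in how account entitlement attributes reference group schemas."""
    problems = []
    by_id = {g["id"]: g for g in group_schemas}
    for g in group_schemas:
        names = {a["name"] for a in g.get("attributes", [])}
        for key in ("identityAttribute", "displayAttribute"):
            if g.get(key) not in names:
                problems.append(f"group schema {g['name']}: {key} "
                                f"{g.get(key)!r} is not one of its attributes")
    for attr in account_schema.get("attributes", []):
        if not attr.get("isEntitlement"):
            continue
        ref = attr.get("schema")
        if not attr.get("isGroup") or not ref:
            problems.append(f"account attribute {attr['name']}: not linked to a "
                            "group schema, values stay plain strings")
        elif ref.get("id") not in by_id:
            problems.append(f"account attribute {attr['name']}: schema id "
                            f"{ref.get('id')!r} matches no group schema")
    return problems

def make_attr(name, **extra):
    """Build one schema attribute entry with the defaults seen in the thread."""
    base = {"name": name, "type": "STRING", "schema": None,
            "isMulti": False, "isEntitlement": False, "isGroup": False}
    return {**base, **extra}

GROUP = {"id": "constructed-group-schema-id", "name": "group",
         "nativeObjectType": "group", "identityAttribute": "groupId",
         "displayAttribute": "groupId",
         "attributes": [make_attr("groupId"), make_attr("groupTypeId")]}

UNLINKED = {"name": "account", "attributes": [
    make_attr("userName"), make_attr("ous", isMulti=True, isEntitlement=True)]}

LINKED = {"name": "account", "attributes": [
    make_attr("userName"),
    make_attr("ous", isMulti=True, isEntitlement=True, isGroup=True,
              schema={"type": "CONNECTOR_SCHEMA", "id": GROUP["id"], "name": "group"})]}

if __name__ == "__main__":
    for label, acct in (("unlinked", UNLINKED), ("linked", LINKED)):
        print(label, check_schema_links(acct, [GROUP]))
```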

Thanks @Chirag, this helped me create the correct schemas. Based on what you mentioned, I assume that an “Entitlement” schema is not possible and we are forced to stay with the “Group” schema? Thanks again!


Very glad to hear this was helpful to your success, @justinrhaines! Thanks @chirag_patel for the detailed assistance on this issue!

Justin, Entitlement is a simple object and is more of a string, while group is a complex object which can have n number of attributes. So you can define group schema. Even though the UI says entitlement aggregation, it’s aggregating group only. The one being fetched in via account aggregation is a simple string and it does not fetch all attributes which are there in group.

You can have multiple group schema also and all of them would be aggregated when you run entitlement aggregation.

Product is planning UI around group agg so this should get much simpler in future.


@chirag_patel is there any timeline for this feature release?

@chirag_patel

We have configured the Group schema the way you described. But when I hit the entitlement Aggregation I see No configuration found for ‘Group Aggregation-(groupTypeName)’. But I have configured ‘Group Aggregation-(groupTypeName)’ as Entitlement Aggregation operation Type.

Is there any specific config we have to make?

Error details as follows.


Can you share the source JSON which is fetched using the new v3 APIs? Also share the full schema JSON including account/group.

@chirag_patel - I have shared the requested files with you. Please review and let me know if anything needs to be updated in the config in order to list the Group Aggregation-{group schema name} operation in IDN.

Please share all artifacts here for any communications so it helps other community members also in future.

You have configured group schema but not the actual end point. Just the way there is account schema and in source UI you have account aggregation end point, you need different end points to aggregate different group types.

Check : Multiple Group Objects section in guide here: https://community.sailpoint.com/t5/IdentityNow-Connectors/Web-Services-Source-Configuration-Reference-Guide/ta-p/78511


Thank you for your response. I actually did configure the group aggregations with different endpoints as operation type “Entitlement Aggregation” but I got the error “No configuration found for ‘Group Aggregation-(groupTypeName)’”. In IIQ, when we configure the group schema, we can see 4 operations for each group type and we can select the respective group operations from the drop down to configure group/Entitlement aggregation.

  • Group Aggregation-GROUP-SCHEMA-OBJECT-TYPE
  • Get Object-GROUP-SCHEMA-OBJECT-TYPE
  • Add Entitlement-GROUP-SCHEMA-OBJECT-TYPE
  • Remove Entitlement-GROUP-SCHEMA-OBJECT-TYPE

The issue I see in IDN is that when I configure a new group type, the operations (as listed above) are not listed in the connector operations list.
I tried to add Entitlement aggregation as below, but I am still getting “No configuration found for ‘Group Aggregation-Teams’. Please add at least one operation and try again”

Please let me know if I am missing anything here.

Thanks,
Suresh