Entitlement Setup Causing Provisioning to Fail for webservice connector

I’m currently working on a webservice connector (REST) and running into an issue related to entitlements and account creation.

  • We have three separate endpoints:
    → Account creation: POST /users
    → Role assignment: POST /roles/{roleId}/users/{accountId}
    → Role removal: DELETE /roles/{roleId}/users/{accountId}

  • Sequence of actions:
    Role assignment: Create an account → Add Role
    Role modification: Delete Role → Add Role

  • The account schema is configured with the following attributes:
    → userid (AccountID), fullname (AccountName), email, logon, id (entitlement)

  • The role schema is also configured with id marked as an entitlement

  • Provisioning payload for account creation:

{
    "userid": "a123456",
    "fullname": "John Doe",
    "email": "[email protected]",
    "logon": "true"
}

I’ve created an access profile and added an entitlement to it. However, when I try to provision an account via an access profile request, the id (which is the role) is incorrectly being sent in the account creation payload, resulting in a 500 error from the application, e.g.

{
   "id": "TesRole",
   "fullname": "John Doe",
   "email": "[email protected]",
   "logon": "true"
}

Any insights to address this issue would be greatly appreciated.

@rg60115 While creating the account, are you also passing “id”? If yes, try to exclude it and pass only userid, fullname, email, logon in your payload.

@rajeshs no, only those four attributes are included in the provisioning plan.

Hi @rg60115 ,

When you say incorrect ID is being passed, what is the actual ID that needs to be passed? Is it the entitlement ID that is in target application?

Also, could you please share the body of the POST API request for account creation from SailPoint UI?

Hi @JackSparrow {"userid": "a123456",..} instead of {"id": "TesRole",..}

Account creation body:

{
  "userid":"$plan.userid$",
  "fullname":"$plan.fullname$",
  "email":"$plan.email$",
  "logon" : "true" 
}

Is “userid” included and mapped correctly in the create account provisioning policy?

Yes

[
    {
        "name": "Create Account",
        "description": "Create Account provisioning policy",
        "usageType": "CREATE",
        "fields": [
            {
                "name": "userid",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "uid"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "email",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "email"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "fullname",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "displayName"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "logon",
                "transform": {
                    "type": "reference",
                    "attributes": {
                        "id": "Determine logon"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    }
]

Hi @rg60115

Welcome to the developer community.

As the userId field is maintained as the account ID attribute on the user schema, **$plan.userId$** will not work.

If I understood your issue correctly, when you try to create the user, the user is being created with the name of the entitlement. If that is the case, then please check whether you have the below setting checked, as it should be unchecked. You can find this setting in the Additional Settings tab.

[screenshot of the setting]

To make sure that the user gets created with the proper user ID, I think you can either pass **$plan.nativeIdentity$** or create a new attribute in the create provisioning policy, name it something other than userId, and pass that in the request body. Something like below:

Option 1

Change the request body to the below without changing anything else.

{
  "userid":"$plan.nativeIdentity$",
  "fullname":"$plan.fullname$",
  "email":"$plan.email$",
  "logon" : "true" 
}

If option 1 does not work, then you can use option 2 below.

Option 2

  1. Add a new attribute accountId with similar settings to those of the userId attribute and add it to the create provisioning policy, as mentioned below.

[
    {
        "name": "Create Account",
        "description": "Create Account provisioning policy",
        "usageType": "CREATE",
        "fields": [
            {
                "name": "userid",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "uid"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "accountId",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "uid"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "email",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "email"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "fullname",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "displayName"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "logon",
                "transform": {
                    "type": "reference",
                    "attributes": {
                        "id": "Determine logon"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    }
]
  2. Then replace $plan.userId$ with $plan.accountId$ in the request body and use the below body.

{
  "userid":"$plan.accountId$",
  "fullname":"$plan.fullname$",
  "email":"$plan.email$",
  "logon" : "true" 
}

Ideally both should work, but please do check for any typos I might have above and let us know if that helps.

Regards
Vikas

Hi @vguleria thank you for the detailed explanation. “Create Account with Ent Request” is unchecked. I tried with both options but unfortunately I get the same error.

On the Account Activity:

Message: 500 : {"error": {"dms_version": "10.5.1.1011", "transaction": "createUser", "code": "NRC_FAILURE", "code_message": "Operation Failed"}}, HTTP Error Code: 500

ACCOUNT REQUEST
Create account: a123456

ATTRIBUTE REQUESTS
Add id: TestRole
Add fullname: John Doe
Add email: [email protected]
Add logon: true

Hi @rg60115

Thank you for checking and confirming. Can you please share the request body and the create account policy?
I will check it again and let you know if I have missed something :) .

Regards
Vikas.

Create Account Request body:

{
  "userid":"$plan.nativeIdentity$",
  "email":"$plan.email$",
  "fullname":"$plan.fullname$",
  "isExternal":"false",
  "preferredDatabase":"DB1",
  "user_password":"Test@123456",
  "user_nos":1,
  "userid_ex":"$plan.userid_ex$",
  "pwd_never_expire":"true", 
  "logon" : "true"
}

Create Account provisioning policy:

{
    "name": "Create Account",
    "description": "Create Account provisioning policy",
    "usageType": "CREATE",
    "fields": [
        {
            "name": "userid",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "uid"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "email",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "email"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "fullname",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "displayName"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "isExternal",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "false"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "preferredDatabase",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "DB1"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "user_password",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "Test@123456"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "user_nos",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "1"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "userid_ex",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "uid"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "pwd_never_expire",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "true"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "logon",
            "transform": {
                "type": "reference",
                "attributes": {
                    "id": "Determine allow_logon"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

Hi @rg60115 ,

In the context URL (Add Role), please try the below URL:

/roles/$plan.entitlementValue$/users/$plan.accountId$

If your accountID is nativeIdentity, then you can use $plan.nativeIdentity$.

Thanks.

Hi @rg60115

Can you please try once with the 2nd approach as I mentioned above? So you can create one additional attribute in the create policy with the same settings as the user_id attribute and then use that instead of nativeIdentity, and then share the VA logs for this API call to see if the values are populating properly.

If that works and this one does not, then most likely the issue is with the account schema, but if you can share the VA logs and see how that is going to the back end, it generally helps.

I sometimes use the afterOperation webservice rules there just to see what is passed in the API payload and what the response was. It helps in debugging the issue, so if you are comfortable writing a small rule, then we can capture the exact payload being passed and then identify the issue.

Btw, do you see the account populated on the identity after the operation? Just thinking whether the account creation is successful but the add entitlement operation is throwing some error, but that is unlikely the case, as the account activity shows that the issue is with the create operation.

Thank You.
Regards
Vikas.

Hi @vguleria I tried with the 2nd approach, but the error message was the same. However, when I changed the “Add Role” URL mentioned by @Rohit_Sahu to:

/roles/$plan.entitlementValue$/users/$plan.nativeIdentity$

the account got created but the role wasn’t added.

VA Logs:

{"stack":"ccg","pod":"stg01-uswest2","connector-logging":"164","Operation":"Create\\password","clusterId":"4b3dac8a1e04376d157","utilities":"1.12.2","buildNumber":"1077","apiUsername":"3ab7db29","orgType":"","file":"ProvisionHandler.java","encryption":"1.12.2","messageType":"provision","connector-bundle-identityiq":"257","line_number":144,"@version":1,"cloud-modules-api":"2.1.2","logger_name":"com.sailpoint.ccg.handler.ProvisionHandler","mantis-client":"1.12.2","class":"com.sailpoint.ccg.handler.ProvisionHandler","atlas-api":"2.7.1","va-gateway-client":"60","connector-bundle-utilities":"10","tracing":"1.12.2","clientId":"3ab7db29","request_milliseconds":"417","source_host":"1f4e25","method":"logProvisioningStart","org":"Training-sbx","level":"INFO","IdentityIQ":"8.3p4 Build 0241202-173620","message":"Provisioning [Create,password] for account [a123456] starting.","pipeline":"1.12.2","@timestamp":"2025-06-16T13:44:56.054Z","thread_name":"pool-6-thread-443","atlas-util":"2.7.1","metrics":"1.10.5","region":"us-west-2","AppType":"Web Services","Application":"TestApp [source]","request_id":"609bece9f55ac0b2db9","queue":"stg01-uswest2-Training-sbx-cluster-0e31ab4ab67b","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

{"stack":"ccg","pod":"stg01-uswest2","connector-logging":"164","Operation":"Create","clusterId":"4b3dac8a1e04376d157","utilities":"1.12.2","buildNumber":"1077","apiUsername":"3ab7db29","orgType":"","file":"CloudPersistenceManager.java","encryption":"1.12.2","messageType":"provision","connector-bundle-identityiq":"257","line_number":188,"@version":1,"CB_version":"1626","cloud-modules-api":"2.1.2","logger_name":"com.sailpoint.ccg.persistence.CloudPersistenceManager","mantis-client":"1.12.2","class":"com.sailpoint.ccg.persistence.CloudPersistenceManager","ParentOperation":"ProvisioningOperation","atlas-api":"2.7.1","va-gateway-client":"60","connector-bundle-utilities":"10","tracing":"1.12.2","clientId":"3ab7db29","request_milliseconds":"1813","source_host":"1f4e25","method":"logCacheWarning","org":"Training-sbx","level":"WARN","IdentityIQ":"8.3p4 Build 0241202-173620","message":"CCG CACHE [Rule] OBJECT LOADED FROM CLOUD: AccountCreate (AccountCreate)","pipeline":"1.12.2","@timestamp":"2025-06-16T13:44:57.450Z","NativeIdentity":"a123456","thread_name":"pool-6-thread-443","atlas-util":"2.7.1","metrics":"1.10.5","region":"us-west-2","AppType":"Web Services","Application":"TestApp [source]","request_id":"609bece9f55ac0b2db9","CB_Type":"connector-bundle-webservices","queue":"stg01-uswest2-Training-sbx-cluster-0e31ab4ab67b","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

{"stack":"ccg","pod":"stg01-uswest2","connector-logging":"164","Operation":"Create","clusterId":"4b3dac8a1e04376d157","utilities":"1.12.2","buildNumber":"1077","apiUsername":"3ab7db29","orgType":"","file":"Reflect.java","encryption":"1.12.2","messageType":"provision","connector-bundle-identityiq":"257","line_number":166,"@version":1,"CB_version":"1626","cloud-modules-api":"2.1.2","logger_name":"sailpoint.connector.webservices.v2.RequestOrchestratorV2","mantis-client":"1.12.2","class":"bsh.Reflect","ParentOperation":"ProvisioningOperation","atlas-api":"2.7.1","va-gateway-client":"60","connector-bundle-utilities":"10","tracing":"1.12.2","clientId":"3ab7db29","request_milliseconds":"1814","source_host":"1f4e25","method":"invokeMethod","org":"Training-sbx","level":"INFO","IdentityIQ":"8.3p4 Build 0241202-173620","message":"Before Provisioning Rule: Checking for 'id' attribute on CREATE","pipeline":"1.12.2","@timestamp":"2025-06-16T13:44:57.451Z","NativeIdentity":"a123456","thread_name":"pool-6-thread-443","atlas-util":"2.7.1","metrics":"1.10.5","region":"us-west-2","AppType":"Web Services","Application":"TestApp [source]","request_id":"609bece9f55ac0b2db9","CB_Type":"connector-bundle-webservices","queue":"stg01-uswest2-Training-sbx-cluster-0e31ab4ab67b","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

{"stack":"ccg","pod":"stg01-uswest2","connector-logging":"164","Operation":"Create","clusterId":"4b3dac8a1e04376d157","utilities":"1.12.2","buildNumber":"1077","apiUsername":"3ab7db29","orgType":"","file":"ApacheHttpClientWrapper.java","encryption":"1.12.2","messageType":"provision","connector-bundle-identityiq":"257","line_number":330,"@version":1,"CB_version":"1626","cloud-modules-api":"2.1.2","logger_name":"connector.common.http.client.impl.ApacheHttpClientWrapper","mantis-client":"1.12.2","class":"connector.common.http.client.impl.ApacheHttpClientWrapper","ParentOperation":"ProvisioningOperation","atlas-api":"2.7.1","va-gateway-client":"60","connector-bundle-utilities":"10","tracing":"1.12.2","clientId":"3ab7db29","request_milliseconds":"2048","source_host":"1f4e25","method":"execute","org":"Training-sbx","level":"INFO","IdentityIQ":"8.3p4 Build 0241202-173620","message":"Response received for URL https:\/\/TestApp.com\/work\/api\/*****\/customers\/1\/libraries\/users in 231 millis, status code 201, Response size 16 bytes.","pipeline":"1.12.2","@timestamp":"2025-06-16T13:44:57.686Z","NativeIdentity":"a123456","thread_name":"pool-6-thread-443","atlas-util":"2.7.1","metrics":"1.10.5","region":"us-west-2","AppType":"Web Services","Application":"TestApp [source]","request_id":"609bece9f55ac0b2db9","CB_Type":"connector-bundle-webservices","queue":"stg01-uswest2-Training-sbx-cluster-0e31ab4ab67b","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

{"stack":"ccg","pod":"stg01-uswest2","connector-logging":"164","clusterId":"4b3dac8a1e04376d157","utilities":"1.12.2","buildNumber":"1077","apiUsername":"3ab7db29","orgType":"","file":"ProvisionHandler.java","encryption":"1.12.2","messageType":"provision","connector-bundle-identityiq":"257","line_number":162,"@version":1,"CB_version":"1626","cloud-modules-api":"2.1.2","logger_name":"com.sailpoint.ccg.handler.ProvisionHandler","mantis-client":"1.12.2","class":"com.sailpoint.ccg.handler.ProvisionHandler","ParentOperation":"ProvisioningOperation","atlas-api":"2.7.1","va-gateway-client":"60","connector-bundle-utilities":"10","tracing":"1.12.2","clientId":"3ab7db29","request_milliseconds":"2051","source_host":"1f4e25","method":"logProvisioningDuration","org":"Training-sbx","level":"INFO","IdentityIQ":"8.3p4 Build 0241202-173620","message":"{\n  \"ccgLastMilePerformance\" : {\n    \"opString\" : \"Create,password\",\n    \"acctName\" : \"a123456\",\n    \"durationMsecs\" : 1634\n  }\n}","pipeline":"1.12.2","@timestamp":"2025-06-16T13:44:57.688Z","thread_name":"pool-6-thread-443","atlas-util":"2.7.1","metrics":"1.10.5","opStatus":"Success","region":"us-west-2","AppType":"Web Services","Application":"TestApp [source]","request_id":"609bece9f55ac0b2db9","CB_Type":"connector-bundle-webservices","queue":"stg01-uswest2-Training-sbx-cluster-0e31ab4ab67b","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

Note: Please ignore the before provisioning rule reference. It was for testing purpose and I’ve already removed it.


Hi @rg60115

Glad the issue was solved for create account. Looks like the issue was with the add entitlement operation then. Unfortunately, I think the rule was mapped with only the create operation, so it does not give much information about the add entitlement operation in the logs.

Do you mind sharing the group schema and expected payload? Is there another field id of the role, or is id the same as the name of the role?

Thank You
Regards
Vikas.

Hi @rg60115 ,

Could you please share the Add Role request body?

Thanks.

Hi @vguleria and @Rohit_Sahu,

Schema

Add Role
Operation Type: Add Entitlement
URL: /roles/$plan.entitlementValue$/users/$plan.nativeIdentity$
HTTP Method: POST
Body: Empty

Remove Role
Operation Type: Remove Entitlement
URL: /roles/$plan.entitlementValue$/users/$plan.nativeIdentity$
HTTP Method: DELETE
Body: Empty

Sequence of actions
Role assignment: Create an account → Add Role
Role modification: Remove Role → Add Role

Hi @rg60115 ,

Please make sure that in the account schema you marked role as an entitlement and type group/role.

Thanks.

Hi @Rohit_Sahu in the account schema, “id” is listed as an “Entitlement” and Type is “Role”.

Hi @vguleria and @Rohit_Sahu, for the “Add Role” operation, after I changed the operation Type to “Add Entitlement-Role” and the Context URL to “/roles/$plan.id$/users/$plan.nativeIdentity$”, I was able to create the account and add the role. Thank you so much for your help.

For role modification, I need to remove the existing role first and then add the new one. The URL is going to be the same for both actions; the only difference will be the HTTP method (DELETE/POST). Any suggestions on how to tackle this?

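As an added illustration (not SailPoint's code and not anything posted in this thread), the model below shows the split the thread converges on: plain attribute requests feed the Create body through `$plan.<attr>$` placeholders, while values of the entitlement attribute (`id` here) never enter the Create payload and instead drive the Add/Remove Entitlement URL, with removes ordered before adds for the modification case. The placeholder syntax, the templates and the `/roles/{role}/users/{account}` endpoints come from the thread; the plan layout, the `/users` create path, the `render`/`build_calls` helpers and the sample values are assumptions of the example.

```python
import json
import re

# Matches the $plan.<attribute>$ placeholders used in the connector templates.
PLACEHOLDER = re.compile(r"\$plan\.([A-Za-z_][A-Za-z0-9_]*)\$")


def render(template, context):
    """Replace every $plan.<name>$ with context[name]. An unknown name raises,
    so a misspelt placeholder (e.g. $plan.userId$ for userid) fails loudly
    instead of being sent to the target as an empty string."""
    def substitute(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"plan has no attribute {name!r}")
        return str(context[name])
    return PLACEHOLDER.sub(substitute, template)


def build_calls(plan, entitlement_attr, create_body_template, role_url_template):
    """Split one account request into ordered HTTP calls (method, url, body).

    plan["add"] / plan["remove"] are (attribute, value) lists as shown in the
    account activity. Values of entitlement_attr are routed to Add/Remove
    Entitlement calls; only plain attributes may feed the Create body.
    """
    if entitlement_attr in PLACEHOLDER.findall(create_body_template):
        raise ValueError(f"create body must not reference $plan.{entitlement_attr}$")
    nid = plan["nativeIdentity"]
    ent_removes = [v for a, v in plan.get("remove", []) if a == entitlement_attr]
    ent_adds = [v for a, v in plan.get("add", []) if a == entitlement_attr]
    plain = {a: v for a, v in plan.get("add", []) if a != entitlement_attr}

    calls = []
    if plan["op"] == "Create":
        body = render(create_body_template, dict(plain, nativeIdentity=nid))
        calls.append(("POST", "/users", json.loads(body)))  # must stay valid JSON
    # Remove the old role before adding the new one, as the thread's sequence requires.
    for method, values in (("DELETE", ent_removes), ("POST", ent_adds)):
        for value in values:
            ctx = {"entitlementValue": value, entitlement_attr: value,
                   "nativeIdentity": nid}
            calls.append((method, render(role_url_template, ctx), None))
    return calls


# Templates taken from the thread's final working configuration.
CREATE_BODY = """{
  "userid": "$plan.nativeIdentity$",
  "fullname": "$plan.fullname$",
  "email": "$plan.email$",
  "logon": "true"
}"""
ROLE_URL = "/roles/$plan.id$/users/$plan.nativeIdentity$"

# Constructed plans mirroring the account activity in the thread (the e-mail
# is a placeholder value).
ASSIGN_PLAN = {"nativeIdentity": "a123456", "op": "Create", "remove": [],
               "add": [("id", "TestRole"), ("fullname", "John Doe"),
                       ("email", "jdoe@example.com"), ("logon", "true")]}
MODIFY_PLAN = {"nativeIdentity": "a123456", "op": "Modify",
               "remove": [("id", "TestRole")], "add": [("id", "NewRole")]}

if __name__ == "__main__":
    for plan in (ASSIGN_PLAN, MODIFY_PLAN):
        for method, url, body in build_calls(plan, "id", CREATE_BODY, ROLE_URL):
            print(method, url, json.dumps(body) if body else "")
```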