Fail to provision a role

Hi, everyone

I’m trying to provision a role to an identity and I’m using the following code:

    import java.util.ArrayList;
    import java.util.List;
    import sailpoint.api.IdentityService;
    import sailpoint.api.Provisioner;
    import sailpoint.object.Application;
    import sailpoint.object.Bundle;
    import sailpoint.object.Identity;
    import sailpoint.object.Link;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    import sailpoint.object.ProvisioningProject;
    import sailpoint.object.TaskResult;
    import sailpoint.tools.Message;

    Identity identity = context.getObject(Identity.class, "999999999");
    String value = "FTI. Teste";
    Bundle bundle = context.getObject(Bundle.class, value);

    String type = "it";
    String operation = "Add";
    String application = "AD XPTO D";

    String targetIdentityName = identity.getName();
    String requesterIdentityName = "spadmin";

    // Look up the identity's account (Link) on the target application
    IdentityService identityService = new IdentityService(context);
    Application CPUA = context.getObjectByName(Application.class, application);
    List<Link> account = identityService.getLinks(identity, CPUA);

    String nativeIdentity = (String) account.get(0).getNativeIdentity();

    ProvisioningPlan plan = new sailpoint.object.ProvisioningPlan();
    plan.setIdentity(identity);
    ArrayList requesters = new ArrayList();
    requesters.add(context.getObject(Identity.class, requesterIdentityName));
    plan.setRequesters(requesters);
    plan.setSource("LCM");
    plan.setComments("Added by API");

    // The account request targets the AD application directly
    AccountRequest acctReq = new AccountRequest();
    acctReq.setApplication(application);
    acctReq.setNativeIdentity(nativeIdentity);
    acctReq.setOperation(AccountRequest.Operation.Modify);
    AttributeRequest attributeRequest = new AttributeRequest();
    if (operation.equals("Add"))
    {
        attributeRequest.setOp(ProvisioningPlan.Operation.Add);
    }
    else
    {
        attributeRequest.setOp(ProvisioningPlan.Operation.Remove);
    }

    // The role name is sent as the value of an account attribute named "it"
    attributeRequest.setValue(value);
    attributeRequest.setName(type);
    acctReq.add(attributeRequest);
    plan.add(acctReq);
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
    String msg = "";
    TaskResult task = new TaskResult();
    provisioner.saveResults(task);
    ProvisioningProject project = provisioner.getProject();
    List<Message> listMsgs = project.getErrorMessages();
    if (!listMsgs.isEmpty())
    {
        for (Message listMsg : listMsgs)
        {
            msg = listMsg.getMessage();
        }
    }

    return msg;

However, I’m getting this error when I try to execute my code:

Error(s) reported back from the IQService - Failed to update attributes for identity CN=Luis Fernando, OU=Usuarios, OU=AdmCentral, DC=itaud, DC=des, DC=ihf. The specified directory service attribute or value does not exist.

I already checked the identity and their account exists, the role also exists.

Can someone help me find what is wrong?

It seems you are trying to provision the “bundle” object to AD. This will not work, because if you want to provision a role you have to provision it to the application “IIQ”, not to the target; this will be done by expansion in the provisioning engine.

The error you get is because you tried to assign an attribute (the role) in AD where this attribute does not exist; this is also what the error says.

You have to either provision the role via the IIQ application in the provisioning plan, or provision the ManagedAttribute directly to the AD application (without the role).

Is this also valid for other applications that are not AD? I’m trying to provision for another application and getting the following:

sailpoint.connector.InvalidConfigurationException: [ InvalidConfigurationException ]
[ Error details ] [LDAP: error code 17 - R001012 Attribute type ‘it’ is not defined (normalize_attr_value_list:1536)]

Yep, it applies to all apps.

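The plan shape the answers describe, as an added example that is not part of the original posts: the role request goes to the internal IIQ application through the `assignedRoles` attribute, and IdentityIQ expands it into the target-application changes. It reuses the identity and role values from the question and assumes the role's type allows direct assignment.

```java
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Message;

// Identity and role values as given in the question.
Identity identity = context.getObject(Identity.class, "999999999");
Bundle role = context.getObject(Bundle.class, "FTI. Teste");

// Refuse to build a plan for a missing identity or a missing/disabled role.
if (identity == null || role == null || role.isDisabled()) {
    throw new GeneralException("Identity or role not found, or role is disabled");
}

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);
plan.setSource("LCM");
plan.setComments("Added by API");

// The request targets the internal IIQ application, not AD.
// The native identity of the IIQ "account" is the identity name.
AccountRequest acctReq = new AccountRequest();
acctReq.setApplication(ProvisioningPlan.APP_IIQ);              // "IIQ"
acctReq.setNativeIdentity(identity.getName());
acctReq.setOperation(AccountRequest.Operation.Modify);
acctReq.add(new AttributeRequest(
        ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,               // "assignedRoles"
        ProvisioningPlan.Operation.Add,
        role.getName()));
plan.add(acctReq);

// Compile first so role expansion produces the per-application requests,
// then execute the compiled project.
Provisioner provisioner = new Provisioner(context);
ProvisioningProject project = provisioner.compile(plan);
provisioner.execute(project);

// Return every error reported, not only the last one.
StringBuilder errors = new StringBuilder();
List msgs = project.getErrorMessages();
if (msgs != null) {
    for (Object m : msgs) errors.append(((Message) m).getMessage()).append("\n");
}
return errors.toString();
```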