How do I provision accounts to a Web Services source without entitlements?

Hello!

I have a Web Services source that’s (presumably) fully configured, but it doesn’t seem to be creating accounts in the source. I have the Create profile all set up, I have the source listed under “Source Accounts to Enable” in the Provisioning tab for the appropriate lifecycle state in the appropriate Identity Profile, I have my HTTP Operations configured (Test Connection, Account Aggregation, Get Object, Update Account, Enable Account, Disable Account, and Create Account). The other operations all appear to be working, but Create Account never seems to actually fire.

I think the wrinkle here is that I don’t have an HTTP Operation configured for Add Entitlement, because I don’t have an endpoint to add entitlements. In fact, I don’t even want to manage Entitlements for this source through IDN, I only care about account provisioning (accounts are automatically granted the basic “General User” entitlement upon creation). If I create an Access Profile with one of the generic entitlements and add that to the Identity Profile’s Lifecycle State, or if I add it to a role and assign that role to an identity, then I get nullPointerExceptions, presumably because of the lack of the Add Entitlement operation.

So how can I provision accounts to a source when I don’t actually want to manage any Entitlements?

Thanks!
-Mark

Hi @sup3rmark

How can you create an account in IDN ?

  • Either by requesting Role/AccessProfile/Entitlement or auto assigning Role/AccessProfile.

  • We don’t have create account without requesting an access in IDN like we have in IIQ through Manage Accounts Quicklink. (If you are familiar with IIQ).

  • So you don’t have a choice here, you need to have some access.

If you don’t have any entitlement in your source, make any generic attribute which is common for all users. Like Status or description.

I would go with status, we can create users with active status.

Duplicate create account HTTP operation and use it for Add Entitlement operation.

Hope this helps :slight_smile:

Thanks
Krish

Thanks for the suggestion, @MVKR7T!

I’ve spent the past week trying this in my dev environment in various ways, but no joy.

Here’s what I’ve tried:

  1. Configuring an “Add Entitlements” endpoint matching the Create/Enable/Disable/Update Account endpoints.
  2. Adding the source to the “Source Accounts to Enable” list in the “Active” lifecycle state on my default Identity Profile.
  3. Creating an Access Profile and adding the “Everyone” entitlement.
    • I’ve tried adding this to the lifecycle state and separately to a role which I then attempted to assign to a couple of individuals. In both cases, this resulted in identity processing errors that said simply “NullPointerException” with nothing else of use.
    • I’ve also tried doing an Access Request for this access profile, but this also fails. When I go to the View My Requests page, I see a yellow “Contact Helpdesk” message, and clicking into the details just says “Error: Please contact your administrator. An unexpected error occured: java.lang.NullPointerException”
  4. Removing and readding the “roles” attribute (the attribute that reflects the actual entitlements) to the account schema.
  5. Setting “CreateAccountWithEntReq” to True in the source config (via the GUI).
  6. Setting another attribute as an entitlement (as you suggested). Various different scenarios attempted here as well:
    • a “string” type attribute with no entitlement type assigned
    • with a new entitlement type created and assigned, but nothing set up under the schema
    • with a new entitlement type created and assigned, with just one attribute in the schema with the same name as the attribute
  7. Adding different values to the Source “features” config list. I can’t find any explanation of what these mean/do, but I tried “ACCOUNT_ONLY_REQUEST” and “NO_PERMISSIONS_PROVISIONING” to no avail.

If anyone has any other ideas/suggestions/things for me to try, I’m all ears!

Good news! Turns out the issue here was due to an attribute in the Create profile that was enabled as a Static value but had a null value. This is apparently not allowed.

Once I populated a dummy value in there, I was able to provision with no issues using the regular entitlements, with the Add Entitlement operation being a copy of the Create Account operation. Even though there is no entitlement actually added, this seems to not be a problem and IdentityNow is perfectly fine with it.

Not exactly the same issue, but shout out to @zbetz and this post for pointing me down the right path!

3 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.