Identity Attribute is Not Showing in Identity warehouse Application Accounts account Attributes

Which IIQ version are you inquiring about?

Version 8.4

Please share any images or screenshots, if relevant.



Share all details related to your problem, including any error messages you may have received.

Hello everyone,

Identity Attribute (UI Configuration) or nativeIdentity (Provisioning Plan)

I have configured the Identity Attribute as an Employee ID, which is showing up in nativeIdentity in my Provisioning Plan. However, after the provisioning is committed, the Employee ID attribute and its value do not appear in my identity account (Link) section.

Here is my Provisioning Plan:

<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="Dale Bishop" targetIntegration="ACCESSWARDEN-IntegrationConfig" trackingId="5222d3920bb446ebaf6663f70999ce56">
  <AccountRequest application="AccessWarden" nativeIdentity="1c2c3b4d" op="Create">
    <Attributes>
      <Map>
        <entry key="attachmentConfigList"/>
        <entry key="attachments"/>
        <entry key="flow" value="AccessRequest"/>
        <entry key="id" value="c0a800c18e75131d818e7eb0ff920d4b"/>
        <entry key="interface" value="LCM"/>
        <entry key="nativeIdUpdated">
          <value>
            <Boolean>true</Boolean>
          </value>
        </entry>
        <entry key="operation" value="EntitlementAdd"/>
      </Map>
    </Attributes>
    <AttributeRequest assignmentId="853af6538d6b462297d538473447171f" displayValue="AccountingGeneral" name="GroupID" op="Add" value="G1">
      <Attributes>
        <Map>
          <entry key="assignment" value="true"/>
        </Map>
      </Attributes>
    </AttributeRequest>
    <AttributeRequest name="Name" op="Set" value="Dale Bishop"/>
    <AttributeRequest name="FirstName" op="Set" value="Dale"/>
    <AttributeRequest name="Lastname" op="Set" value="Bishop"/>
    <AttributeRequest name="Department" op="Set" value="Accounting"/>
    <AttributeRequest name="EmailAddress" op="Set" value="[email protected]"/>
    <AttributeRequest name="NetworkID" op="Set" value="Dale.Bishop"/>
    <AttributeRequest name="EmployeeID" op="Set" value="1c2c3b4d"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0000000679"/>
      <entry key="requester" value="spadmin"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="c0a81d398c5718db818c5799179a00ea" name="spadmin"/>
  </Requesters>
</ProvisioningPlan>

One more thing to note is that I’m using the Delimited File Connector for the Integration Config Object in provisioning. However, I’m not writing to any file; it only performs a one-time aggregation in SailPoint. Our main goal is to handle provisioning within SailPoint.

Has anyone else experienced this issue or have any insights on why the Employee ID attribute isn’t showing up in the identity account section after provisioning?

Thank you.

It seems like you are losing employeeID somewhere during provisioning. Could you please add the integration executor class here, or at least the provision method?
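One way to check whether a captured plan still carries the identity attribute at a given stage, as an added example that is not part of the original thread. The function name `audit_plan` is hypothetical, the sample is a trimmed copy of the plan posted above, and the check assumes scalar `value` attributes on each `AttributeRequest`:

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the ProvisioningPlan posted above.
PLAN_XML = """<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="Dale Bishop">
  <AccountRequest application="AccessWarden" nativeIdentity="1c2c3b4d" op="Create">
    <AttributeRequest name="GroupID" op="Add" value="G1"/>
    <AttributeRequest name="Department" op="Set" value="Accounting"/>
    <AttributeRequest name="EmployeeID" op="Set" value="1c2c3b4d"/>
  </AccountRequest>
</ProvisioningPlan>"""


def audit_plan(plan_xml, identity_attr="EmployeeID"):
    """For each AccountRequest, report whether the identity attribute is also
    carried as an explicit AttributeRequest that matches nativeIdentity."""
    root = ET.fromstring(plan_xml)
    findings = []
    for acct in root.iter("AccountRequest"):
        native_id = acct.get("nativeIdentity")
        # Direct children only: nested <Attributes> maps are request metadata.
        requested = {}
        for req in acct.findall("AttributeRequest"):
            requested.setdefault(req.get("name"), []).append(req.get("value"))
        values = requested.get(identity_attr, [])
        if not values:
            status = "missing"    # attribute never reached this plan
        elif native_id in values:
            status = "ok"         # attribute present and equal to nativeIdentity
        else:
            status = "mismatch"   # present, but differs from nativeIdentity
        findings.append({
            "application": acct.get("application"),
            "op": acct.get("op"),
            "nativeIdentity": native_id,
            "status": status,
            "attributes": sorted(requested),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_plan(PLAN_XML):
        print(finding)
```

Running it against the plan as logged before and after the provisioning rule shows at which stage the attribute is dropped, if it is dropped at all.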

Since it is the Identity Attribute aka Native Identity, it is shown as Account Name.

To get the Employee ID also in the list of attributes (workaround) you can use the following:

  • Gear->Global Settings->Account Attributes
  • Add EmployeeID as Account (Link) Attribute

I hope this helps :slight_smile:

– Remold

  public ProvisioningResult provision(ProvisioningPlan plan) throws Exception {
    ProvisioningResult provResult = new ProvisioningResult();
    if (plan != null && this.context != null) {
      // Hand the plan and the executor configuration to the provisioning rule
      Map<Object, Object> ruleArgs = new HashMap<>();
      ruleArgs.put("plan", plan);
      ruleArgs.put("configMap", this.configMap);
      Rule ruleObject = (Rule)this.context.getObjectByName(Rule.class, strRuleName);
      if (ruleObject == null) {
        provResult.setStatus("failed");
        provResult.addError("Rule object not found with name : " + strRuleName);
      } else {
        // The rule's return value becomes the result of the provisioning call
        provResult = (ProvisioningResult)this.context.runRule(ruleObject, ruleArgs);
      }
    } else {
      provResult.setStatus("failed");
      provResult.addError("The context or plan was null");
    }
    return provResult;
  }

I added the attribute request to the Provisioning Plan:

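import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;
import sailpoint.tools.Util;

// Result object returned to the caller (assumed to be declared here; the posted snippet did not show it)
ProvisioningResult pr = new ProvisioningResult();
List acctReqList = plan.getAccountRequests();
try {
	if (Util.nullSafeSize(acctReqList) > 0) {
		for (AccountRequest acctReq : acctReqList) {
			AccountRequest.Operation operation = acctReq.getOperation();
			StringBuilder userSB = new StringBuilder();
			if (AccountRequest.Operation.Create.equals(operation)) {
				// Copy the native identity into the plan as the EmployeeID attribute
				acctReq.add(new AttributeRequest("EmployeeID", ProvisioningPlan.Operation.Set, acctReq.getNativeIdentity()));
				pr.setStatus(ProvisioningResult.STATUS_COMMITTED);
				return pr;
			}
		}
	}
} catch (Exception e) {
	// The posted try block had no handler; report the failure in the result
	pr.setStatus(ProvisioningResult.STATUS_FAILED);
	pr.addError(e.getMessage());
}
return pr;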

Yes, I agree with your observation: it is showing in Account Name as the Identity Attribute, but my requirement is to display the Identity Attribute in the details section, like:
Department Accounting
Employee ID 1c2c3b4d
etc…

Accounting Mapping is also configured with the same attribute, Employee ID, but it is not showing in the Application Account details section.

I just did some tests on a fresh installation of IIQ 8.4, and actually even the native identity attribute is displayed correctly.

Here I just created some sample CSV app

And here is how the link looks like

I think the problem might be caused by the fact that you are doing “virtual” provisioning. I mean, you provision but do not aggregate, so IIQ cannot read this attribute. I would suggest changing the Delimited File connector to SQL Loader, which allows you to provision to a CSV file without needing to mock provisioning via an integration config.

This solution would in fact do real provisioning to a CSV file, which you would be able to aggregate later on.

3 Likes
