Issue with assimilateAccountIdChanges Method in SailPoint IdentityIQ 8.3

I am currently working with SailPoint IdentityIQ version 8.3 and have encountered an issue with the assimilateAccountIdChanges method. This method is intended to synchronize nativeIdentity values between ApprovalSet and AccountRequest objects within a ProvisioningProject. However, I have observed that the method does not consistently update the nativeIdentity values as expected. This post outlines the issue, the expected behavior, and includes relevant details such as the ProvisioningProject XML, trace logs, and screenshots for further analysis.

During testing, I provided the following inputs:

  1. ProvisioningProject:
  • Contains two AccountRequest objects for the “Active Directory Application”:
    • AccountRequest 1:
      • nativeIdentity: CN=Andrew Gray,OU=People,OU=Demo,DC=Eshiam,DC=com
    • AccountRequest 2:
      • nativeIdentity: CN=Andrea Hudson,OU=People,OU=Demo,DC=Eshiam,DC=com
  2. ApprovalSet:
  • Contains two ApprovalItem objects for the “Active Directory Application”:
    • ApprovalItem 1:
      • nativeIdentity: CN=Andrew Gray,OU=People,OU=Demo,DC=Eshiam,DC=com
    • ApprovalItem 2:
      • nativeIdentity: CN=Andrea Hudson,OU=People,OU=Demo,DC=Eshiam,DC=com

After executing the method, I expected the ApprovalSet to be updated as follows:

  • ApprovalItem 1:
    • nativeIdentity: CN=Andrew Gray,OU=People,OU=Demo,DC=Eshiam,DC=com
    • nativeIdUpdated: true
  • ApprovalItem 2:
    • nativeIdentity: CN=Andrea Hudson,OU=People,OU=Demo,DC=Eshiam,DC=com
    • nativeIdUpdated: true

However, the actual output was incorrect:

  • ApprovalItem 1:
    • nativeIdentity: CN=Andrew Gray,OU=People,OU=Demo,DC=Eshiam,DC=com
    • nativeIdUpdated: true
  • ApprovalItem 2:
    • nativeIdentity: CN=Andrew Gray,OU=People,OU=Demo,DC=Eshiam,DC=com (incorrect)
    • nativeIdUpdated: true

assimilateAccountIdChanges_TRACE.xml (130.8 KB)

Provisioning Plan:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
  <AccountRequest application="Active Directory Application" nativeIdentity="CN=Andrew Gray,OU=People,OU=Demo,DC=Eshiam,DC=com" op="Modify">
    <AttributeRequest name="memberOf" op="Add" value="CN=Access Control Assistance Operators,CN=Builtin,DC=Eshiam,DC=com"/>
  </AccountRequest>
  <AccountRequest application="Active Directory Application" nativeIdentity="CN=Andrea Hudson,OU=People,OU=Demo,DC=Eshiam,DC=com" op="Modify">
    <AttributeRequest name="memberOf" op="Add" value="CN=Account Operators,CN=Builtin,DC=Eshiam,DC=com"/>
  </AccountRequest>
</ProvisioningPlan>

I’m passing my Provisioning Plan to the OOTB LCM Provisioning workflow.
My BeanShell code:

  import sailpoint.object.Identity;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import java.util.Date;
  import sailpoint.tools.Util;
  import java.text.SimpleDateFormat;
  import java.util.HashMap;
  import sailpoint.api.SailPointContext;
  import sailpoint.api.Workflower;
  import sailpoint.object.Workflow;
  import sailpoint.object.WorkflowLaunch;
  import sailpoint.tools.GeneralException;
  import sailpoint.tools.xml.XMLObjectFactory;
  import sailpoint.object.Bundle;

  // Identity the plan is built for
  Identity identity = context.getObjectByName(Identity.class, "1038");

  ProvisioningPlan plan = new ProvisioningPlan();
  plan.setIdentity(identity);

  // First AD account: add a memberOf value to Andrew Gray
  AccountRequest accReq = new AccountRequest();
  accReq.setApplication("Active Directory Application");
  accReq.setNativeIdentity("CN=Andrew Gray,OU=People,OU=Demo,DC=Eshiam,DC=com");
  accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
  accReq.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Add, "CN=Access Control Assistance Operators,CN=Builtin,DC=Eshiam,DC=com"));
  plan.add(accReq);

  // Second AD account on the same application: add a memberOf value to Andrea Hudson
  AccountRequest accReq1 = new AccountRequest();
  accReq1.setApplication("Active Directory Application");
  accReq1.setNativeIdentity("CN=Andrea Hudson,OU=People,OU=Demo,DC=Eshiam,DC=com");
  accReq1.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
  accReq1.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Add, "CN=Account Operators,CN=Builtin,DC=Eshiam,DC=com"));
  plan.add(accReq1);

  // Workflow launch variables
  HashMap launchArgsMap = new HashMap();
  launchArgsMap.put("identityName", identity.getName());
  launchArgsMap.put("plan", plan);

  // Launch the OOTB LCM Provisioning workflow with the plan
  WorkflowLaunch wflaunch = new WorkflowLaunch();
  Workflow wf = (Workflow) context.getObjectByName(Workflow.class, "LCM Provisioning");
  wflaunch.setWorkflowName(wf.getName());
  wflaunch.setWorkflowRef(wf.getName());
  wflaunch.setCaseName("LCM Provisioning");
  wflaunch.setVariables(launchArgsMap);

  Workflower workflower = new Workflower(context);
  WorkflowLaunch launch = workflower.launch(wflaunch);

Before Approval Access Request:

Account names are showing the same.

Before Approval Workitem Owner:

Before Approval Workitem Manager:

After Approval Access Request:

After approval, it's showing the account names fine.

It looks like the matching it does in assimilateAccountIdChanges is a little too simplistic for what you’re trying to achieve. Does this still happen if you set approvalSplitPoint to have it split everything out per entitlement?

https://community.sailpoint.com/t5/Technical-White-Papers/Lifecycle-Manager-Workflows/ta-p/71301#toc-hId-1421773294
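
The symptom reported in this thread, modelled as an added example (not IdentityIQ's code and not from either poster): a loose rule that matches approval items to account requests by application name alone reproduces the wrong nativeIdentity on the second item, and a consistency check against the plan flags it before an approver sees it. The `Request` and `Item` records, the `BY_APP` rule and all method names are hypothetical stand-ins; how assimilateAccountIdChanges actually matches is not shown on this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiPredicate;

public class ApprovalMatchDemo {
    // Simplified stand-ins (assumed shapes), one attribute request per account request.
    record Request(String app, String nativeId, String attr, String value) {}
    record Item(String app, String nativeId, String attr, String value) {}

    // Copy the nativeIdentity of the first request the rule accepts onto each item.
    static List<Item> assimilate(List<Item> items, List<Request> reqs, BiPredicate<Item, Request> rule) {
        List<Item> out = new ArrayList<>();
        for (Item i : items) {
            Request hit = reqs.stream().filter(r -> rule.test(i, r)).findFirst().orElse(null);
            out.add(hit == null ? i : new Item(i.app(), hit.nativeId(), i.attr(), i.value()));
        }
        return out;
    }

    // Hypothetical loose rule: application name only.
    static final BiPredicate<Item, Request> BY_APP = (i, r) -> i.app().equals(r.app());
    // Stricter rule: application plus the requested attribute and value.
    static final BiPredicate<Item, Request> BY_ENTITLEMENT =
        (i, r) -> BY_APP.test(i, r) && i.attr().equals(r.attr()) && i.value().equals(r.value());

    // Items whose (app, nativeId, attr, value) tuple matches no request in the plan.
    static List<Item> mismatches(List<Item> items, List<Request> reqs) {
        List<Item> bad = new ArrayList<>();
        for (Item i : items) {
            boolean ok = reqs.stream()
                .anyMatch(r -> BY_ENTITLEMENT.test(i, r) && i.nativeId().equals(r.nativeId()));
            if (!ok) bad.add(i);
        }
        return bad;
    }

    public static void main(String[] args) {
        // Sample data constructed from the plan shown in the post.
        String app = "Active Directory Application";
        String gray = "CN=Andrew Gray,OU=People,OU=Demo,DC=Eshiam,DC=com";
        String hudson = "CN=Andrea Hudson,OU=People,OU=Demo,DC=Eshiam,DC=com";
        String g1 = "CN=Access Control Assistance Operators,CN=Builtin,DC=Eshiam,DC=com";
        String g2 = "CN=Account Operators,CN=Builtin,DC=Eshiam,DC=com";
        List<Request> reqs = List.of(new Request(app, gray, "memberOf", g1), new Request(app, hudson, "memberOf", g2));
        List<Item> items = List.of(new Item(app, gray, "memberOf", g1), new Item(app, hudson, "memberOf", g2));
        System.out.println("loose rule mismatches:  " + mismatches(assimilate(items, reqs, BY_APP), reqs));
        System.out.println("strict rule mismatches: " + mismatches(assimilate(items, reqs, BY_ENTITLEMENT), reqs));
    }
}
```

The stricter rule is still ambiguous when two accounts on one application request the same entitlement value, so the `mismatches` check is the part worth keeping as a guard in front of the approval step.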
