We are trying to configure JDBC applications with Cloud Gateway, and we are seeing issues while provisioning. The issue comes up when the Global Provisioning Rule executes, and the rule fails when we try to fetch objects from the IIQ database, through context.getObject… calls.
Is there an entry in the app XML that can be configured to rectify this behaviour, like (that is used for LogiPlex applications)?
When using Cloud Gateway, direct database queries via context.getObject(...) in provisioning rules may not work as expected because the rule executes in the Cloud Gateway environment, which lacks direct access to the IIQ database. Here are some possible solutions:
1. Ensure the rule runs in IdentityIQ: Move any logic that uses context.getObject(...) to a Before/After Provisioning Rule that runs on the IIQ side instead of Cloud Gateway.
2. Use a TaskDefinition: If you need database access, consider using a Rule Task instead of a Global Provisioning Rule. This allows you to retrieve objects before sending the request to Cloud Gateway.
3. Pre-process with an IdentityRequestProvisioningPlan: Instead of querying the database within the provisioning rule, gather the necessary information beforehand in an IdentityRequestProvisioningPlan and pass it as part of the ProvisioningPlan.
4. Enable debugging logs: Check if the rule is executing in Cloud Gateway by enabling detailed logging in log4j.properties:
Also, I came across another post mentioning that JDBC applications have the tag:
<synchronous>true</synchronous>
It seems to work similarly to the one used for LogiPlex applications. This might be worth exploring to see if it helps with your issue. Try this, and if it doesn’t work, you can proceed with the suggestions I shared earlier.
For context.search(…) calls, a similar issue arises when executing the rule in Cloud Gateway, as it does not have direct access to the IdentityIQ database. In such cases, you may need to move the logic that uses context.search(…) to a Before/After Provisioning Rule running on the IdentityIQ server, just like with context.getObject(…).
Adding the required values to the provisioning plan through the BeforeProvisioning rule works. I can fetch those values in the globalProvisioning rule through the plan.
I’m glad to hear that adding the required values in the BeforeProvisioning rule and then retrieving them in the Global Provisioning Rule through the ProvisioningPlan worked for you.
If this solution resolved your issue, could you mark it as the accepted answer in the forum? This would help others facing similar challenges and also allow me to continue progressing on my journey as a SailPoint Ambassador.
Thanks, and let me know if you have any other questions!
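The hand-off that was confirmed to work in this thread, as an added example that is not code posted by any participant: a BeforeProvisioning rule on the IdentityIQ server looks up the value and stores it in the account request's arguments, and the JDBC provisioning rule reads it back from the plan without touching `context`. The argument name `iiqManagerName` and the choice of the manager's name as the value are assumptions for illustration, and the `sailpoint.object` calls should be checked against the Javadoc of the installed IdentityIQ version.

```java
// ---- Rule 1: BeforeProvisioning rule, executes on the IdentityIQ server ----
// Rule inputs: context, plan, application
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan.AccountRequest;

if (plan != null && plan.getAccountRequests() != null) {
    // A live SailPointContext exists here, so repository lookups work.
    Identity identity = context.getObjectByName(Identity.class, plan.getNativeIdentity());
    Identity manager = (identity != null) ? identity.getManager() : null;
    for (AccountRequest req : plan.getAccountRequests()) {
        if (manager != null) {
            // Pass only the plain value the later rule needs, not the whole
            // Identity object; "iiqManagerName" is a made-up argument name.
            req.put("iiqManagerName", manager.getName());
        }
    }
}

// ---- Rule 2: JDBC provisioning rule, may execute behind Cloud Gateway ----
// Rule input used: plan. No context.getObject(...) or context.search(...) here.
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningResult;

ProvisioningResult result = new ProvisioningResult();
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
for (AccountRequest req : plan.getAccountRequests()) {
    Object managerName = req.get("iiqManagerName");
    if (managerName == null) {
        // Fail the request rather than provisioning with a missing value.
        result.setStatus(ProvisioningResult.STATUS_FAILED);
        result.addError("iiqManagerName was not set by the BeforeProvisioning rule");
        break;
    }
    // managerName is now available to the rule's existing SQL as a bound parameter.
}
return result;
```

Both rule bodies are BeanShell and are meant to be pasted into two separate Rule objects, not run as one script.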