Issue with Null Values When Referencing Identity and Account Attributes in Enable/Disable Mode

Identity Security Cloud (ISC) ISC Discussion and Questions
, , , ,
1

Hi everyone, how are you? :waving_hand:

I’m currently facing an issue with my provisioning policies in Enable/Disable mode.

In these configurations, I referenced both an identity attribute and an account attribute. However, during execution, both attributes return null, even though the values are correctly populated in the identity and account data.

To validate the behavior, I created a new custom attribute in the identity and referenced it in the same policy — and this time, it worked as expected.

This suggests that the issue is not with the reference mechanism itself, but possibly with how the original attributes are being resolved or accessed at runtime.

Below are simplified examples of both **UPDATE (**this works) and DISABLE (its not work) provisioning policies:

{
  "name": "Update",
  "description": null,
  "usageType": "UPDATE",
  "fields": [
    {
      "name": "email_corp",
      "transform": {
        "type": "accountAttribute",
        "attributes": {
          "name": "email_corp",
          "sourceName": "MXM HLG"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}


{
  "name": "Disable",
  "description": null,
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "email_corp",
      "transform": {
        "type": "accountAttribute",
        "attributes": {
          "name": "email_corp",
          "sourceName": "MXM HLG"
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

Has anyone experienced similar behavior or knows if there are specific limitations when referencing identity/account attributes in Enable/Disable mode?

Thanks in advance for any help or insights!

2

Hey @henriqueoliveiraIAM ,

Try using a firstValid transform it .

{
  "name": "Disable",
  "description": null,
  "usageType": "DISABLE",
  "fields": [
    {
      "name": "email_corp",
      "transform": {
        "attributes":{
          "values":[
            {
        "type": "accountAttribute",
        "attributes": {
          "name": "email_corp",
          "sourceName": "MXM HLG"
        }
      },
      {
        "attributes": {
          "value": ""
        },
        "type": "static"
      }
      ]
      },
      "type":"firstValid"
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

Try this transform and let me know if it works.

Thanks,

Naveen

3

Hello Naveen,

how are you ?

I tested with your transform and it gave an error again, sending it as null. I followed a test like this other thread ( How to add extra attributes to the provisioning plan of the Disable account operation of a web services connector? )) and was able to use the email identity attribute, but only when I changed the name of the field I send in the plan. Can you help me with another attempt? Or can I only use the identity field and not the account field?

{
"name": "Disable",
"description": null,
"usageType": "DISABLE",
"fields": [
{
"name": "emaildisable",
"transform": {
"type": "identityAttribute",
"attributes": {
"name": "email"
}
},
"attributes": {},
"isRequired": false,
"type": "string",
"isMultiValued": false
}
]
}

Thanks

4

Hi @henriqueoliveiraIAM You dont appear to be including the attributeName attribute in your accountAttribute transform. The name attribute is the name of the transform, not the name of the attribute. See Account attribute | SailPoint Developer Community

5

Can you provide the provisioning plan? Just want to look into it on how it goes.

6

Hi Suresh, How Are you ?

he follows

               "httpMethodType": "POST",
                "pagingInitialOffset": 0,
                "sequenceNumberForEndpoint": "6",
                "uniqueNameForEndPoint": "Disable",
                "rootPath": "$",
                "body": {
                    "jsonBody": "{ \n  \"usuario_ad\": \"$plan.nativeIdentity$\", \n  \"email_corp\": \"$plan.emaildisable$\", \n  \"ativo\": false,\n  \"motivo\": \"IdentityNow\" \n}",
                    "bodyFormat": "raw"
                },
                "responseCode": [
                    "200"
                ],
                "resMappingObj": {
                    "status": "status"
                },
                "contextUrl": "/Ativ_inativ_usuario?sistema=MXM",
                "pagingSize": 50,
                "curlEnabled": false,
                "header": {
                    "Authorization": "Basic $application.private_key_password$",
                    "Accept": "application/json",
                    "Content-Type": "application/json"
                },
                "operationType": "Disable Account"
7

look at the code as it is

8

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.