JDBC Account Provisioning is happening but verifying is failing

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

I have issue with a JDBC account request not getting verfied.

the sql statement:
SELECT Users.*, Roles.roleName AS role
FROM Lebara360.Users
LEFT JOIN Lebara360.UserRoles
ON Users.UserId = UserRoles.UserId
LEFT JOIN Lebara360.Roles
ON Roles.roleid = UserRoles.RoleId
WHERE Users.Username <> ‘admin’
ORDER BY Users.UserId;

the get objectsql:
SELECT Users.*, Roles.roleName AS role
FROM Lebara360.Users
LEFT JOIN Lebara360.UserRoles
ON Users.UserId = UserRoles.UserId
LEFT JOIN Lebara360.Roles
ON Roles.roleid = UserRoles.RoleId
WHERE Users.Username <> ‘admin’
and Users.UserId = ‘$(identity)’
order by Users.UserId;

the logs:

2024-04-30T10:57:25,069 DEBUG QuartzScheduler_Worker-4 sailpoint.connector.JDBCConnector:1826 - SQL statement[SELECT Users.*, Roles.roleName AS role
FROM Lebara360.Users
LEFT JOIN Lebara360.UserRoles
ON Users.UserId = UserRoles.UserId
LEFT JOIN Lebara360.Roles
ON Roles.roleid = UserRoles.RoleId
WHERE Users.Username <> ‘admin’
and Users.UserId = ‘246’
order by Users.UserId;].
2024-04-30T10:57:25,069 DEBUG QuartzScheduler_Worker-4 sailpoint.connector.JDBCConnector:603 - Boolean variable _bStoreNextResultInMap is false
2024-04-30T10:57:25,069 DEBUG QuartzScheduler_Worker-4 sailpoint.connector.JDBCConnector:2343 - Returning : <?xml version='1.0' encoding='UTF-8'?>

provisioning is happening and verification is failing after running the aggregation and preform identity request maintenance

Screenshot 2024-04-30 1152441410×438 13.9 KB

@AhmedWaleed
Is the account getting properly created at target?

Yes it is, we are not provisioning all attributes yet but what we have in the code its provisioning.

Can you share a screenshot of the access request the the request details and the provisioning engine part specifically?

Please make sure that the get account query returns all the attributes that are mentioned in the Access request. If there will be any attribute that IIQ is trying to provision but not able to fetch (via get account query), it will always remain in verifying state

Check Access Request , Provisioning transaction it will give to detail which attribute is not finished / completed . Some time the format / case of the particular attribute mismatch .

Also you have written query for single account aggregation ?

Hello,

Please find below

Screenshot 2024-05-02 1127531891×507 19.6 KB

There is another page but community is not allowing me to add more than 1

There is a date in the query, should i return the date in a specific format?

I checked the query, the query does return all queries:
SELECT Users.*, Roles.roleId AS role
FROM Lebara360.Users
LEFT JOIN Lebara360.UserRoles
ON Users.UserId = UserRoles.UserId
LEFT JOIN Lebara360.Roles
ON Roles.roleid = UserRoles.RoleId
WHERE Users.Username <> ‘admin’
and Users.UserId = ‘$(identity)’
order by Users.UserId;

Try the format that is returned by tbe query. The idea is all the attributes provisioned should be returned by the get user operation

Please increase the list of attributes shown here to show all of them at once. Also, as @Abhisinha89 mentioned make sure that the get account query returns all the attributes that are mentioned in the request.

@AhmedWaleed : Let us know if you issue is resolved, happy to assist

Hello Sorry for the late reply,

image1849×714 23 KB

this is the getObjectSqQL:

SELECT Users.UserId As UserId,
Users.Username As Username,
Users.DisplayName As DisplayName,
Users.Email As Email,
Users.Source As Source,
Users.InsertUserId, InsertUserId,
Users.IsActive As Status,
Users.IdNumber As IdNumber,
Roles.roleID AS role
FROM Lebara360.Users
LEFT JOIN Lebara360.UserRoles
ON Users.UserId = UserRoles.UserId
LEFT JOIN Lebara360.Roles
ON Roles.roleid = UserRoles.RoleId
WHERE Users.Username <> ‘admin’
and Users.UserId = ‘$(identity)’
order by Users.UserId;

I can see the following from the logs:
2024-05-13T12:39:18,581 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:2343 - User : 255
2024-05-13T12:39:18,581 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:2343 - Object Type : account
2024-05-13T12:39:18,583 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:1826 - SQL statement[SELECT Users.UserId As UserId,
Users.Username As Username,
Users.DisplayName As DisplayName,
Users.Email As Email,
Users.Source As Source,
Users.InsertUserId, InsertUserId,
Users.IsActive As Status,
Users.IdNumber As IdNumber,
Roles.roleID AS role
FROM Lebara360.Users
LEFT JOIN Lebara360.UserRoles
ON Users.UserId = UserRoles.UserId
LEFT JOIN Lebara360.Roles
ON Roles.roleid = UserRoles.RoleId
WHERE Users.Username <> ‘admin’
and Users.UserId = ‘255’
order by Users.UserId;].
2024-05-13T12:39:18,584 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:603 - Boolean variable _bStoreNextResultInMap is false
2024-05-13T12:39:18,586 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:2343 - Returning : <?xml version='1.0' encoding='UTF-8'?>

rest of the logs:
2024-05-13T12:39:18,581 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:2343 - User : 255
2024-05-13T12:39:18,581 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:2343 - Object Type : account
2024-05-13T12:39:18,583 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:1826 - SQL statement[SELECT Users.UserId As UserId,
Users.Username As Username,
Users.DisplayName As DisplayName,
Users.Email As Email,
Users.Source As Source,
Users.InsertUserId, InsertUserId,
Users.IsActive As Status,
Users.IdNumber As IdNumber,
Roles.roleID AS role
FROM Lebara360.Users
LEFT JOIN Lebara360.UserRoles
ON Users.UserId = UserRoles.UserId
LEFT JOIN Lebara360.Roles
ON Roles.roleid = UserRoles.RoleId
WHERE Users.Username <> ‘admin’
and Users.UserId = ‘255’
order by Users.UserId;].
2024-05-13T12:39:18,584 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:603 - Boolean variable _bStoreNextResultInMap is false
2024-05-13T12:39:18,586 DEBUG QuartzScheduler_Worker-1 sailpoint.connector.JDBCConnector:2343 - Returning : <?xml version='1.0' encoding='UTF-8'?>

Hi and Hello,
Your SQL uses different quote characters for string literals (‘admin’ and ‘255’). Make sure to use standard single quotes (‘admin’, ‘255’) to avoid syntax errors.

WHERE Users.Username <> ‘admin’
and Users.UserId = ‘255’

Regards,
Adam

Hello Adam,

Its the same single quotes used in the aggregation sql and its returning data.

Hello All,

I found out the IdNumber was not getting provisioned and it was failing, corrected this and still not working.

image1870×684 24 KB

<ResourceObject displayName="Sailpoint test21" identity="256" objectType="account">
  <Attributes>
    <Map>
      <entry key="DisplayName" value="Sailpoint test21"/>
      <entry key="Email" value="sailpoint.test21@lebara.sa"/>
      <entry key="IIQDisabled" value="false"/>
      <entry key="IdNumber" value="1"/>
      <entry key="InsertUserId" value="1"/>
      <entry key="Source" value="ldap"/>
      <entry key="Status" value="1"/>
      <entry key="UserId" value="256"/>
      <entry key="Username" value="sailpoint.test21"/>
      <entry key="role">
        <value>
          <List>
            <String>11</String>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</ResourceObject>

as per this screenshot nothing is provisioning, everything shows as failed. The actual issue was not being able to verify. Are you sure that this request shown in screenshot was provisioned?

Hello,

It was provisioning and stuck on the verifying then I run aggregation and then preform request maintenance and it will then fail.

Otherwise, i was able to solve the issue.

The identity attribute for the sql schema of the accounts was the UserId which was generated in the DB, when i switched to username now its working.

Thanks for the help everyone.

Yes date should be in same format as exist in target system otherwise that attribute will show as in verified .