Are there any examples of password reset within a JDBC provisioning rule? I know it should go within the modify block of the rule, but don’t want password reset to trigger for any modification.
With JDBC, this can be really very tricky. It really depends upon which field you are setting the password in and how you are doing it.
The rule will always contain the ProvisioningPlan object. So you can trace the plan in your rule as an additional check, and remove/ignore the AttributeRequest for your password field from that ProvisioningPlan. And then you may process the remaining plan and build your SQL Query from it and execute it.
Hope this helps.
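One way to apply the approach described above, as an added example that is not from the thread or from SailPoint: a BeanShell rule body that writes the password column only when a Modify request carries a password AttributeRequest, and binds every value as a parameter. The attribute name `password`, the table `APP_USERS`, its columns and the `LOGIN` key are assumptions; `plan` and `connection` are the inputs the rule receives.

```java
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.*;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;

// Assumed names (not from the thread): attribute "password", table APP_USERS and its columns.
String PASSWORD_ATTR = "password";
// Allow-list of plan attribute -> column, because identifiers cannot be bound as parameters.
Map columns = new HashMap();
columns.put("email", "EMAIL");
columns.put("department", "DEPARTMENT");
columns.put(PASSWORD_ATTR, "PASSWORD");

ProvisioningResult result = new ProvisioningResult();
for (AccountRequest req : plan.getAccountRequests()) {
    List attrs = req.getAttributeRequests();
    if (!AccountRequest.Operation.Modify.equals(req.getOperation()) || attrs == null) continue;
    StringBuilder sets = new StringBuilder();   // "COLUMN = ?, COLUMN = ?"
    List binds = new ArrayList();               // values in the same order
    for (AttributeRequest attr : attrs) {
        String column = (String) columns.get(attr.getName());
        // Trace names only; the value of the password attribute must never reach a log.
        System.out.println("modify " + req.getNativeIdentity() + ": " + attr.getName());
        if (column == null) continue;           // not allow-listed: ignored, never spliced into SQL
        if (sets.length() > 0) sets.append(", ");
        sets.append(column).append(" = ?");
        // Assumption: the target stores the password value as delivered in the plan.
        binds.add(attr.getValue());
    }
    if (binds.isEmpty()) continue;              // nothing to write for this request
    binds.add(req.getNativeIdentity());
    PreparedStatement stmt = null;
    try {
        stmt = connection.prepareStatement("UPDATE APP_USERS SET " + sets + " WHERE LOGIN = ?");
        for (int i = 0; i < binds.size(); i++) stmt.setObject(i + 1, binds.get(i));
        stmt.executeUpdate();
    } catch (SQLException e) {
        result.setStatus(ProvisioningResult.STATUS_FAILED);
        result.addError(e);
    } finally {
        if (stmt != null) stmt.close();
    }
}
return result;
```

A Modify request without a password AttributeRequest produces an UPDATE that never names the PASSWORD column, so ordinary modifications leave the stored password untouched.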
Thanks @anon87158948. Do you have an example that you can share to get us started with?
Every IIQ install comes with example rules. In debug you can do a Rule type search for ‘Example JDBC Provision Rule’ and that will give you a great head start.
Hey Justin, sorry, I did not realize this was an IDN request, so the debug comment is not relevant. Here is an example JDBC rule:
import java.util.*;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import sailpoint.object.ProvisioningResult;
import sailpoint.object.ProvisioningPlan.AccountRequest;
// 'plan' and 'connection' are passed into the rule by the connector
List accounts = plan.getAccountRequests();
// Debug output: the plan XML includes attribute values
System.out.println("string is " + plan.toXml());
System.out.println("before for loop");
ProvisioningResult provResult = new ProvisioningResult();
if (accounts.size() > 0) {
    for (int i = 0; i < accounts.size(); i++) {
        AccountRequest temp = (AccountRequest) accounts.get(i);
        System.out.println(temp.getApplication());
        AccountRequest.Operation op = temp.getOperation();
        String accountId = temp.getNativeIdentity();
        System.out.println("identity " + accountId);
        System.out.println("operation " + op);
        PreparedStatement stmt = null;
        try {
            // Build the query with a bound parameter rather than concatenating accountId
            String query = "DELETE FROM USER WHERE FIRSTNAME = ?";
            stmt = connection.prepareStatement(query);
            stmt.setString(1, accountId);
            System.out.println("query is " + query);
            stmt.executeUpdate();
        }
        catch (SQLException e) {
            provResult.setStatus(ProvisioningResult.STATUS_FAILED);
            provResult.addError(e);
        }
        finally {
            // Release the statement whether or not the update succeeded
            if (stmt != null) stmt.close();
        }
    }
}
System.out.println("after the for loop");
return provResult;
Thanks @blake_bowen for the example. We have plenty of JDBC provisioning rules, but we are looking for one specifically dealing with password resets. Maybe we are missing something, but we are not seeing password resets in the Account Activities (other than IDN password resets) so we are struggling with what the Provisioning Plan looks like for these requests. Thanks!
Hey Justin,
You can enable debug on the VA and the JDBC connector. It should dump the provisioning plan to the CCG log. Search for the word “Dumping” in the debug log. The following article contains instructions.
logger.sailpoint.name = sailpoint.connector.JDBCConnector
logger.sailpoint.level = debug
logger.sailpoint.additivity = false
logger.sailpoint.appenderRef.rolling.ref = STDOUT
Cheers,
We have enabled debug on the JDBC connector and are also printing out the plan as part of the JDBC provisioning rule. We see operations like enable and disable coming through (along with their provisioning plans) but do not see anything when a password change is initiated through the UI. This aligns with the missing event in Search. We have ensured that the featureStrings “PASSWORD” and “PROVISIONING” exist on the source.
If anyone has any insight to this, please let us know. Thanks!
Hey Justin,
We’re investigating a password reset issue that is initiated from the application for a JDBC source. Please try a password reset from the logon page and see whether the provisioning plan shows up in the CCG log.
Cheers,