LazyInitializationException

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

Which IIQ version are you inquiring about?8.2

Hello all
I have a sod policy run the task check active policy, the policy is activated and a rule runs. this rule should remove a salesforce permissionsetgroup.
And in fact the permission is removed but I have the error in the task


An unexpected error occurred: org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Identity.mitigationExpirations, could not initialize proxy - no Session

logs:

025-05-26T21:30:33,579 ERROR QuartzScheduler_Worker-1 sailpoint.object.LockInfo:448 - class sailpoint.object.Identity reached end of Refresh without lock: E909441
2025-05-26T21:30:33,579 ERROR QuartzScheduler_Worker-1 sailpoint.task.IdentityRefreshExecutor:1624 - RefreshWorker 1 exception: failed to lazily initialize a collection of role: sailpoint.object.Identity.mitigationExpirations, could not initialize proxy - no Session
org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Identity.mitigationExpirations, could not initialize proxy - no Session
	at org.hibernate.collection.internal.AbstractPersistentCollection.throwLazyInitializationException(AbstractPersistentCollection.java:606) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:218) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:585) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:149) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at org.hibernate.collection.internal.PersistentList.iterator(PersistentList.java:155) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at sailpoint.api.Interrogator.checkMitigation(Interrogator.java:699) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.Interrogator.interrogate(Interrogator.java:666) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.Interrogator.interrogate(Interrogator.java:635) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.Identitizer.finishRefresh(Identitizer.java:2914) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.Identitizer.refresh(Identitizer.java:2472) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.task.IdentityRefreshExecutor$RefreshWorker.refreshAndProcess(IdentityRefreshExecutor.java:1585) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.task.IdentityRefreshExecutor$RefreshWorkerPool.queue(IdentityRefreshExecutor.java:1903) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.task.IdentityRefreshExecutor.refresh(IdentityRefreshExecutor.java:1106) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.task.IdentityRefreshExecutor.execute(IdentityRefreshExecutor.java:849) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.TaskManager.runSync(TaskManager.java:909) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.TaskManager.runSync(TaskManager.java:724) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]

Code:



 Identity identity = context.getObjectByName(Identity.class, identity.getName());
    
    List links = identity.getLinks();
    
    for(Link l: links){
     
      if(l.getApplicationName().equalsIgnoreCase(applicationName)){
       
        nativeId = l.getNativeIdentity();
        
      }
      
    }
    
    
    
    AccountRequest accountRequest = new AccountRequest();
    accountRequest.setApplication(applicationName);
    accountRequest.setOperation(AccountRequest.Operation.Modify);
    accountRequest.setNativeIdentity(nativeId);
    
   
    //AccountRequest accountRequest = new AccountRequest(AccountRequest.Operation.Modify, applicationName, null,nativeId);

    
    
    for (String psg : permissionSetGroupToRemove) {

      AttributeRequest attrRequest = new AttributeRequest(entitlementName, ProvisioningPlan.Operation.Remove,psg);
      
    

      attrRequest.put("preferRemoveOverRetain","true");
      attrRequest.put("assignment","true");

      accountRequest.add(attrRequest);
      
    }

    plan.add(accountRequest);
		
    log.debug("CGD_Rule_SOD_Policy_SALESFORCE_Action_By_Alerts:: Executing Provisioning..."); 
    
        log.debug("CGD_Rule_SOD_Policy_SALESFORCE_Action_By_Alerts:: Executing PLAN..." + plan.toXml());
    
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
    ```
2

Hi @RIsidoro

Ensure your IdentityIQ 8.2 installation has all the latest recommended patches.

3

Hi @RIsidoro, is your policy launching a workflow? If so, is the workflow running in the foreground or background?

4

yes , and the issue remains on 8.4

5

No the task runs a rule

7

Bro stop using chat gpt of any LLM for the answers , omg

2 Likes
8

This basicly means your are initializing a object using a lazy relation. just add a line after the for Link link = l; and that should be fixed.

9

I try that. Issue remains…

I try adding Hibernate.initialize(identity.getMitigationExpirations());
And it solves but i am not sure about impacts

10

JKust noted that is complaining about the Roles, did you initialized the List?

12

What arguments are you setting on the task? Can you share the task definition?

13 
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition created="1747990598922" id="0a0bd24e96f41e618196fc5bd50a15d8" modified="1748425810899" name="Refresh Identity Cube - Remove AttAssignments" resultAction="Rename" subType="task_item_type_identity" type="Identity">
  <Attributes>
    <Map>
      <entry key="TaskDefinition.runLengthAverage" value="2"/>
      <entry key="TaskDefinition.runLengthTotal" value="163"/>
      <entry key="TaskDefinition.runs" value="81"/>
      <entry key="TaskSchedule.host"/>
      <entry key="checkHistory" value="false"/>
      <entry key="checkPolicies" value="true"/>
      <entry key="correlateEntitlements" value="true"/>
      <entry key="correlateScope" value="false"/>
      <entry key="deleteDormantGroups" value="false"/>
      <entry key="disableIdentityProcessingThreshold" value="false"/>
      <entry key="disableManagerLookup" value="false"/>
      <entry key="doManualActions" value="false"/>
      <entry key="enableManualAccountSelection" value="false"/>
      <entry key="enablePartitioning" value="false"/>
      <entry key="excludeInactive" value="false"/>
      <entry key="filterNeedsRefresh" value="false"/>
      <entry key="forceWorkflow" value="false"/>
      <entry key="includeWindowModified" value="false"/>
      <entry key="keepInactiveViolations" value="false"/>
      <entry key="markDormantScopes" value="false"/>
      <entry key="noAutoCreateScopes" value="false"/>
      <entry key="noMaintenanceWindowRetry" value="false"/>
      <entry key="noResetNeedsRefresh" value="false"/>
      <entry key="noRoleDeprovisioning" value="false"/>
      <entry key="preRefreshRule" value="icc-refresh-removeAttAssignments"/>
      <entry key="processTriggers" value="false"/>
      <entry key="promoteAttributes" value="true"/>
      <entry key="promoteManagedAttributes" value="false"/>
      <entry key="provision" value="true"/>
      <entry key="refreshCompositeApplications" value="false"/>
      <entry key="refreshGroups" value="false"/>
      <entry key="refreshIdentityEntitlements" value="false"/>
      <entry key="refreshManagerStatus" value="true"/>
      <entry key="refreshRoleMetadata" value="false"/>
      <entry key="refreshScorecard" value="false"/>
      <entry key="synchronizeAttributes" value="false"/>
      <entry key="taskCompletionEmailNotify" value="Disabled"/>
      <entry key="taskCompletionEmailRecipients"/>
      <entry key="taskCompletionEmailTemplate"/>
    </Map>
  </Attributes>
  <Description>Perform a full refresh of all the identities.</Description>
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" id="8a8b51e272cc4d830172cc50186001b0" name="Identity Refresh"/>
  </Parent>
</TaskDefinition>


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1747990571642" id="0a0bd24e96f41e618196fc5b6a7a15d5" language="beanshell" name="icc-refresh-removeAttAssignments">
  <Signature>
    <Inputs>
      <Argument name="log" type="org.apache.commons.logging.Log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context" type="sailpoint.api.SailPointContext">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
import sailpoint.object.Identity;

import java.util.ArrayList;

if (identity instanceof sailpoint.object.Identity) {
    identity.setAttributeAssignments(new ArrayList());
    context.saveObject(identity);
}


  </Source>
</Rule>
14

Until now, only the Hibernate.initialize(identity.getMitigationExpirations()); worked :frowning:
Alredy try to do everything you said

15

LazyInitializationException genrate for multiple reasons. For my case we saw when we are usingf stale data like identity object or any object you are using in your code that has old reference and we are using the same stale object into API, then we are getting this error.

We have to make sure to use latest object for processing.

16

@RIsidoro, try disabling the policy checking in the refresh task.
If that makes the problem go away, then turn policy checking back on and start disabling individual policies to narrow it down.

17

I have a policy just to check active policies and this happens to some users

2025-06-12T07:41:52,002 ERROR QuartzScheduler_Worker-4 sailpoint.object.LockInfo:448 - class sailpoint.object.Identity reached end of Refresh without lock: XXXXXXX
2025-06-12T07:41:52,017 ERROR QuartzScheduler_Worker-4 sailpoint.task.IdentityRefreshExecutor:1624 - RefreshWorker 1 exception: failed to lazily initialize a collection of role: sailpoint.object.Identity.mitigationExpirations, could not initialize proxy - no Session
org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Identity.mitigationExpirations, could not initialize proxy - no Session
at org.hibernate.collection.internal.AbstractPersistentCollection.throwLazyInitializationException(AbstractPersistentCollection.java:606) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:218) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:585) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:149) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
at org.hibernate.collection.internal.PersistentList.iterator(PersistentList.java:155) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
at sailpoint.api.Interrogator.checkMitigation(Interrogator.java:699) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Interrogator.interrogate(Interrogator.java:666) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Interrogator.interrogate(Interrogator.java:635) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Identitizer.finishRefresh(Identitizer.java:2914) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Identitizer.refresh(Identitizer.java:2472) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor$RefreshWorker.refreshAndProcess(IdentityRefreshExecutor.java:1585) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor$RefreshWorkerPool.queue(IdentityRefreshExecutor.java:1903) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor.refresh(IdentityRefreshExecutor.java:1106) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor.execute(IdentityRefreshExecutor.java:849) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:909) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:724) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]

18

It can be difficult to debug that as the exception is thrown a while after things went wrong.
Disabling the policies is a good way to narrow down where the problem is originating.

19

its on check active policies. but only if I specify the ones I want to run. If I put all its ok.
And its with like 3 or 4 users always diffrent ones

20

Getting same error when trying to run a policy. Did adding that code help you? Where do you add that code, in the rule?
Hibernate.initialize(identity.getMitigationExpirations());

21

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.