LazyInitializationException

RIsidoro · May 26, 2025, 8:38pm

Which IIQ version are you inquiring about?8.2

Hello all
I have a sod policy run the task check active policy, the policy is activated and a rule runs. this rule should remove a salesforce permissionsetgroup.
And in fact the permission is removed but I have the error in the task


An unexpected error occurred: org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Identity.mitigationExpirations, could not initialize proxy - no Session

logs:

025-05-26T21:30:33,579 ERROR QuartzScheduler_Worker-1 sailpoint.object.LockInfo:448 - class sailpoint.object.Identity reached end of Refresh without lock: E909441
2025-05-26T21:30:33,579 ERROR QuartzScheduler_Worker-1 sailpoint.task.IdentityRefreshExecutor:1624 - RefreshWorker 1 exception: failed to lazily initialize a collection of role: sailpoint.object.Identity.mitigationExpirations, could not initialize proxy - no Session
org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Identity.mitigationExpirations, could not initialize proxy - no Session
	at org.hibernate.collection.internal.AbstractPersistentCollection.throwLazyInitializationException(AbstractPersistentCollection.java:606) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:218) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:585) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:149) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at org.hibernate.collection.internal.PersistentList.iterator(PersistentList.java:155) ~[hibernate-core-5.4.27.Final.jar:5.4.27.Final]
	at sailpoint.api.Interrogator.checkMitigation(Interrogator.java:699) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.Interrogator.interrogate(Interrogator.java:666) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.Interrogator.interrogate(Interrogator.java:635) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.Identitizer.finishRefresh(Identitizer.java:2914) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.Identitizer.refresh(Identitizer.java:2472) ~[identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.task.IdentityRefreshExecutor$RefreshWorker.refreshAndProcess(IdentityRefreshExecutor.java:1585) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.task.IdentityRefreshExecutor$RefreshWorkerPool.queue(IdentityRefreshExecutor.java:1903) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.task.IdentityRefreshExecutor.refresh(IdentityRefreshExecutor.java:1106) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.task.IdentityRefreshExecutor.execute(IdentityRefreshExecutor.java:849) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.TaskManager.runSync(TaskManager.java:909) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.api.TaskManager.runSync(TaskManager.java:724) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]

Code:



 Identity identity = context.getObjectByName(Identity.class, identity.getName());
    
    List links = identity.getLinks();
    
    for(Link l: links){
     
      if(l.getApplicationName().equalsIgnoreCase(applicationName)){
       
        nativeId = l.getNativeIdentity();
        
      }
      
    }
    
    
    
    AccountRequest accountRequest = new AccountRequest();
    accountRequest.setApplication(applicationName);
    accountRequest.setOperation(AccountRequest.Operation.Modify);
    accountRequest.setNativeIdentity(nativeId);
    
   
    //AccountRequest accountRequest = new AccountRequest(AccountRequest.Operation.Modify, applicationName, null,nativeId);

    
    
    for (String psg : permissionSetGroupToRemove) {

      AttributeRequest attrRequest = new AttributeRequest(entitlementName, ProvisioningPlan.Operation.Remove,psg);
      
    

      attrRequest.put("preferRemoveOverRetain","true");
      attrRequest.put("assignment","true");

      accountRequest.add(attrRequest);
      
    }

    plan.add(accountRequest);
		
    log.debug("CGD_Rule_SOD_Policy_SALESFORCE_Action_By_Alerts:: Executing Provisioning..."); 
    
        log.debug("CGD_Rule_SOD_Policy_SALESFORCE_Action_By_Alerts:: Executing PLAN..." + plan.toXml());
    
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
    ```

pattabhi · May 27, 2025, 3:24am

Hi @RIsidoro

Ensure your IdentityIQ 8.2 installation has all the latest recommended patches.

paul_hilchey · May 27, 2025, 6:10am

Hi @RIsidoro, is your policy launching a workflow? If so, is the workflow running in the foreground or background?

RIsidoro · May 27, 2025, 10:12am

yes , and the issue remains on 8.4

RIsidoro · May 27, 2025, 10:12am

No the task runs a rule

ipobeidi · May 27, 2025, 2:03pm

Bro stop using chat gpt of any LLM for the answers , omg

ipobeidi · May 27, 2025, 2:04pm

This basicly means your are initializing a object using a lazy relation. just add a line after the for Link link = l; and that should be fixed.

RIsidoro · May 27, 2025, 3:00pm

I try that. Issue remains…

I try adding Hibernate.initialize(identity.getMitigationExpirations());
And it solves but i am not sure about impacts

ipobeidi · May 27, 2025, 3:31pm

JKust noted that is complaining about the Roles, did you initialized the List?

pattabhi · May 27, 2025, 11:45pm

You’re right to be cautious about adding.

"Hibernate.initialize(identity.getMitigationExpirations()); "

Monitor Performance: After implementing this, closely monitor the execution time of your SOD policy task and the overall performance of your IdentityIQ instance (database CPU, memory, task queue depth). If you see a significant slowdown or resource spike, you might need to revert and escalate to SailPoint support.

Forcing initialization within your rule is often a band-aid rather than the ideal solution.
(or)
Forcing initialization might mask it rather than truly resolving it.

When is Hibernate.initialize() Acceptable?
Hibernate.initialize() is acceptable when: You absolutely need that specific collection immediately after loading the object and before the session might close.
The performance impact is negligible (e.g., your task processes only a very small number of identities, or the collection itself is almost always empty or very small).

Re-evaluate the "LockInfo" error:
2025-05-26T21:30:33,579 ERROR QuartzScheduler_Worker-1 sailpoint.object.LockInfo:448 - class sailpoint.object.Identity reached end of Refresh without lock: E909441

The above error message is very concerning. It implies that the Identity object E909441 (the one causing the LazyInitializationException) wasn’t handled correctly during its refresh lifecycle, specifically regarding its lock. This could indicate a problem with how IdentityIQ processes that specific identity, possibly due to corrupted data, a stuck process, or a bug.

Manual Refresh: Try running a standalone Identity Refresh task for only this specific identity:E909441
Does it complete successfully without the LazyInitializationException or the LockInfo error?

Consider SailPoint Support:
If the LockInfo error and LazyInitializationException persist for this identity, and especially if it occurs for multiple identities, this warrants a support ticket with SailPoint.

paul_hilchey · May 28, 2025, 4:42am

What arguments are you setting on the task? Can you share the task definition?

RIsidoro · May 28, 2025, 9:57am

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition created="1747990598922" id="0a0bd24e96f41e618196fc5bd50a15d8" modified="1748425810899" name="Refresh Identity Cube - Remove AttAssignments" resultAction="Rename" subType="task_item_type_identity" type="Identity">
  <Attributes>
    <Map>
      <entry key="TaskDefinition.runLengthAverage" value="2"/>
      <entry key="TaskDefinition.runLengthTotal" value="163"/>
      <entry key="TaskDefinition.runs" value="81"/>
      <entry key="TaskSchedule.host"/>
      <entry key="checkHistory" value="false"/>
      <entry key="checkPolicies" value="true"/>
      <entry key="correlateEntitlements" value="true"/>
      <entry key="correlateScope" value="false"/>
      <entry key="deleteDormantGroups" value="false"/>
      <entry key="disableIdentityProcessingThreshold" value="false"/>
      <entry key="disableManagerLookup" value="false"/>
      <entry key="doManualActions" value="false"/>
      <entry key="enableManualAccountSelection" value="false"/>
      <entry key="enablePartitioning" value="false"/>
      <entry key="excludeInactive" value="false"/>
      <entry key="filterNeedsRefresh" value="false"/>
      <entry key="forceWorkflow" value="false"/>
      <entry key="includeWindowModified" value="false"/>
      <entry key="keepInactiveViolations" value="false"/>
      <entry key="markDormantScopes" value="false"/>
      <entry key="noAutoCreateScopes" value="false"/>
      <entry key="noMaintenanceWindowRetry" value="false"/>
      <entry key="noResetNeedsRefresh" value="false"/>
      <entry key="noRoleDeprovisioning" value="false"/>
      <entry key="preRefreshRule" value="icc-refresh-removeAttAssignments"/>
      <entry key="processTriggers" value="false"/>
      <entry key="promoteAttributes" value="true"/>
      <entry key="promoteManagedAttributes" value="false"/>
      <entry key="provision" value="true"/>
      <entry key="refreshCompositeApplications" value="false"/>
      <entry key="refreshGroups" value="false"/>
      <entry key="refreshIdentityEntitlements" value="false"/>
      <entry key="refreshManagerStatus" value="true"/>
      <entry key="refreshRoleMetadata" value="false"/>
      <entry key="refreshScorecard" value="false"/>
      <entry key="synchronizeAttributes" value="false"/>
      <entry key="taskCompletionEmailNotify" value="Disabled"/>
      <entry key="taskCompletionEmailRecipients"/>
      <entry key="taskCompletionEmailTemplate"/>
    </Map>
  </Attributes>
  <Description>Perform a full refresh of all the identities.</Description>
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" id="8a8b51e272cc4d830172cc50186001b0" name="Identity Refresh"/>
  </Parent>
</TaskDefinition>

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1747990571642" id="0a0bd24e96f41e618196fc5b6a7a15d5" language="beanshell" name="icc-refresh-removeAttAssignments">
  <Signature>
    <Inputs>
      <Argument name="log" type="org.apache.commons.logging.Log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context" type="sailpoint.api.SailPointContext">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
import sailpoint.object.Identity;

import java.util.ArrayList;

if (identity instanceof sailpoint.object.Identity) {
    identity.setAttributeAssignments(new ArrayList());
    context.saveObject(identity);
}


  </Source>
</Rule>

RIsidoro · May 29, 2025, 9:28am

Until now, only the Hibernate.initialize(identity.getMitigationExpirations()); worked
Alredy try to do everything you said