Which IIQ version are you inquiring about?
Version 8.3
Share all details related to your problem, including any error messages you may have received.
Hello,
I’ve been testing the LogiPlex connector, and I’m getting an error on the CompositeRemediation Rule for Access Request for entitlements of Sub-Applications.
I converted the AD application to LogiPlex and created a new Sub-Application with the LogiPlex connector. The CompositeRemediation works for operations involving only AD, and the groups belonging to the Sub-Application seem to be fine.
But when I try to make an Access Request for an Entitlement of the Sub-Application, I get the following error:
The CompositeRemediation rule validates the operation being made and, at the end, makes the following call:
ProvisioningPlan newPlan = ((LogiPlexConnector) connector).runDefaultProvisioningMergeLogic(plan, plan, identity, true, masterConnector);
I checked the variables passed to the method, and none of them are null. Do you have any idea why the NullPointerException is being thrown?
Edit: As requested, here is the full rule:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Rule-CompositeRemediation-ADLogiplex" type="CompositeRemediation">
  <Description>This rule is called when provisioning needs to be performed against logical accounts. It gets the plan built up by the plan compiler and the rule needs to return a list of Plans to fan out the request across all tiers.</Description>
  <Signature returnType="ProvisioningPlan">
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="application">
        <Description>
          The application associated with the connector.
        </Description>
      </Argument>
      <Argument name="identity">
        <Description>
          The Identity object that is going to be remediated.
        </Description>
      </Argument>
      <Argument name="plan">
        <Description>
          The ProvisioningPlan created against the logical application.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="provisioningPlan">
        <Description>
          A converted provisioning plan that targets the applications
          that make up the logical application.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source><![CDATA[
import sailpoint.object.ProvisioningPlan;
import sailpoint.api.IdentityService;
import sailpoint.api.SailPointContext;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.services.standard.connector.LogiPlexConnector;
import java.util.List;

// connector, masterConnector and masterApplication are used below but are not
// declared in the Signature above; the rule relies on them being bound at runtime.
log.error("[CompositeRemediation-ADLogiplex] Start");

List accountsReq = plan.getAccountRequests();
if (accountsReq != null && !accountsReq.isEmpty()) {
  for (ProvisioningPlan.AccountRequest accReq : accountsReq) {
    // A request without an explicit operation would throw a NullPointerException on
    // toString(). It is validated as a Modify here (assumption) so that it still
    // goes through the attribute allow-list below.
    Object op = accReq.getOperation();
    String accOperation = (op != null) ? op.toString() : "Modify";
    String accApplication = accReq.getApplication();

    // Account deletion is never allowed through this rule.
    if ("Delete".equals(accOperation)) {
      throw new Exception("Error, operation: " + accOperation + " is not allowed");
    }

    // Create is rejected on the master application, and on a sub-application
    // unless the identity already has an account on the master application.
    if ("Create".equals(accOperation)) {
      if (masterApplication.getName().equals(accApplication)) {
        throw new Exception("Error, operation: " + accOperation + " is not allowed");
      } else {
        IdentityService iS = new IdentityService(context);
        List idLinks = iS.getLinks(identity, masterApplication);
        if (idLinks != null && !idLinks.isEmpty()) {
          log.debug("Already has an account in the Master App.");
        } else {
          throw new Exception("Error, operation: " + accOperation + " is not allowed");
        }
      }
    }

    if ("Disable".equals(accOperation) || "Enable".equals(accOperation)) {
      throw new Exception("Error, operation: " + accOperation + " is not allowed");
    }

    if ("Lock".equals(accOperation) || "Unlock".equals(accOperation)) {
      throw new Exception("Error, operation: " + accOperation + " is not allowed");
    }

    // Modify is limited to the memberOf and accountExpires attributes.
    if ("Modify".equals(accOperation)) {
      List attributeReq = accReq.getAttributeRequests();
      // getAttributeRequests() can return null when the request carries no attributes.
      if (attributeReq != null) {
        for (ProvisioningPlan.AttributeRequest attReq : attributeReq) {
          String attName = attReq.getName();
          // Constant-first equals() so a null attribute name is rejected, not dereferenced.
          if (!("memberOf".equals(attName) || "accountExpires".equals(attName))) {
            throw new Exception("Error, operation: " + accOperation + " is not allowed for " + attName + " attribute");
          }
        }
      }
    }
  }
}

// Hand the validated plan to the LogiPlex default merge logic.
ProvisioningPlan newPlan = ((LogiPlexConnector) connector).runDefaultProvisioningMergeLogic(plan, plan, identity, true, masterConnector);
return newPlan;
]]></Source>
</Rule>