Multi-Valued attribute in provisioning plan - not working

Hello,

I have a Web Services source and can aggregate accounts successfully.
I created a Provisioning Plan/Policy and it is working for single-value String attributes, but it is not working (parsing) multi-valued attributes. It is only getting the first value.

Any idea what I am missing or how I can get it to work?

Thank you

Details:

My Provisioning Policy POST /beta/sources/<sourceID>/provisioning-policies

...
"usageType": "UPDATE",
"fields": [
    {
        "name": "companyName",
        "transform": {
            "type": "accountAttribute",
            "attributes": {
                "attributeName": "companyName",
                "sourceName": "mySource"
            }
        },
        "attributes": {},
        "isRequired": true,
        "type": "string",
        "isMultiValued": false
    },
    {
        "name": "roles",
        "transform": {
            "type": "accountAttribute",
            "attributes": {
                "attributeName": "roles",
                "sourceName": "mySource"
            }
        },
        "attributes": {},
        "isRequired": true,
        "type": "string",
        "isMultiValued": true
    }
]

In my Before Operation connector rule:

// Log every attribute request in the plan together with the runtime type of its value
for (AccountRequest accReq : Util.iterate(provisioningPlan.getAccountRequests())) {
    for (ProvisioningPlan.AttributeRequest attReq : Util.iterate(accReq.getAttributeRequests())) {
        log.error(logPrefix + "attReq: " + attReq.getName() + " => " + attReq.getValue() + " (" + attReq.getValue().getClass() + ")");
    }
}

Looking at the account in IDN - GET beta/accounts/<accountID>

        "companyName": "myCompany",
        "roles": [
            "my_role:18",
            "my_role:33",
            "my_role:23"
        ]

In the ccg.log, I can see companyName (type String), but roles I see only the first value (printed out by the Before Operation rule)

"WSBO - attReq: companyName => myCompany (class java.lang.String)"
"WSBO - attReq: roles => my_role:18 (class java.lang.String)"

Hi @jrossicare I think you have to mark the role attribute as multivalued in account schema. Please let me know if it works. Thanks.

Hi Shantha

I have it marked in the account schema as multi-valued, but the type there is "role" (not string) as it is an entitlement type. I wonder if that would make a difference - it shouldn't I would think

Hi Shantha

I tried it out with attribute of type 'string' and having multi-valued checked in account schema. It is still passing the first value only.

Thanks for the suggestion. Good to rule out possibilities.

Hi Jason,

Looks like you are missing the cloudDelimiter attribute in the JSON.

You will need to specify how the delimited values are parsed:

This is how the account profile would look:

1 Like

Thanks @jesvin90 I will give that a go

Hi @jesvin90,

Where does

"attributes": {
    "cloudDelimiter": ","
}

go? In the provisioning policy?


I hope I'm not delivering bad news because I have the exact use case but the transforms page does give caution to using account attribute type in provisioning policies :man_facepalming:

Hi Austin,

I can use account attributes in the provisioning policy - just not multi-valued attributes.

Single valued all work fine.

@jrossicare, has the solution from Jesvin worked for you by any chance?
If yes, can you detail out on how?

Right. I haven't got multivalued to work either. Just pointing out that SailPoint has a warning against using accountAttribute in provisioning, even though it does appear to work for single value attributes.

Pass Non-Provisioned Attributes from Before Provision rule to Connector Rules - Blog / Blog Posts - SailPoint Developer Community Forum

Check out Scenario #3 regarding the use case for WebService Connector

I was planning to go this route and happened to come across this article. Fingers crossed.

Hi Arshad,
No, it didn't work for me.

The way I have currently got it working is to use a WebServicesClient from within the Before Operation connector rule, to connect to IDN and read the account

I based this on the work by Fernando in Reverse entitlement aggregation for Web Services connector - IdentityNow (IDN) / IDN Show and Tell - SailPoint Developer Community Forum

Excuse my terrible coding, but this is the relevant part

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import sailpoint.connector.webservices.WebServicesClient;

// Reads the account from IDN (filtered by source id and native identity) and returns the raw JSON response
String getJSONEntitlements(String url, String accessToken, String appId, String nativeId) throws Exception {
    //log.error(logPrefix + "WSlookup - start getJSONEntitlements");
    WebServicesClient client = new WebServicesClient();
    Map args = new HashMap();
    Map header = new HashMap();
    List allowedStatuses = new ArrayList();
    String request = String.format("%s/beta/accounts?filters=sourceId eq \"%s\" and nativeIdentity eq \"%s\"", url, appId, nativeId);
    log.error(logPrefix + "WSlookup - request: " + request);
    args.put(WebServicesClient.ARG_URL, request);
    header.put("Authorization", String.format("Bearer %s", accessToken));
    allowedStatuses.add("200");
    client.configure(args);
    try {
        String response = client.executeGet(request, header, allowedStatuses);
        //log.error(logPrefix + "WSlookup - getJSONEntitlements - returning response");
        return response;
    } catch (Exception e) {
        // Keep the original exception as the cause so the stack trace is not lost
        throw new Exception(String.format("WSlookup Entitlements collection call failed: %s", e.getMessage()), e);
    }
}


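JsonArray roles33 = new JsonArray();
String nativeIdentity = accReq.getNativeIdentity();
log.error(logPrefix + "Looking up existing roles and groups of user: " + nativeIdentity);
String idnAccount = getJSONEntitlements(IDN_URL, ACCESS_TOKEN, APP_ID, nativeIdentity);
JsonParser parser = new JsonParser();
JsonArray jsonArray2 = parser.parse(idnAccount).getAsJsonArray();
// The lookup returns an array; stop with a clear error if no account matched
if (jsonArray2.size() == 0) {
    throw new Exception("WSlookup - no account found for nativeIdentity: " + nativeIdentity);
}
JsonObject idnAccountJson = jsonArray2.get(0).getAsJsonObject();
//log.error(logPrefix + "idnAccountJson: " + idnAccountJson.toString());
JsonObject attributes = idnAccountJson.getAsJsonObject("attributes");
// Leave roles33 as an empty array when the account has no roles attribute
if (attributes != null && attributes.has("roles")) {
    roles33 = attributes.getAsJsonArray("roles");
}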

1 Like
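
A hardened form of the lookup in the post above, as an added example that is not code from the thread or from SailPoint: it refuses ids that would end the quoted filter literal early instead of interpolating them as-is, and requires exactly one account in the response before reading `roles`. The class and method names, the placeholder source id and the sample response are constructed for illustration; Gson is assumed to be on the classpath, as in the posted rule.

```java
import com.google.gson.*;
import java.util.*;

public class AccountLookupGuards {
    // Hypothetical helper: reject values that cannot sit safely inside a double-quoted filter literal.
    static String literal(String name, String value) {
        if (value == null || value.isEmpty()) throw new IllegalArgumentException(name + " is empty");
        for (char c : value.toCharArray())
            if (c == '"' || c == '\\' || Character.isISOControl(c))
                throw new IllegalArgumentException(name + " has a character not allowed in a filter literal");
        return value;
    }

    // Same filter text as the posted rule, built only from validated values.
    static String buildFilter(String sourceId, String nativeId) {
        return String.format("sourceId eq \"%s\" and nativeIdentity eq \"%s\"",
                literal("sourceId", sourceId), literal("nativeIdentity", nativeId));
    }

    // Fails closed on zero or several matches; accepts roles as an array or a single string.
    static List<String> extractRoles(String responseBody) {
        JsonArray accounts = new JsonParser().parse(responseBody).getAsJsonArray();
        if (accounts.size() != 1)
            throw new IllegalStateException("expected exactly 1 account, got " + accounts.size());
        JsonObject attrs = accounts.get(0).getAsJsonObject().getAsJsonObject("attributes");
        JsonElement raw = (attrs == null) ? null : attrs.get("roles");
        List<String> roles = new ArrayList<>();
        if (raw == null || raw.isJsonNull()) return roles;   // account has no roles attribute
        if (raw.isJsonArray()) {
            for (JsonElement e : raw.getAsJsonArray()) roles.add(e.getAsString());
        } else {
            roles.add(raw.getAsString());                    // single value delivered as a plain string
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample response in the shape the thread shows for GET beta/accounts
        String body = "[{\"attributes\":{\"companyName\":\"myCompany\","
                + "\"roles\":[\"my_role:18\",\"my_role:33\",\"my_role:23\"]}}]";
        System.out.println(buildFilter("SOURCE_ID_PLACEHOLDER", "jdoe"));
        System.out.println(extractRoles(body));
        try {
            buildFilter("SOURCE_ID_PLACEHOLDER", "j\"doe");  // constructed value containing a quote
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting such values, rather than escaping them, avoids depending on the API's escaping rules, which the thread does not state.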

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.