Multiple values are being passed from SailPoint to Active Directory

Hi All,

Hope all are doing well. I am working on a project (Robotic ID creation) where an ID should be created in AD from SailPoint IIQ automatically with some attributes (with license assignment). We have created a new Quick Link and Form. As per the business requirement, we have created a plan and are sending attribute values from the workflow. But some attributes are being sent twice from SailPoint to AD: once from the provisioning form (policy) which was already configured during the AD integration, and once from the plan we created for this particular project. Therefore we are getting an error stating “Exception occurred while executing the RPCRequest: Errors returned from IQService. Unable to cast object of type ‘System.Collections.ArrayList’ to type ‘System.String’… HRESULT:[0x80004002]”.

The main goal is to send attribute values from the plan only (no duplicates). Could anyone please help here to stop sending values from the provisioning policies and send them from the plan?

Note : We are trying to capture “current” values in provisioning policies, but no luck.

Please find the attachments for your reference.



Quick help here will really be appreciated.

Thank you.

Regards,
Venu

If you have the provisioning policy in place, why are you creating the provisioning plan from the workflow?

If there are some specific or additional attributes that need to be provisioned as part of this project, then you should prepare only those from the workflow.

Great question :). They are assigning a default license from the Provisioning Policies (PP) for regular users using the extensionAttribute1 attribute. But for “Digital Worker/Robotic ID Users” the license will be assigned based on the details filled in by the user in the form. The examples are below.

Note : extensionAttribute1 is already in use in PP. Please advise

e) Do you need MS Office Suite? Y or N
Question: If Y/N, what value [value] needs to be sent to the [attribute] attribute in Active Directory.?
f) Do you need Email? Y or N
Question: If Y/N, what value [value] needs to be sent to the [attribute] attribute in Active Directory.?

YY → EA1 - M365-LICENSE:E3-EXO
YN → EA1 - M365-LICENSE:E3-AFE
NY → EA1 - M365-LICENSE:EXOP2
NN → EA1 – null && Identity attribute Employee type = “nonotes”

I hope I answered your question. Thanks.

Regards,
Venu

++Addition to above

We have to overwrite extensionAttribute1 and employeeType to “DigitalWorker” instead of “PSTD” in Provisioning Policies(PP). Please advise. Thanks.

Hi @Venu1010 ,

In the provisioning policy, add a condition as follows: if the account is a bot account, then set the extensionAttribute1 and employeeType to an empty string. You can refer to the provided code and develop the logic according to your specific requirements.

 <Field displayName="License" name="extensionAttribute1" type="string">
   <Script>
     <Source>
       import sailpoint.object.ProvisioningPlan.AccountRequest;

       // accountRequest is available to provisioning policy field scripts; it is
       // null/void when the form is evaluated outside of a provisioning request.
       if (null != accountRequest &amp;&amp; void != accountRequest) {
           // Placeholder bot-account test. The thread identifies robotic IDs by the
           // DN prefix "cn=dw"; replace this with whatever marks a bot account for you.
           String dn = accountRequest.getNativeIdentity();
           if (null != dn &amp;&amp; dn.toLowerCase().startsWith("cn=dw")) {
               return "";   // bot account: let the plan built by the workflow supply the value
           }
       }
       return "license";   // replace with the default license value for a regular user
     </Source>
   </Script>
 </Field>

It will then take the values from the provisioning plan.

Regards,
Arun

They are not validating employeeType for Digital IDs in Provisioning Policies(PP).
I think we first have to validate that before sending the extensionAttribute1 value.

Please find the screenshot below for reference.

@Venu1010

Handle this in your Before Provisioning rule, this way.

Add a dummy AttributeRequest in your workflow, let's say with the name “botRequest” and the value “yes”.

In your Before Provisioning rule, check whether this AttributeRequest exists. If it exists, remove the extensionAttribute1 values coming from the provisioning policy, set them as per your form values, and set the AttributeRequest for extensionAttribute1 accordingly.

Make sure you remove the dummy AttributeRequest from the plan before returning the plan.

Update the employeeType and extensionAttribute1 logic in the provisioning policy to set an empty string for bot accounts.

        <Field displayName="employeeType" name="employeeType" type="string">
          <Script>
            <Source>
              import sailpoint.object.ProvisioningPlan.AccountRequest;

              // Robotic (Digital Worker) accounts are recognised by the DN prefix "cn=dw".
              // For them return "" so that the value from the workflow's plan is used.
              if (null != accountRequest &amp;&amp; void != accountRequest) {
                  String nativeIdentity = accountRequest.getNativeIdentity();
                  if (null != nativeIdentity &amp;&amp; nativeIdentity.toLowerCase().startsWith("cn=dw")) {
                      return "";
                  }
              }
              // Regular users keep the existing behaviour: employeeType comes from the identity.
              return identity.getAttribute("EMPLOYEE_TYPE");
            </Source>
          </Script>
        </Field>

        <Field displayName="license" name="extensionAttribute1" type="string">
          <Script>
            <Source>
              import sailpoint.object.ProvisioningPlan.AccountRequest;

              // Same bot-account test as for employeeType: an empty string for "cn=dw" accounts
              // so the license chosen on the form (and carried in the plan) is what gets sent.
              if (null != accountRequest &amp;&amp; void != accountRequest) {
                  String nativeIdentity = accountRequest.getNativeIdentity();
                  if (null != nativeIdentity &amp;&amp; nativeIdentity.toLowerCase().startsWith("cn=dw")) {
                      return "";
                  }
              }
              return "license";   // replace with the actual default license logic for normal users
            </Source>
          </Script>
        </Field>
		
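The reply above describes the procedure (marker AttributeRequest from the workflow, Before Provisioning rule that collapses the policy-generated duplicates, marker stripped before the plan is returned) but does not show the rule itself. The following is an added example written for this page in BeanShell (Java syntax, as IIQ rules are); it is not code from the thread or from SailPoint. Only the convention "botRequest" = "yes" comes from the reply. The companion marker names `botLicense` and `botEmployeeType`, the application name "Active Directory", the sample DN and the idea of carrying the form-derived values inside the marker requests are assumptions made here. It also goes slightly beyond the reply by handling the NN case from the form table (no license at all) and by leaving non-bot accounts untouched so the same rule can stay attached to the application for regular users.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Marker attribute names. "botRequest" = "yes" is the convention from the reply above; the two
// companion names and the application name are assumptions for this example.
String BOT_MARKER   = "botRequest";
String BOT_LICENSE  = "botLicense";        // extensionAttribute1 value chosen on the form
String BOT_EMP_TYPE = "botEmployeeType";   // employeeType for the robotic ID
String AD_APP_NAME  = "Active Directory";

// Workflow side: map the two Y/N form answers to the extensionAttribute1 value (table from the
// thread). NN returns null, meaning "send no license attribute at all".
String licenseFor(String office, String email) {
    boolean o = "Y".equalsIgnoreCase(office);
    boolean e = "Y".equalsIgnoreCase(email);
    if (o && e)  return "M365-LICENSE:E3-EXO";
    if (o && !e) return "M365-LICENSE:E3-AFE";
    if (!o && e) return "M365-LICENSE:EXOP2";
    return null;
}

// Workflow side: build the AD Create request. The marker requests tell the Before Provisioning
// rule that this is a robotic ID and carry the values it must enforce.
AccountRequest buildRoboticAccountRequest(String dn, String office, String email) {
    AccountRequest acct = new AccountRequest();
    acct.setApplication(AD_APP_NAME);
    acct.setOperation(AccountRequest.Operation.Create);
    acct.setNativeIdentity(dn);
    acct.add(new AttributeRequest(BOT_MARKER, ProvisioningPlan.Operation.Set, "yes"));
    acct.add(new AttributeRequest(BOT_LICENSE, ProvisioningPlan.Operation.Set, licenseFor(office, email)));
    acct.add(new AttributeRequest(BOT_EMP_TYPE, ProvisioningPlan.Operation.Set, "DigitalWorker"));
    return acct;
}

// Remove every AttributeRequest named 'name' (the policy may have added one beside the workflow's).
void removeAll(AccountRequest acct, String name) {
    List reqs = acct.getAttributeRequests();
    if (reqs == null) return;
    List doomed = new ArrayList();   // collect first, then remove, to avoid modifying while iterating
    for (Iterator it = reqs.iterator(); it.hasNext();) {
        AttributeRequest r = (AttributeRequest) it.next();
        if (name.equals(r.getName())) doomed.add(r);
    }
    for (Iterator it = doomed.iterator(); it.hasNext();) {
        acct.remove((AttributeRequest) it.next());
    }
}

Object valueOf(AccountRequest acct, String name) {
    AttributeRequest r = acct.getAttributeRequest(name);
    return (r == null) ? null : r.getValue();
}

// Before Provisioning rule body. In the real rule the inputs are 'plan' and 'application' and the
// last line is: return beforeProvisioning(plan);
ProvisioningPlan beforeProvisioning(ProvisioningPlan plan) {
    List accounts = plan.getAccountRequests();
    if (accounts == null) return plan;
    for (Iterator it = accounts.iterator(); it.hasNext();) {
        AccountRequest acct = (AccountRequest) it.next();
        if (!AD_APP_NAME.equals(acct.getApplication())) continue;
        if (!"yes".equals(valueOf(acct, BOT_MARKER))) continue;   // regular user: keep policy values

        Object license = valueOf(acct, BOT_LICENSE);
        Object empType = valueOf(acct, BOT_EMP_TYPE);

        // Collapse to exactly one value per single-valued AD attribute. Two Set requests for the
        // same attribute is what the thread's ArrayList -> String cast error in IQService points at.
        removeAll(acct, "extensionAttribute1");
        if (license != null && !"".equals(license)) {
            acct.add(new AttributeRequest("extensionAttribute1", ProvisioningPlan.Operation.Set, license));
        }
        removeAll(acct, "employeeType");
        if (empType != null) {
            acct.add(new AttributeRequest("employeeType", ProvisioningPlan.Operation.Set, empType));
        }

        // Strip the marker requests so no bot* attribute ever reaches IQService / AD.
        removeAll(acct, BOT_MARKER);
        removeAll(acct, BOT_LICENSE);
        removeAll(acct, BOT_EMP_TYPE);
    }
    return plan;
}

// Self-check with constructed input: the workflow's request plus a policy-style duplicate for EA1.
ProvisioningPlan plan = new ProvisioningPlan();
AccountRequest acct = buildRoboticAccountRequest("CN=DW-bot01,OU=Robots,DC=example,DC=com", "Y", "N");
acct.add(new AttributeRequest("extensionAttribute1", ProvisioningPlan.Operation.Set, "M365-LICENSE:DEFAULT"));
plan.add(acct);
beforeProvisioning(plan);
// Afterwards the account request holds one extensionAttribute1 (M365-LICENSE:E3-AFE),
// one employeeType (DigitalWorker) and no bot* requests.
```

Attach the rule as the application's Before Provisioning rule; the early `continue` on the marker check is what keeps regular-user provisioning unchanged. With this in place the policy fields do not need to return "" for bot accounts, because whatever they add for extensionAttribute1 and employeeType is discarded for flagged requests before the plan reaches IQService. The self-check block at the end is only for trying the logic in a BeanShell console and must be left out of the rule itself, where `plan` is an input.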

Hi All,

I want to do auditing for Robotic ID creation. Please advise whether auditing via a call method or by calling the Identity Request Finalize subprocess is better.

If you have any sample for it. could you please share with us.

Thank you.

Regards,
Venu

Hi

Add an additional step in your workflow to capture the audit. During this step, generate an audit event.

import sailpoint.server.Auditor;
import sailpoint.object.AuditEvent;

// Workflow step script. It assumes the step is passed these arguments:
//   source - String, who submitted the request (e.g. the launcher)
//   target - Identity object, the robotic identity being created
//   owner  - String, the owner captured on the form
String auditAction = "Robotic ID creation Request Submitted";

AuditEvent event = new AuditEvent();
event.setAction(auditAction);
event.setSource(source);
event.setTarget(target.getName());
event.setString1(owner);
event.setString2("Quick Link: Robotic ID creation");   // setString2 needs a String; any extra context
Auditor.log(event);
context.commitTransaction();

// Add the custom action to the AuditConfig actions list so it can be searched in Advanced Analytics.
