Native identity is neither present in the plan nor in the response in IIQ

Hi All,

In this one I will discuss one important use case and error that we get while provisioning an account to the target application.

Consider there is an application that contains the schema UserID as an Identity Attribute and UserName as a Display Attribute. So, when SailPoint is creating an account link, IIQ sets the native identity with the value we have in UserID while aggregating. The UserID contains a unique value and is getting generated whenever a new record/account is created at their side. They have internal logic, and that is the only attribute that is unique for the application side.

Now, I am provisioning an account with any operation like manage account, manage user access, or role. I have a set of account attributes defined in the create provisioning policy form, like firstName and lastName etc. Among them, UserID is missing, and we don’t have the value we have to pass as part of creation because this UserID value will be generated dynamically once the account or record is created in the application. So, now if you try to create the account without the value, then SailPoint will throw the error called “Native identity is neither present in the plan nor in the response”.

This means that the native identity is missing in the plan generated while creating the account. IIQ expects to have the native identity in the plan in order to compile and execute it. So, set the native identity explicitly, using the application's before provisioning rule, on the AccountRequest that is in the plan.

  import java.util.List;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.object.ProvisioningPlan.ObjectOperation;

  List accRequests = plan.getAccountRequests( application.getName() );
  for ( AccountRequest accReq : accRequests )
  {
    // setting the nativeidentity while creating account
    if ( accReq.getOp() == ObjectOperation.Create )
    {
      if ( null == accReq.getNativeIdentity() )
      {
        // UserName is the display attribute; it only serves as a temporary key
        // until the next aggregation replaces it with the target-generated UserID
        AttributeRequest userNameReq = accReq.getAttributeRequest( "UserName" );
        if ( userNameReq != null && userNameReq.getValue( context ) != null )
        {
          String nativeId = userNameReq.getValue( context ).toString();
          accReq.setNativeIdentity( nativeId );
        }
        // accReq came from plan.getAccountRequests(), so it is already part of
        // the plan; there is no need to add it again
      }
    }
  }

Basically, what this rule does is check, while creating an account, whether the AccountRequest has a native identity or not. If not, it sets the native identity on the AccountRequest (with userName in my case; it may vary in your case).

The account will be created without any error now. After account creation is done, in the next aggregation task, SailPoint will take care of setting the UserID as the native identity instead of userName, because by that time the UserID has been generated in the native application, and SailPoint will override the value in the link with it.


Hi @bhanuprakashkuruva ,

I tried using this code in the before provisioning rule. The Native Identity warning is not coming anymore, but duplicate accounts are being created.

In my case, in the CREATE payload I am sending username, and that is being used in the application as id, and the response returns a UUID which is not there in the allUsers API.

While aggregating, they are using id as the NativeIdentity (which is what we are sending in the CREATE payload as username).

FYI, the .getUser (single user) API also uses username to get the user info.

How to avoid duplicate account creation?

CREATE request:
{username:abc,..email:abc@test.com,phoneNumber:121313}

CREATE response:

{uuid:32178212913}

allUsers API response:

{id:abc, ..active:active,email:abc@test.com}

I’d populate the native identity via the response that comes back from the connector in an after provisioning rule.
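The after-provisioning alternative suggested in the reply above, applied to the first post's schema (UserID generated by the target), as an added example that is not code from this thread or from SailPoint. It assumes the connector reports the new record in the ProvisioningResult's ResourceObject, with the generated value either as that object's identity or under the attribute named UserID, and that the rule receives the usual plan, application, result and log arguments.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningResult;
import sailpoint.object.ResourceObject;
import sailpoint.tools.Util;

// Schema identity attribute that the target generates on create and that the
// connector is ASSUMED to return in its response (UserID from the first post).
String identityAttr = "UserID";

List accRequests = plan.getAccountRequests(application.getName());
if (accRequests != null) {
  for (AccountRequest accReq : accRequests) {
    // Only Create requests can lack a native identity; Modify/Delete already carry one.
    if (accReq.getOp() != ObjectOperation.Create) continue;
    if (!Util.isNullOrEmpty(accReq.getNativeIdentity())) continue;

    // Prefer the per-request result; fall back to the plan-level "result" argument.
    ProvisioningResult res = accReq.getResult();
    if (res == null) res = result;
    if (res == null || !ProvisioningResult.STATUS_COMMITTED.equals(res.getStatus())) {
      // Nothing was committed at the target, so there is no generated key to take.
      continue;
    }

    ResourceObject obj = res.getObject();
    String generatedId = null;
    if (obj != null) {
      generatedId = obj.getIdentity();
      if (Util.isNullOrEmpty(generatedId)) {
        Object v = obj.getAttribute(identityAttr);
        if (v != null) generatedId = v.toString();
      }
    }
    if (Util.isNullOrEmpty(generatedId)) {
      // Leave the request untouched; the before-rule value (if any) is what IIQ will use.
      log.warn("Response for " + application.getName() + " carries no " + identityAttr);
      continue;
    }
    // Set the key on both the request and the returned object so the link is created
    // under the target-generated UserID and the next aggregation matches the same link.
    accReq.setNativeIdentity(generatedId);
    obj.setIdentity(generatedId);
  }
}
```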

Let me explain. In the application schema I have id, email, status, phoneNumber, which are present in the getAllUsers API.

When I do a CREATE with the payload, sending all the details (username, name, email, phoneNumber, etc.), in the response they send uuid (the GUID of the user), which is not used in the application schema attributes, as they are not sending uuid in the getAllUsers API response.

nativeIdentity is id, and it is nothing but the username which we are sending in the CREATE payload.

I tried adding that username to accReq from the plan. The warning “Native identity is neither present in the plan nor in the response” is not coming now, but two accounts are being created in the identity.

How to avoid this?

Are 2 accounts created at the application side or just in IIQ?

In IIQ only.

While updating the account, only one account is being updated.

I have a few questions:
Are you trying to create the account from Manage Accounts?
Is the user allowed to request multiple accounts for this application?

No, actually I am trying it using custom provisioning plan code.

So even if you try for a new user, 2 accounts get created for one API call?

Yes

While updating, one account is being updated, the one which has the last refresh date.


You can verify the plan in the before prov rule. There should be only 1 account request.

@aakashpandita

This is the code I am using in the before prov rule:

import java.util.List;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

List accRequests = plan.getAccountRequests(application.getName());
for (AccountRequest accReq : accRequests)
{
  // setting the nativeidentity while creating account
  if (AccountRequest.Operation.Create.equals(accReq.getOperation()))
  {
    if (null == accReq.getNativeIdentity())
    {
      AttributeRequest userName = accReq.getAttributeRequest("username");
      if (userName != null && userName.getValue() != null)
      {
        String nativeId = userName.getValue().toString();
        accReq.setNativeIdentity(nativeId);
      }
    }
  }
}

// temporary debug output of the whole plan
log.error("The before plan is:::" + plan.toXml());

Can you share what plan is getting printed at the end?

before plan.txt (1.2 KB)

It is one Account request only. I just added the native identity to avoid this warning: “Native identity is neither present in the plan nor in the response”.

<ProvisioningResult status="committed"/>

Why is the above line coming in the plan? This line generally comes in the after provisioning rule once the status is committed.
Are you getting this in the before prov rule?

@aakashpandita ,

Sorry for the wrong plan I sent. Please check now in the attached file.

before plan.txt (1.2 KB)