Hi All,
In this post I will discuss an important use case, and the error we get, when provisioning an account to a target application.
Consider an application whose schema has UserID as the identity attribute and UserName as the display attribute. When SailPoint creates an account link, IIQ sets the native identity to the UserID value it reads during aggregation. UserID holds a unique value that the application generates whenever a new record/account is created on its side. The application has its own internal logic for this, and UserID is the only attribute that is unique on the application side.
Now suppose I am provisioning an account through any operation, such as manage account, manage user access, or a role. The create provisioning policy form defines a set of account attributes such as firstName and lastName. UserID is not among them, and we have no value to pass for it at creation time, because the application generates UserID dynamically once the account or record is created. If you try to create the account without that value, SailPoint throws the error “Native identity is neither present in the plan nor in the response”.
This means the native identity is missing from the plan generated for the account creation. IIQ expects the native identity to be in the plan in order to compile and execute it. So, in the application's before provisioning rule, set the native identity explicitly on the AccountRequest in the plan.
import java.util.List;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;

// "plan", "application" and "context" are supplied to the before provisioning rule by IIQ.
List accRequests = plan.getAccountRequests( application.getName() );
if ( accRequests != null )
{
    for ( AccountRequest accReq : accRequests )
    {
        // Set the native identity only while creating an account that has none yet
        if ( accReq.getOp() == ObjectOperation.Create && null == accReq.getNativeIdentity() )
        {
            // UserName stands in as the native identity until the application generates UserID
            AttributeRequest userNameReq = accReq.getAttributeRequest("UserName");
            if ( userNameReq != null && userNameReq.getValue(context) != null )
            {
                String nativeId = userNameReq.getValue(context).toString();
                accReq.setNativeIdentity(nativeId);
                // plan.add(accReq); // not needed: accReq is already part of the plan
            }
        }
    }
}
Basically, while creating an account, this rule checks whether the AccountRequest has a native identity. If it does not, the rule sets the native identity on the AccountRequest (with userName in my case; it may vary in yours).
The account will now be created without any error. In the next aggregation task after the account is created, SailPoint takes care of setting the UserID as the native identity instead of userName: by that time the native application has generated the UserID, and SailPoint overrides the value in the link with it.
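A check to run after that aggregation, as an added example that is not part of the original post: this BeanShell rule body (for instance in a Run Rule task, where IIQ supplies `context`) lists the links on the application whose native identity is not yet the UserID. The application name `MyTargetApp` is a placeholder assumption; UserID and UserName are the schema attributes named above.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Assumption: placeholder application name, replace with your own.
String appName = "MyTargetApp";

QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", appName));

List stale = new ArrayList();
Iterator links = context.search(Link.class, qo);
try {
    while (links.hasNext()) {
        Link link = (Link) links.next();
        String nativeId = link.getNativeIdentity();
        Object userId   = link.getAttribute("UserID");
        Object userName = link.getAttribute("UserName");

        // Reconciled link: aggregation has set the native identity to UserID.
        if (userId != null && userId.toString().equals(nativeId)) {
            continue;
        }
        // Otherwise the link has no UserID yet or still carries the placeholder.
        boolean placeholder = userName != null && userName.toString().equals(nativeId);
        String owner = link.getIdentity() != null ? link.getIdentity().getName() : "(no identity)";
        stale.add(owner + " | nativeIdentity=" + nativeId
                  + " | UserID=" + userId
                  + (placeholder ? " | still the UserName placeholder" : ""));
    }
} finally {
    // Release the database cursor held by the search iterator.
    Util.flushIterator(links);
}
return stale;
```

An empty result means every link on the application already uses UserID as its native identity.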