Nested account provisioning queries assistance

Hi everyone,
I’m working on a search query to analyze account activity, specifically focusing on a designated source and particular attribute requests.

Objective

I want to retrieve all account activity for the source “SOURCE_EXAMPLE” where at least one attribute request includes an operation called “Remove” with the value “SPECIFIC_VALUE.”

Current Issue

The following query successfully returns results when there is only one attribute request:

@accountRequests(source.name:"SOURCE_EXAMPLE" AND attributeRequests.op:"Remove" AND attributeRequests.value:"SPECIFIC_VALUE")

However, it fails when the account activity contains an array of attribute requests.

Attempted Solution

To address this, I tried nesting the query:

@accountRequests(source.name:"SOURCE_EXAMPLE" AND @attributeRequests(op:"Remove" AND value:"SPECIFIC_VALUE"))

Unfortunately, this approach doesn’t produce the desired results; it always returns an empty list. However, when attempting this solution with the POST /v3/search endpoint, I am receiving a 400 Bad Request error, accompanied by the following response body:

{
    "detailCode": "400.1.3 Illegal value",
    "trackingId": "00a7872f7d184f8ebb6086ade6dd839b",
    "messages": [
        {
            "locale": "en-US",
            "localeOrigin": "DEFAULT",
            "text": "Illegal value \"attributeRequests\" for field \"nested keyword\"."
        },
        {
            "locale": "und",
            "localeOrigin": "REQUEST",
            "text": "Illegal value \"attributeRequests\" for field \"nested keyword\"."
        }
    ],
    "causes": []
}

Request for Assistance

What strategies can I implement to ensure that I fetch results when one or more “Remove” operations are present at the attribute request level?

Thank you!
Best regards.

@bernardo-camargo
Your search query will give the 400 Bad Request because the query is invalid. For accountRequest Operation we have the following only:
1. create
2. modify
3. lock
4. unlock
5. enable
6. disable
7. delete
Please refer to the shared link: Searchable Fields - SailPoint Identity Services

Instead of the query that you have tried, use the below query and let me know if this works.

@accountRequests(source.name:"SOURCE_EXAMPLE") AND attributeRequests.op:"delete" AND attributeRequests.value:"SPECIFIC_VALUE"

Thanks,
Shantha Kumar

I have used this query for monitoring the provisioning activities in PRD & SBX. It works for me. Please give it a try.

Hi @bernardo-camargo ,

There is no nested object called “@attributeRequests()”. To filter at the attribute request level, you can add the conditions to the search query, separated by the OR operator, as shown below:

@accountRequests(source.name:"source name" AND attributeRequests.op:"Remove" AND (attributeRequests.value.exact:"Admin" OR attributeRequests.Value.exact:"User"))

If you want to filter the query result objects, then the search v3 API is the route: you can use an inner hit query, where you can filter the output returned from the original query.

Hi Shantha,

It looks like the property values you mentioned refer to the op field directly from @accountRequests, rather than the attributeRequests.op. As noted in the official documentation, attributeRequests.op can only contain the values: add, set, and remove:

The operation for an individual attribute that must be edited. This might be add, set, or remove.

The issue I’m encountering involves the nested field attributeRequests, which is an array. I’ve noticed that the IdentityNow search returns incorrect results when attempting to match properties within attributeRequests.

Hi Vijay,

The query you provided returns all account activities that include a remove operation for any value, as well as any other operation associated with the values Admin or User. However, it seems that the AND relationship is not being respected when the @accountRequest contains multiple attributeRequests.

This discrepancy might be causing the results to include activities that don’t meet both conditions simultaneously. Do you have any suggestions on how to refine the query to enforce the intended logic?

Thank you!

I have tried the query you have given in this post. I am able to get the search results.

@accountRequests(source.name:"SOURCE_EXAMPLE" AND attributeRequests.op:Remove AND attributeRequests.value:"SPECIFIC_VALUE")

QQ: Are you saying that the value you are searching for contains an array?

Actually, it’s not the value that is an array; rather, the object attributeRequests can contain one or more objects, such as:

[
  {
      "op": "Remove",
      "name": "assignedRoles",
      "value": "ROLE_NAME"
  },
  .
  .
  .
]

When an @accountRequest contains multiple objects within attributeRequests, the search fails to filter the results correctly. It appears to ignore the AND condition specified in the query.
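Added example, not part of any post in this thread and not SailPoint code: a client-side post-filter that keeps an account activity only when a single attributeRequests element carries both the op and the value, shown next to a loose matcher that reproduces the cross-element matches reported above (an illustration of the symptom, not a statement about how the search backend works). The records are constructed; their field names follow the ones used in the thread, and the helper names are hypothetical.

```python
# Constructed sample records; field names follow the ones used in this thread.
def _activity(act_id, source, attrs):
    return {"id": act_id, "accountRequests": [{
        "source": {"name": source},
        "attributeRequests": [{"op": o, "name": "assignedRoles", "value": v}
                              for o, v in attrs]}]}

SAMPLE = [
    _activity("act-1", "SOURCE_EXAMPLE", [("Remove", "SPECIFIC_VALUE")]),
    # op and value are each present, but on different elements of the array
    _activity("act-2", "SOURCE_EXAMPLE", [("Add", "SPECIFIC_VALUE"),
                                          ("Remove", "OTHER_VALUE")]),
    _activity("act-3", "SOURCE_EXAMPLE", [("Add", "OTHER_VALUE"),
                                          ("Remove", "SPECIFIC_VALUE")]),
    _activity("act-4", "OTHER_SOURCE", [("Remove", "SPECIFIC_VALUE")]),
]

def _eq(a, b):
    # Case-insensitive: the thread writes "Remove", the quoted docs say "remove".
    return isinstance(a, str) and a.casefold() == b.casefold()

def _requests_for(activity, source):
    # Yield the attributeRequests list of every accountRequest on the given source.
    for req in activity.get("accountRequests") or []:
        if _eq((req.get("source") or {}).get("name"), source):
            yield req.get("attributeRequests") or []

def cross_element_match(activity, source, op, value):
    """Loose AND: op and value may be satisfied by different array elements."""
    return any(any(_eq(a.get("op"), op) for a in attrs)
               and any(_eq(a.get("value"), value) for a in attrs)
               for attrs in _requests_for(activity, source))

def same_element_match(activity, source, op, value):
    """Strict AND: one attributeRequest must carry both the op and the value."""
    return any(_eq(a.get("op"), op) and _eq(a.get("value"), value)
               for attrs in _requests_for(activity, source) for a in attrs)

def matching_ids(activities, matcher, source, op, value):
    return [a["id"] for a in activities if matcher(a, source, op, value)]

if __name__ == "__main__":
    args = ("SOURCE_EXAMPLE", "Remove", "SPECIFIC_VALUE")
    print("loose :", matching_ids(SAMPLE, cross_element_match, *args))
    print("strict:", matching_ids(SAMPLE, same_element_match, *args))
```

Run the broad search first, then apply `same_element_match` to the returned documents; `act-2` is the kind of record that the loose form lets through.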
