Which IIQ version are you inquiring about?
Version 8.3
Share all details related to your problem, including any error messages you may have received.
Hello Everyone,
We are developing an Advanced Policy which should launch a Workflow when a condition is violated. In our scenario, we are trying to add a role to an identity if all conditions are met. In the Advanced Policy, we are assigning it a rule which checks the necessary conditions. If the conditions are not met, a violation should be thrown and ServiceNow should throw a policy violation and not allow the role to be added to an Identity.
Our issue right now is that we see that the policy is violated through the logs and that the Policy Violation object was created with the associated identity, however, on the ServiceNow UI it says “Policy Check completed Successfully” when it should throw an error.
I have added some screenshots to clarify:
In our Rule that’s added to our Advanced Policy:
boolean violates = false;
if (condition violates){
log.debug(“THIS ROLE SHOULD VIOLATE”);
violates = true;
} else {
log.debug("THIS ROLE SHOULD NOT VIOLATE");
}
log.debug("Generating Policy Violation");
PolicyViolation pv = new PolicyViolation();
pv.setIdentity(identity);
pv.setPolicy(policy);
pv.setConstraint(constraint);
pv.setStatus(sailpoint.object.PolicyViolation.Status.Open);
pv.setActive(true);
log.debug("returning violation below:");
log.debug(pv.toXml());
return pv;
}
log.debug(“CIBC_Dynamic_Policy_Check_Rule1 Ends Here”);
The logs look like this:
2024-01-23 11:14:25,881 DEBUG default task-988 CIBC_Dynamic_Policy_Check_Rule1:-1 - THIS ROLE SHOULD VIOLATE
2024-01-23 11:14:25,882 DEBUG default task-988 CIBC_Dynamic_Policy_Check_Rule1:-1 - violates:true
2024-01-23 11:14:25,882 DEBUG default task-988 CIBC_Dynamic_Policy_Check_Rule1:-1 - Generating Policy Violation
2024-01-23 11:14:25,883 TRACE default task-988 sailpoint.WorkflowTrace:216 - Step result variable: policyViolations
2024-01-23 11:14:25,884 TRACE default task-988 sailpoint.WorkflowTrace:216 - null
2024-01-23 11:14:25,884 TRACE default task-988 sailpoint.WorkflowTrace:216 - Ending step Check Policies
2024-01-23 11:14:25,884 TRACE default task-988 sailpoint.WorkflowTrace:216 - Starting step Modify Violation Result
2024-01-23 11:14:25,894 TRACE default task-988 sailpoint.WorkflowTrace:216 - Step result variable: modifiedPolicyViolations
2024-01-23 11:14:25,894 TRACE default task-988 sailpoint.WorkflowTrace:216 - null
2024-01-23 11:14:25,894 TRACE default task-988 sailpoint.WorkflowTrace:216 - Ending step Modify Violation Result
2024-01-23 11:14:25,895 TRACE default task-988 sailpoint.WorkflowTrace:216 - Starting step Update Custom Object - Remove MapID
2024-01-23 11:14:25,909 TRACE default task-988 sailpoint.WorkflowTrace:216 - Ending step Update Custom Object - Remove MapID
2024-01-23 11:14:25,910 TRACE default task-988 sailpoint.WorkflowTrace:216 - Starting step Audit End
2024-01-23 11:14:25,944 TRACE default task-988 sailpoint.WorkflowTrace:216 - Ending step Audit End
2024-01-23 11:14:25,945 TRACE default task-988 sailpoint.WorkflowTrace:216 - Starting step end
2024-01-23 11:14:25,945 TRACE default task-988 sailpoint.WorkflowTrace:216 - Ending step end
2024-01-23 11:14:25,945 TRACE default task-988 sailpoint.WorkflowTrace:216 - Ending workflow CIBC_API_Identity_Request_Violation_Review
Even though it shows that the Policy violation was generated, ServiceNow still shows the following message:
Policy Violation Verification: There is no policy violation