PostJoiner Rule is not adding user to Role

Which IIQ version are you inquiring about?

8.4p1

The post joiner rule on RapidSetup is getting triggered, but role assignment is not happening.

    // PostJoiner for Casper instead of joiner workflow
    import sailpoint.object.*;
    import sailpoint.object.Custom;
    import sailpoint.tools.Util;
    import sailpoint.tools.Message;
    import sailpoint.tools.GeneralException;
    import org.apache.log4j.Logger;
    import sailpoint.object.RoleAssignment;

    // Role to assign; the variable was not defined in the posted snippet, the role name is taken from the debug extract below
    Bundle posixgroupRole = context.getObjectByName(Bundle.class, "posixRoleTest");

    Identity pidentity = context.getObjectByName(Identity.class, identityName);
    // Adds the Bundle to the identity's assignedRoles list only; no provisioning plan is built
    pidentity.add(posixgroupRole);
    // Appends a RoleAssignment entry to the identity's preferences
    pidentity.addRoleAssignment(new RoleAssignment(posixgroupRole));
    context.saveObject(pidentity);
    context.commitTransaction();

When run on a user, I see only the TestHRMSBus role, which is provisioned via access request. I don't see posixRoleTest on the user profile in the UI.

Here is the extract from debug page. Every time it is run, it adds a row to roleassignment list but no change on UI and no provisioning activity due to new role.

    ...
          <entry key="source" value="TestHRMS"/>
          <entry key="idvalue" value="firstname.lastname"/>
        </Map>
      </Attributes>
      <AssignedRoles>
        <Reference class="sailpoint.object.Bundle" id="ac1422c9919c1a5e8191bc4800bb59c2" name="TestHRMSBus"/>
        <Reference class="sailpoint.object.Bundle" id="000000008ef01a9e818f14b596915188" name="posixRoleTest"/>
      </AssignedRoles>
      <AttributeMetaDatas>
        <AttributeMetaData attribute="facilityState" source="TestHRMS:facility_state"/>
        <AttributeMetaData attribute="facilityType" source="TestHRMS:facility_type"/>
        <AttributeMetaData attribute="role" source="TestHRMS:role"/>
        ...
      </AttributeMetaDatas>
      <Preferences>
        <Map>
          <entry key="roleAssignments">
            <value>
              <List>
                <RoleAssignment assignmentId="c1d072a3d0d04b93858835e95f5bf741" date="1745835482787" roleId="ac1422c9919c1a5e8191bc4800bb59c2" roleName="TestHRMSBus" source="Rule"/>
                <RoleAssignment date="1745911466174" roleId="000000008ef01a9e818f14b596915188" roleName="posixRoleTest"/>
                <RoleAssignment date="1745917630339" roleId="000000008ef01a9e818f14b596915188" roleName="posixRoleTest"/>
                <RoleAssignment date="1745993558667" roleId="000000008ef01a9e818f14b596915188" roleName="posixRoleTest"/>
                <RoleAssignment date="1746157999106" roleId="000000008ef01a9e818f14b596915188" roleName="posixRoleTest"/>
              </List>
            </value>
          </entry>
        </Map>
      </Preferences>
      <RoleMetadatas>
        <Reference class="sailpoint.object.RoleMetadata" id="ac1422c9966711c181967be75f1977ad" name="TestHRMSBus"/>
      </RoleMetadatas>

To assign a Role in IdentityIQ I would suggest creating a plan and launching the LCM Provisioning workflow. Sample code:

    import java.util.HashMap;
    import sailpoint.object.Identity;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    import sailpoint.object.Workflow;
    import sailpoint.object.WorkflowLaunch;
    import sailpoint.api.Provisioner;
    import sailpoint.api.Workflower;

    Identity pidentity = context.getObjectByName(Identity.class, identityName);

    // Plan against the IdentityIQ application that adds the role to assignedRoles
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(pidentity);
    AccountRequest accReq = new AccountRequest(AccountRequest.Operation.Modify, ProvisioningPlan.APP_IIQ, null, identityName);
    // The attribute value is the role name as defined in IdentityIQ
    accReq.add(new AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Add, "posixgroupRole"));
    plan.add(accReq);

    // Creating WorkflowLaunch and setting values
    Workflow wf = (Workflow) context.getObjectByName(Workflow.class, "LCM Provisioning");

    // launcher is the name of the identity recorded as the requester; "spadmin" is a placeholder, set it for your environment
    String launcher = "spadmin";
    HashMap launchArgsMap = new HashMap();
    launchArgsMap.put("launcher", launcher);
    launchArgsMap.put("identityName", identityName);
    launchArgsMap.put("plan", plan);

    Workflower workflower = new Workflower(context);

    if (wf != null) {
      WorkflowLaunch launch = workflower.launchSafely(wf, "posixgroupRole role assignment Workflow for - " + identityName, launchArgsMap);
    }


Hi Dheeraj - Understood, and we are using a plan in a few scenarios. I am not able to understand why identity.add, identity.addAssignedRole and identity.addRoleAssignment all fail.

Hello Vinil, this is failing because you're adding the role to the Identity but you don't send this to the external target system. You need to create a provisioning plan to have the entitlements in your external system.
Regards.

To reiterate what you said, identity.add will only add the role on the identity and will not provision any attached entitlement, even after multiple refreshes with Provision Entitlements?
If that is true, I should at least see the role on the user profile. I don't see it on the user in the UI via Identity Warehouse.
Only one role is shown in the UI, while the other assigned role is visible in the identity XML multiple times.

If you use a refresh after the assignment by addRole via script with the "Provision assignments" flag set to true, the entitlement will be provisioned in the final system, but it's not automatic. The correct way is assigning by provisioning plan if you want to use scripts.

So, my question is not about the target. My question is about the Role itself not being visible in the UI.

It is not visible because you must use the provisioning plan to add it; being visible isn't just about adding the role. You can use silent mode from a script and not create a visible request.
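As an added example (not code from this thread or from SailPoint), a PostJoiner-style rule body that assigns the role through a ProvisioningPlan executed directly with Provisioner, the scripted route that creates no workflow case or visible access request; it also skips the assignment when the identity already holds the role, so rerunning the rule does not append further RoleAssignment rows like the ones in the debug extract. It assumes `context`, `log` and `identityName` from the rule context and the role name "posixRoleTest" from the extract.

```java
import java.util.List;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;
import sailpoint.api.Provisioner;

String roleName = "posixRoleTest";   // role name taken from the debug extract in this thread
Identity pidentity = context.getObjectByName(Identity.class, identityName);
Bundle role = context.getObjectByName(Bundle.class, roleName);
if (pidentity == null || role == null) {
  log.error("PostJoiner: identity or role not found: " + identityName + " / " + roleName);
  return null;
}

// Idempotency check: a joiner rule can fire more than once, so do nothing
// if the role is already on the identity's assignedRoles list
boolean alreadyAssigned = false;
List assigned = pidentity.getAssignedRoles();
if (assigned != null) {
  for (Object o : assigned) {
    if (roleName.equals(((Bundle) o).getName())) {
      alreadyAssigned = true;
    }
  }
}
if (alreadyAssigned) {
  log.info("PostJoiner: " + identityName + " already has role " + roleName + ", skipping");
  return null;
}

// Plan against the IdentityIQ application: add the role to assignedRoles.
// Going through a plan, rather than Identity.add(), is what makes the
// provisioner expand the role's required entitlements into target-system requests.
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(pidentity);
AccountRequest acct = new AccountRequest(AccountRequest.Operation.Modify, ProvisioningPlan.APP_IIQ, null, identityName);
acct.add(new AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Add, roleName));
plan.add(acct);

// Compile and execute directly (no LCM Provisioning workflow, no IdentityRequest shown in the UI)
Provisioner provisioner = new Provisioner(context);
ProvisioningProject project = provisioner.compile(plan);
provisioner.execute();
log.info("PostJoiner: assigned role " + roleName + " to " + identityName);
return null;
```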

Apologies for another question.
What do these do then: identity.add, identity.addAssignedRole and identity.addRoleAssignment?
