Retrieve Role and Entitlement in LCM Provisioning Workflow

Which IIQ version are you inquiring about?

8.4

Please share any other relevant files that may be required (for example, logs).

import sailpoint.object.Bundle;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.Identity;
import sailpoint.object.Profile;
import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.tools.Util;
import org.apache.log4j.Logger;

SailPointContext context = sailpoint.api.SailPointFactory.getCurrentContext();

String errorMessage = null;
String validationStatus = "Valid";

Identity identity = context.getObject(Identity.class, identityName);
System.out.println("Identity Badge Type = "+identity.getAttribute("workderbadgetype"));   

Bundle role = context.getObjectByName(Bundle.class, roleName); 	
ManagedAttribute entitlement = context.getObjectByName(ManagedAttribute.class, entitlementName); 

// Log the validation status before returning
log.error("Returning validationStatus: " + validationStatus);
System.out.println("Returning validationStatus: " + validationStatus);

return validationStatus;  

Share all details about your problem, including any error messages you may have received.

Hi Experts,

I would like to know if it is possible to retrieve role and entitlement attributes in the LCM Provisioning workflow. I added a validation step before the “Create Ticket” step to validate the role and entitlement. To do so, I need the role and entitlement objects. Therefore, I used the getObject() method, but after some testing, I found that it always returns null. I’m not sure what I missed and would like to seek your advice.

Hi @Bernardc

The problem with your code is indeed in how you’re trying to get the roleName and entitlementName.

It’s missing the context of the AccessRequestItem objects that are part of an LCM request.

You need to integrate your validation logic within the context of the IdentityRequest and its AccessRequestItem.

import sailpoint.object.IdentityRequest; // <-- IMPORTANT: Import IdentityRequest
import sailpoint.object.AccessRequestItem; // <-- IMPORTANT: Import AccessRequestItem

Hi @pattabhi,

Much appreciated for the info. Do you have any sample I can refer to?

In the LCM Provisioning Workflow, both the identityRequestId and plan variables are accessible. These can be used to identify the specific role or entitlement for which the request was initiated and the workflow triggered.

To retrieve request details, you can:

  • Use the identityRequestId along with the context object to obtain the identityRequest, which contains the request items and their associated details.
  • Alternatively, directly use the plan object to access the requested role or entitlement.
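An added example of the second option (reading the plan), written for this page and not taken from any poster's workflow or from SailPoint's own code. It assumes the step script receives `plan` as an Arg, that `context` and `log` are supplied by IdentityIQ, and that "Invalid" is an acceptable status label; entitlements are looked up with `ManagedAttributer.get`.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.ManagedAttributer;
import sailpoint.object.Application;
import sailpoint.object.Bundle;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.Util;

// Assumptions: "plan" (ProvisioningPlan) is passed to this step as an Arg;
// "context" and "log" are the variables IdentityIQ supplies to the script.
String validationStatus = "Valid";
List unresolved = new ArrayList();   // requested items with no matching object

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acct : plan.getAccountRequests()) {
        String appName = acct.getApplication();
        if (acct.getAttributeRequests() == null) continue;
        for (AttributeRequest attr : acct.getAttributeRequests()) {
            // A value may be a single String or a List; only Add operations are checked.
            List values = Util.asList(attr.getValue());
            if (values == null || attr.getOperation() != ProvisioningPlan.Operation.Add) continue;
            for (Object v : values) {
                String value = Util.otos(v);
                if (ProvisioningPlan.APP_IIQ.equals(appName)) {
                    // Role requests target the "IIQ" pseudo-application.
                    boolean isRole = ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES.equals(attr.getName())
                            || ProvisioningPlan.ATT_IIQ_DETECTED_ROLES.equals(attr.getName());
                    if (!isRole) continue;
                    Bundle role = context.getObjectByName(Bundle.class, value);
                    if (role == null) unresolved.add("role " + value);
                } else {
                    // Entitlement requests name the application, attribute and value.
                    Application app = context.getObjectByName(Application.class, appName);
                    ManagedAttribute ent = (app == null) ? null
                            : ManagedAttributer.get(context, app, attr.getName(), value);
                    if (ent == null) unresolved.add(appName + " " + attr.getName() + "=" + value);
                }
            }
        }
    }
}

if (!unresolved.isEmpty()) {
    validationStatus = "Invalid";   // assumed label; the page only shows "Valid"
    log.warn("Requested items that did not resolve: " + unresolved);
}
return validationStatus;
```

Checks on role or entitlement attributes go where `role` and `ent` are resolved, before the status is returned.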

Hi @rpriya,

I was able to obtain the identityRequest along with the context object. However, I found out it only happens if it is a normal access request. While using the batch request UI, it will not return the identityRequest object. Do you have any idea on this?

Hi All,

In my case, I am adding validation for batch requests. Therefore, I added a validation step before the “Create Ticket” step. To perform validation based on role or entitlement attributes, we must retrieve the corresponding role or entitlement object.

Since this is for a batch request, we need to retrieve the information using the batchRequestId instead of the identityRequestId. The identityRequestId can be used to retrieve role or entitlement objects, but it is only applicable to normal access requests, not those from the batch request UI.

Here is the core code to retrieve the object by batchRequestId:

import sailpoint.object.BatchRequestItem;
BatchRequestItem item = context.getObjectById(BatchRequestItem.class, batchRequestItemId);

Big shout-out to @pattabhi and @rpriya for sharing ideas that pointed me in the right direction!