roleImporter V11 assignUserstoRole for complex criteria upload is not working

Hi,
I am trying to test the assignUserstoRole command from roleImporter.rb version 11, downloaded here: https://community.sailpoint.com/t5/Professional-Services/IdentityNow-Bulk-Access-Profile-and-Role-Importer/ta-p/77382

I keep getting the following error.

My csv looks like this:

I am trying to set a criteria on the Client Group - Birthright Access role. I pulled the criteria from my Prod tenant and I am trying to apply it to the role in Stage, as a test.

The desired end result is to be able to pull the complex criteria we have in our tenant via the list-roles API (SailPoint Developer Community; this is working, I have this in a csv), and then, in the event of erroneous deletion of the role or its criteria, use this file to re-upload the criteria in bulk using roleImporter.

Therefore I need help understanding the differences between the format this API returns the criteria in, vs the format roleImporter’s assignUserstoRole accepts.

I have tried many different tweaks of what I’m getting from this API and none have worked, roleImporter keeps giving me the error above.

Is anyone familiar with these formats / can anyone see what is wrong with my csv?

Hi Lea,

It is a bit difficult to find the error with your complex criteria from just the image. Could you post the text version of your criteria here so we can take a look at it?

Thanks,

Liam

Here is all the text in my csv:

assignUsersToRole,Role Name,assignedType,assignedValue
assignUsersToRole,Client Group - Birthright Access,COMPLEX_CRITERIA,“{”“operation”“:”“AND”“,”“key”“:null,”“stringValue”“:null,”“children”“:[{”“operation”“:”“EQUALS”“,”“key”“:{”“type”“:”“IDENTITY”“,”“property”“:”“attribute.division”“,”“sourceId”“:null},”“stringValue”“:”“Client Group”“,”“children”“:null},{”“operation”“:”“EQUALS”“,”“key”“:{”“type”“:”“IDENTITY”“,”“property”“:”“attribute.employeeType”“,”“sourceId”“:null},”“stringValue”“:”“E”“,”“children”“:null},{”“operation”“:”“OR”“,”“key”“:null,”“stringValue”“:null,”“children”“:[{”“operation”“:”“EQUALS”“,”“key”“:”“@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}”“,”“stringValue”“:”“prehire”“,”“children”“:null},{”“operation”“:”“EQUALS”“,”“key”“:”“@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}”“,”“stringValue”“:”“active”“,”“children”“:null},{”“operation”“:”“EQUALS”“,”“key”“:”“@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}”“,”“stringValue”“:”“preLeaver”“,”“children”“:null},{”“operation”“:”“EQUALS”“,”“key”“:”“@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}”“,”“stringValue”“:”“legalhold”“,”“children”“:null}]},{”“operation”“:”“CONTAINS”“,”“key”“:{”“type”“:”“ACCOUNT”“,”“property”“:”“attribute.distinguishedName”“,”“sourceId”“:”“0d28e85c5fe34f8b86a14c1074d40d97"”},““stringValue””:““com””,““children””:null}]}"

And this is what the criteria looks like when I pull it from the beta/roles API. It has indentation which isn’t showing when pasting it here so I’ve added a screenshot.

“{
““operation””: ““AND””,
““key””: null,
““stringValue””: null,
““children””: [
{
““operation””: ““EQUALS””,
““key””: {
““type””: ““IDENTITY””,
““property””: ““attribute.division””,
““sourceId””: null
},
““stringValue””: ““Client Group””,
““children””: null
},
{
““operation””: ““EQUALS””,
““key””: {
““type””: ““IDENTITY””,
““property””: ““attribute.employeeType””,
““sourceId””: null
},
““stringValue””: ““E””,
““children””: null
},
{
““operation””: ““OR””,
““key””: null,
““stringValue””: null,
““children””: [
{
““operation””: ““EQUALS””,
““key””: “”@{type=IDENTITY; property=attribute.cloudLifecycleState; sourceId=}”“,
““stringValue””: ““prehire””,
““children””: null
},
{
““operation””: ““EQUALS””,
““key””: “”@{type=IDENTITY; property=attribute.cloudLifecycleState; sourceId=}”“,
““stringValue””: ““active””,
““children””: null
},
{
““operation””: ““EQUALS””,
““key””: “”@{type=IDENTITY; property=attribute.cloudLifecycleState; sourceId=}”“,
““stringValue””: ““preLeaver””,
““children””: null
},
{
““operation””: ““EQUALS””,
““key””: “”@{type=IDENTITY; property=attribute.cloudLifecycleState; sourceId=}”",
““stringValue””: ““legalhold””,
““children””: null
}
]
},
{
““operation””: ““CONTAINS””,
““key””: {
““type””: ““ACCOUNT””,
““property””: ““attribute.distinguishedName””,
““sourceId””: ““0d28e85c5fe34f8b86a14c1074d40d97"”
},
““stringValue””: ““com””,
““children””: null
}
]
}”

Hi Lea,

I believe you have an incorrect format of double quotes in your csv file that is causing the issue. I replaced all of your quotes with the " character (U+0022 QUOTATION MARK). See below:

"{""operation"":""AND"",""key"":null,""stringValue"":null,""children"":[{""operation"":""EQUALS"",""key"":{""type"":""IDENTITY"",""property"":""attribute.division"",""sourceId"":null},""stringValue"":""Client Group"",""children"":null},{""operation"":""EQUALS"",""key"":{""type"":""IDENTITY"",""property"":""attribute.employeeType"",""sourceId"":null},""stringValue"":""E"",""children"":null},{""operation"":""OR"",""key"":null,""stringValue"":null,""children"":[{""operation"":""EQUALS"",""key"":""@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}"",""stringValue"":""prehire"",""children"":null},{""operation"":""EQUALS"",""key"":""@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}"",""stringValue"":""active"",""children"":null},{""operation"":""EQUALS"",""key"":""@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}"",""stringValue"":""preLeaver"",""children"":null},{""operation"":""EQUALS"",""key"":""@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}"",""stringValue"":""legalhold"",""children"":null}]},{""operation"":""CONTAINS"",""key"":{""type"":""ACCOUNT"",""property"":""attribute.distinguishedName"",""sourceId"":""0d28e85c5fe34f8b86a14c1074d40d97""},""stringValue"":""com"",""children"":null}]}"

Let me know if that works!

Thanks,

Liam

Hello Lea,

I’ve had this issue before. What I found is the structure of the membership criteria as seen in the API is slightly different than what the role importer tool requires.

If you build your criteria off of one of the examples in the documentation for the Role Importer tool instead of building it in the format of what you see in the API, that should get it to work.

Hope this helps!

Thanks everyone.

The quotes in my CSV are U+0022, they got changed to U+201C when copy pasting the code into here.

I had another look at the roleImporter documentation and found two key differences:

  • children of children (members of a criteria group, where there are several) are formatted differently in the API response vs roleImporter format (lines 100 to 123)
  • roleImporter takes sourceId instead of sourceName (line 131)

I edited my csv manually to align with what’s in the roleImporter documentation. This worked.

But what are we meant to do if we have 100+ criteria to upload? Manually reformatting every single one of them is obviously not feasible… Nor is writing them from scratch if you’re not restoring using the API response but instead uploading them for the first time.
Does anyone know of a way to convert API response format to roleImporter format?
How is everyone prepping their roleImporter input file when using assignUserstoRole?

Corrected csv:

@lead1, one thing I’ve learnt over time after using the role importer tool is to always edit your CSV files using a notepad application and never copy-paste the JSON structures from the Excel UI. Excel tends to output undesired formats which might look the same in the UI, but the underlying formatting would get messed up.


I’ve seen this as well.
If anyone could let me know how they are going about writing all of their role criteria to feed to roleImporter, however, that would be greatly appreciated. Are you writing one, then copy-pasting it and modifying it for the subsequent ones?

Hello Lea,

What we did was essentially use a bunch of concat functions in the Excel file to build the criteria, including the overall structure that the role importer tool requires.
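A pre-flight check for the input file discussed in this thread, added here as an example (it is not part of roleImporter and not code from any post above). It flags the two problems raised in the thread before a bulk upload: typographic quotes (U+201C/U+201D) in place of U+0022, and nested criteria whose `key` arrives as a flattened `@{...}` string instead of an object. The column names come from the CSV header posted above; the function names and the sample rows are constructed for illustration, and the check makes no claim about the full format roleImporter accepts.

```ruby
require "csv"
require "json"

SMART_QUOTES = /[\u201C\u201D]/

# Constructed sample: Role A has a flattened "@{...}" key in a child node,
# Role B was pasted with typographic quotes (as happened in this thread).
SAMPLE = <<~'ROWS'
  assignUsersToRole,Role Name,assignedType,assignedValue
  assignUsersToRole,Role A,COMPLEX_CRITERIA,"{""operation"":""OR"",""key"":null,""children"":[{""operation"":""EQUALS"",""key"":""@{type=IDENTITY;property=attribute.cloudLifecycleState;sourceId=}"",""stringValue"":""active"",""children"":null}]}"
  assignUsersToRole,Role B,COMPLEX_CRITERIA,“{”“operation”“:”“AND”“,”“key”“:null}”
ROWS

# Walk a criteria tree and return the paths of nodes whose "key" is a
# flattened "@{...}" string rather than a JSON object.
def flattened_keys(node, path = "root")
  return [] unless node.is_a?(Hash)
  key = node["key"]
  found = key.is_a?(String) && key.start_with?("@{") ? [path] : []
  Array(node["children"]).each_with_index do |child, i|
    found.concat(flattened_keys(child, "#{path}.children[#{i}]"))
  end
  found
end

# Return a list of human-readable problems; an empty list means the file
# passed these checks (not that roleImporter will accept it).
def preflight(csv_text)
  problems = []
  csv_text.each_line.with_index(1) do |line, n|
    problems << "line #{n}: typographic quote (U+201C/U+201D) present" if line.match?(SMART_QUOTES)
  end
  begin
    rows = CSV.parse(csv_text, headers: true)
  rescue CSV::MalformedCSVError => e
    return problems << "CSV does not parse: #{e.message}"
  end
  rows.each do |row|
    next unless row["assignedType"] == "COMPLEX_CRITERIA"
    role = row["Role Name"]
    begin
      tree = JSON.parse(row["assignedValue"].to_s)
    rescue JSON::ParserError
      problems << "#{role}: assignedValue is not valid JSON"
      next
    end
    flattened_keys(tree).each { |p| problems << "#{role}: key at #{p} is a flattened @{...} string" }
  end
  problems
end

puts preflight(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Run it against the file exactly as saved on disk rather than against text copied out of Excel or a web page, since the copy step is where the quote characters changed in this thread.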