Which IIQ version are you inquiring about?
8.3P1
Please share any other relevant files that may be required (for example, logs).
code for enable operation along with roles.
if (null != op && op.equals(AccountRequest.Operation.Enable)) {
    log.error("into enable operabit deafult");
    List defaultRoles = getDefaultRoleForApp(application.getName());
    if (null != defaultRoles && defaultRoles.size() > 0) {
        for (String defaultRole : defaultRoles) {
            if (null != defaultRole) {
                log.error("into enable operabit deafult inside deafult if");
                if (!isCreated) {
                    log.error("into enable operabit deafult inside created");
                    // Add the default role to the same account request that carries the Enable operation.
                    AttributeRequest attributeRequest = new AttributeRequest("Roles", ProvisioningPlan.Operation.Add, "" + defaultRole);
                    attributeRequest.setComments("Assigning Birth right role: " + defaultRole + " for Application: " + application.getName());
                    accountRequest.add(attributeRequest);
                    //accountRequest.setNativeIdentity(nativeId);
                }
            }
        }
    }
}
Provisioning plan
Share all details about your problem, including any error messages you may have received.
At the time of rehiring a user in IIQ, we are just enabling the SAP account, setting “user valid to” to a new date, and adding some default roles to the account.
In this case the user valid to date is set properly in the application account, but the roles are not getting added, whereas in the access request we can see the roles have been added and provisioning shows as committed. But in the user's application accounts there are no roles; please find below screenshots for the same. We have confirmed in the SAP system that the roles are not getting provisioned in their system.
<ProvisioningPlan nativeIdentity="SPE20023859" targetIntegration="PH SAP PI/PO" trackingId="6f345d1cb5f5462ea0c4a685aad5dbb1">
  <AccountRequest application="PH SAP PI/PO" nativeIdentity="SPE20023859" op="Enable">
    <AttributeRequest name="User Valid To" op="Set" value="9999-12-31"/>
    <AttributeRequest name="Roles" op="Add" value="ZSTANDARD">
      <Attributes>
        <Map>
          <entry key="comments" value="Assigning Birth right role: ZSTANDARD for Application: PH SAP PI/PO"/>
        </Map>
      </Attributes>
    </AttributeRequest>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0000141874"/>
      <entry key="requester" value="Scheduler"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
</ProvisioningPlan>
Code seems fine. Just to be clear, did you add this code to the Before Provisioning rule, is that right?
I did observe in one of my previous implementations that when the account is inactive, role assignments fail. This has something to do with configuration on the SAP side; they can block role assignments for an inactive user.
As per the plan, both actions are attempted at the same time. I would suggest utilizing a business role to grant the defaultRoles based on the SAP account status. This will ensure the roles are granted only after the account is activated.
OOTB, there isn’t a status attribute, but you can add an IIQDisabled attribute to the schema and populate IIQSchema in a customization rule based on the valid end date.
Are you trying to provision a role where the attribute is roles and starts with “ZC” something? Double-check it; maybe you are not actually provisioning roles, maybe you are assigning another attribute type.
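Added example (not part of the thread and not SailPoint code): a Python check for the pattern the reply above describes, an account request that changes account status and adds role values in the same request, run over the plan XML posted in the thread. The function names and the set of status operations are assumptions, and the nested `<value><List><String>` form for multi-valued requests is assumed from how IIQ serializes lists.

```python
import xml.etree.ElementTree as ET

# Plan posted in the thread, trimmed to the account request.
THREAD_PLAN = """
<ProvisioningPlan nativeIdentity="SPE20023859" targetIntegration="PH SAP PI/PO">
  <AccountRequest application="PH SAP PI/PO" nativeIdentity="SPE20023859" op="Enable">
    <AttributeRequest name="User Valid To" op="Set" value="9999-12-31"/>
    <AttributeRequest name="Roles" op="Add" value="ZSTANDARD"/>
  </AccountRequest>
</ProvisioningPlan>
"""

# Assumption: operations that change account status rather than attributes.
STATUS_OPS = {"Enable", "Disable", "Unlock"}


def request_values(attr_req):
    """Values of an AttributeRequest: inline value="..." or a nested list."""
    inline = attr_req.get("value")
    if inline is not None:
        return [inline]
    # Assumed multi-value form: <value><List><String>..</String></List></value>
    return [s.text for s in attr_req.findall("./value/List/String") if s.text]


def find_status_plus_add(plan_xml, attr_name="Roles"):
    """Flag account requests that change status and add attr_name values."""
    findings = []
    for acct in ET.fromstring(plan_xml).iter("AccountRequest"):
        op = acct.get("op")
        if op not in STATUS_OPS:
            continue
        added = []
        for req in acct.findall("AttributeRequest"):
            if req.get("name") == attr_name and req.get("op") == "Add":
                added.extend(request_values(req))
        if added:
            findings.append({
                "application": acct.get("application"),
                "nativeIdentity": acct.get("nativeIdentity"),
                "op": op,
                "added": added,
            })
    return findings


if __name__ == "__main__":
    for finding in find_status_plus_add(THREAD_PLAN):
        print(finding)
```

Running it over plans captured from both environments shows whether QA and Prod hand the connector the same request shape.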
Hi Uday,
Yes, the code is added in the before provisioning role. We are facing this error in our QA environment; the same piece of code and the same implementation are working fine in the Prod environment. We are not sure why it is an environment-specific issue.
Yes, we are using a business role with other attributes, but the ask is that whenever a new user raises an access request to the SAP application, this default role will be added along with the requested role. Below is the code for the create request, which is working fine in this environment.
if (null != op && op.equals(AccountRequest.Operation.Create)) {
    List defaultRoles = getDefaultRoleForApp(application.getName());
    if (null != defaultRoles && defaultRoles.size() > 0) {
        for (String defaultRole : defaultRoles) {
            if (null != defaultRole) {
                if (!isCreated) {
                    // Add the default role to the same account request that carries the Create operation.
                    AttributeRequest attributeRequest = new AttributeRequest(attributeName, ProvisioningPlan.Operation.Add, "" + defaultRole);
                    attributeRequest.setComments("Assigning Birth right role: " + defaultRole + " for Application: " + application.getName());
                    accountRequest.add(attributeRequest);
                    //accountRequest.setNativeIdentity(nativeId);
                }
            }
        }
    }
}
ZSTANDARD is the role which we are trying to add in the provisioning plan to get it provisioned along with the enable method, where the user valid to date is setting properly.
Can you show me the entitlement catalogue screenshot of the roles you are trying to provision? If I understand correctly, the issue is that SailPoint shows provisioning completed for new account creation, but on the SAP side they don’t see anything, correct??
Please find below screenshot. For a new account request it is added in the provisioning plan and provisioned in the SAP system, but at the enable for the rehire event it is not getting provisioned.
Ok, understood. When you try to enable the account, what is happening? What is the requirement? Can you please explain it to me one more time?
When we try to enable the account, along with it we are adding the default role in the provisioning plan. Please find the code below. One attribute is Valid To, which we are handling in the provisioning policy; the other is the role, which we are adding in the before provisioning rule.
if (null != op && op.equals(AccountRequest.Operation.Enable)) {
    log.error("into enable operabit deafult");
    List defaultRoles = getDefaultRoleForApp(application.getName());
    if (null != defaultRoles && defaultRoles.size() > 0) {
        for (String defaultRole : defaultRoles) {
            if (null != defaultRole) {
                log.error("into enable operabit deafult inside deafult if");
                if (!isCreated) {
                    log.error("into enable operabit deafult inside created");
                    AttributeRequest attributeRequest = new AttributeRequest("Roles", ProvisioningPlan.Operation.Add, "" + defaultRole);
                    attributeRequest.setComments("Assigning Birth right role: " + defaultRole + " for Application: " + application.getName());
                    accountRequest.add(attributeRequest);
                    //accountRequest.setNativeIdentity(nativeId);
                }
            }
        }
    }
}