SCIM Server CheckedPolicyViolations fails with no policies supplied

mcrooke · October 21, 2021, 2:06am

If you invoke the /identityiq/scim/v2/CheckedPolicyViolations SCIM API without a policies attribute then no policies are checked.

The API does not support checking all of the policies, if I supply the request with a policy then the check happens and I get a violation, removing the policies attribute to check all the policies, then none of the policies are checked.

For example this returns a policy violation on the Mainframe SOD policy:
{

"identity": "22699291",

"plan": {

    "value": {

        "accounts": [

            {

                "application": "AUR Active Directory",

                "attributes": [

                    {

                        "name": "memberOf",

                        "op": "Add",

                        "value": "CN=my....."

                    }

                ],

                "instance": "null",

                "op": "Modify"

            }

        ]

    },

    "type": "application/sailpoint.object.ProvisioningPlan+json"

},

"policies": [

    "Mainframe SOD Policy"

]

}

Where as this returns not policy violations:
{

"identity": "22699291",

"plan": {

    "value": {

        "accounts": [

            {

                "application": "AUR Active Directory",

                "attributes": [

                    {

                        "name": "memberOf",

                        "op": "Add",

                        "value": "CN=my....."

                    }

                ],

                "instance": "null",

                "op": "Modify"

            }

        ]

    },

    "type": "application/sailpoint.object.ProvisioningPlan+json"

}

}

There is no way to check all the policies, unless you list every single policy in the policies attribute, we have too many policies to do this and it makes the json requests huge.

patrickboston · October 21, 2021, 3:53am

That’s a bummer. A thought that comes to mind is maybe to launch a workflow with the /LaunchWorkflows SCIM endpoint. I believe there is a subprocess inside of LCM Provisioning that performs violation checks. Or make a custom workflow that makes the necessary calls and make sure to output any violations found.

mcrooke · October 25, 2021, 10:16pm

Thanks for the input Patrick.

/LaunchWorkflows works pretty nicely, and not that hard to setup a workflow do do the checks; however, I discovered if was my SOD policy that was causing the issue. The Policy was marked as inactive, so if you call /CheckedPolicyViolations with an inactive policy, and that policy is explicitly named in the policies attribute, then the API it will check it and give you the result. If you don’t name the policy explicitly then its not checked. So there is a search in there for active policies if you check everything.

So I guess I found a feature, you can check an inactive policy if its named explicitly, could be good for testing.

In my case the /LaunchWorkflows might be better as I’m not sure the application calling the service will be able to supply the identity name, maybe just an account and role name.

Topic		Replies	Views
Querying information from the policyViolation variable in workflows IIQ Discussion and Questions	3	1111	July 19, 2023
Advanced Policy rule not working IdentityIQ (IIQ)	6	2382	June 24, 2022
Advanced Policy not able to create PolicyViolation IIQ Discussion and Questions	22	3650	July 19, 2023
SCIM API Roles Endpoint Doesn't Return Profiles Information IIQ Discussion and Questions	3	1325	July 19, 2023
Policy not found for Request Violation IIQ Discussion and Questions workflows , identityiq , access-requests	3	38	February 28, 2025

SCIM Server CheckedPolicyViolations fails with no policies supplied

Related topics