Unable to complete certification

Which IIQ version are you inquiring about?

8.4

Please share any images or screenshots, if relevant.

Result of the perform maintenance task

Please share any other relevant files that may be required (for example, logs).

SysLog registered in system :

<SyslogEvent classname="sailpoint.api.CertificationFinisher$CertificationFinisherWorker" created="1764769201649" eventLevel="ERROR" id="c0a866319ae214d8819ae470fdf10cdd" lineNumber="317" quickKey="0003796242" server="INUNWIDAM747" thread="pool-61-thread-1" username="Scheduler">
  <EventMessage>failed to lazily initialize a collection of role: sailpoint.object.Identity.links, could not initialize proxy - no Session</EventMessage>
  <Stacktrace>org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Identity.links, could not initialize proxy - no Session
	at org.hibernate.collection.internal.AbstractPersistentCollection.throwLazyInitializationException(AbstractPersistentCollection.java:606)
	at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:218)
	at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:585)
	at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:149)
	at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:387)
	at sailpoint.provisioning.IIQEvaluator.provision(IIQEvaluator.java:297)
	at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:871)
	at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:739)
	at sailpoint.api.Provisioner.execute(Provisioner.java:1652)
	at sailpoint.api.certification.RemediationManager.executeUsingProvisioner(RemediationManager.java:929)
	at sailpoint.api.certification.RemediationManager.performRemediation(RemediationManager.java:733)
	at sailpoint.api.certification.RemediationManager.flush(RemediationManager.java:511)
	at sailpoint.api.Certificationer.postRemediate(Certificationer.java:2997)
	at sailpoint.api.Certificationer.finish(Certificationer.java:4430)
	at sailpoint.api.CertificationFinisher$CertificationFinisherWorker.call(CertificationFinisher.java:290)
	at sailpoint.api.CertificationFinisher$CertificationFinisherWorker.call(CertificationFinisher.java:193)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
</Stacktrace>
</SyslogEvent>

Share all details about your problem, including any error messages you may have received.

I have been trying to achieve a use case related to manager certification, which requires me to generate a manager certification on accounts, where if the certifier revokes the access review, instead of deleting the account we have to disable the account. So in order to achieve this use case, I have configured a Before provisioning rule in the application as given below:


import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.*;
import org.apache.log4j.Logger;
import java.util.Iterator;
import java.util.List;

log.debug("In the before provisioning rule of the application");
if (plan != null) {
    String source = plan.getSource();
    // Only rewrite plans that were generated by a certification
    if (source != null && "Certification".equals(source)) {
        List accountRequestList = plan.getAccountRequests();
        Iterator it = accountRequestList.iterator();
        while (it.hasNext()) {
            AccountRequest accReq = (AccountRequest) it.next();
            // Convert an account Delete request into a Disable request
            if (accReq.getOp().toString().equalsIgnoreCase("Delete")) {
                accReq.setOp(ProvisioningPlan.ObjectOperation.Disable);
                log.debug("+++Operation has been changed to Disabled+++");
            }
        }
    }
}

Now, this rule works fine and disables the account on revoking decision of the access review. I have checked in the provisioning transaction, which shows that I have successfully disabled the account, but when the perform maintenance task runs, it gives me the error as shown above in the image. Basically the perform maintenance task fails and the certification remains active; on the second run of the perform maintenance, it again performs provisioning of disabling the account, and this goes on. Could you guys please help me resolve this issue? I just want to understand the reason why I am facing this issue and how I could resolve it.

Thank you!

Hi @Chathuryas ,

Understood, thanks for the explanation. Do you know if there’s any solution or workaround for this issue?

Hi @Prash373 ,
We are also facing the exact same issue on the Perform Maintenance task. Were you able to find any fix or workaround for this issue?

Thanks in Advance.

Hi @TKiran ,

Yes, I don’t know whether it’s an efficient way or not. What I did was initialize the links in the before provisioning rule. By doing so, this issue was resolved for me.

Added the following lines in code after the while condition:

// Touch the identity's links from inside the rule
Identity identity = plan.getIdentity();
if (identity != null) {
    List initializingLinks = identity.getLinks();
}

By adding the above code, the problem got resolved, but I wouldn’t say it’s an efficient solution. But you can try. And if you find any proper solution, ping here.

Thank you for the quick response Prashant.

We don’t have a Before Provisioning Rule, but we have an integration config object which has some logic to invoke a workflow to generate a manual work item.

From the loggers, I could see that the error is exactly occurring once the workflow has been launched. And it’s very inconsistent to reproduce in our lower environment. Do you have any idea, or can you give us some direction to resolve this issue?

Really appreciate your help on this.

Can you try to set deleteToDisable to true in the application definition?

This should convert the delete to a disable request, irrespective of where it is generated, without any customization.

Thanks for the suggestion Sanjay.

But for our case, the account should be deleted. The same issue here I meant was related to the error not to the scenario.

Hi @TKiran ,

In any of the code in the workflow where you are getting the above error, are you using "context.decache()"? If yes, try commenting out context.decache(); maybe this could solve your issue.

Hi Prashant,

Checked for this line but it doesn’t exist in the current code.

Could there be any chance of the commitTransaction() code from the Time period rules or sign off approver rule causing this issue?

Hi @TKiran ,

I don’t think commitTransaction() is causing this error, and at the moment I can’t think of any other possible reasons. My suggestion would be to identify the rule or script that is causing the error and, once identified, try initializing the object manually that is leading to this issue. If I find anything specific, I will keep you posted here.
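As an aid to identifying the code path behind the error, the following added example (not part of the thread and not SailPoint code) parses a SyslogEvent like the one in the first post and reports the exception, the lazily loaded collection and the sailpoint call path. The sample event is constructed by trimming the trace above; `triage` and `app_prefix` are names chosen for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the SyslogEvent from this thread, trimmed to a few frames.
SAMPLE = """<SyslogEvent classname="sailpoint.api.CertificationFinisher$CertificationFinisherWorker" eventLevel="ERROR" lineNumber="317" thread="pool-61-thread-1" username="Scheduler">
  <EventMessage>failed to lazily initialize a collection of role: sailpoint.object.Identity.links, could not initialize proxy - no Session</EventMessage>
  <Stacktrace>org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: sailpoint.object.Identity.links, could not initialize proxy - no Session
    at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:387)
    at sailpoint.provisioning.IIQEvaluator.provision(IIQEvaluator.java:297)
    at sailpoint.api.Provisioner.execute(Provisioner.java:1652)
    at sailpoint.api.certification.RemediationManager.flush(RemediationManager.java:511)
    at sailpoint.api.Certificationer.finish(Certificationer.java:4430)
    at java.base/java.lang.Thread.run(Thread.java:834)
</Stacktrace>
</SyslogEvent>"""

# "at [module/]package.Class.method(File.java:123)"
FRAME = re.compile(r"^\s*at\s+(?:[\w.]+/)?([\w.$<>]+)\.([\w$<>]+)\(([^:)]+)(?::(\d+))?\)")
LAZY = re.compile(r"collection of role: ([\w.$]+)")

def triage(event_xml, app_prefix="sailpoint."):
    """Summarise one SyslogEvent: exception, lazy collection, application frames."""
    event = ET.fromstring(event_xml)
    message = event.findtext("EventMessage") or ""
    lines = (event.findtext("Stacktrace") or "").strip().splitlines()
    frames = []
    for line in lines[1:]:
        match = FRAME.match(line)
        if match:
            frames.append((match.group(1), match.group(2), int(match.group(4) or 0)))
    # Frames are listed innermost first; keep only the product's own classes.
    app = [f for f in frames if f[0].startswith(app_prefix)]
    lazy = LAZY.search(message)
    return {
        "exception": lines[0].split(":", 1)[0] if lines else None,
        "lazy_collection": lazy.group(1) if lazy else None,
        "no_session": "no Session" in message,
        "first_app_frame": app[0] if app else None,
        # Outermost caller first, so the path reads in execution order.
        "app_call_path": [f"{cls.rsplit('.', 1)[-1]}.{meth}" for cls, meth, _ in reversed(app)],
        "thread": event.get("thread"),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it over exported SyslogEvent objects from several failed runs shows whether the failing frame and collection are the same each time, which narrows down which rule or workflow step to inspect.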