Unable to set attribute value in Before Provisioning rule

sahoos9 · June 12, 2023, 8:45am

Hello, I am having issue in my application’ s before provisioning rule. I want to set the Attribute “Active” which is a boolean ptoperty to be set as False, when a user account have a particular entitlement. The issue here is the provisioning plan is not able to set attribute Active as False

I am getting error 'openconnector.ConnectorException: Can not prepare SCIM Resource, inputStream is null.’

In the rule I am checking if an account is requesting a particular entitlement, then I am setting the Account Active status as False. Below is how my code looks like

*if(plan!=null)*

*List accReqList = plan.getAccountRequests(application.getName());*
*if(accReqList != null && !accReqList.isEmpty()){*
*for(AccountRequest accReq : accReqList){*

*if( null != accReq.getOp() && ProvisioningPlan.AccountRequest.Operation.Create == accReq.getOperation())*
*{*
*AttributeRequests=accReq.getAttributeRequests();*
*if(Util.size(AttributeRequests) > 0 ){*
*for(AttributeRequest attrReq: AttributeRequests){*
*attrName=attrReq.getName();*
*if("groups".equalsIgnoreCase(attrName) && "Add".equalsIgnoreCase(attrReq.getOp().toString())){*

*groupName = attrReq.getValue();*
*if(groupName != null){*
*if(groupName instanceof List){*
*newGroups = (List) groupName;*
*}*
*if(groupName instanceof String){*
*newGroups.add((String)groupName);*
*}*
*}*

*isDisableGroup=checkIfDisableGroup(newGroups);*

*if(isDisableGroup){*

*newAttList.add(attrReq);*
*newAttList.add(new AttributeRequest("active", ProvisioningPlan.Operation.Set, inactive));*
*}}*
*else if(!("active".equalsIgnoreCase(attrName))){*
*newAttList.add(attrReq);*
*}*
*accReq.setAttributeRequests(newAttList);*
*}*

*}*
*}*

*}*

*plan.setAccountRequests(accReqList);*

*}*

While trying to debug , i am getting After provisiong plan as below.


<ProvisioningPlan nativeIdentity="00410231" targetIntegration="XXXApp" trackingId="xxxxxxxxxxx"><AccountRequest application="XXXApp" assignmentIds="TEMP:e60bc931e966452da21bf94f484fd3b4" op="Create">*
*<AttributeRequest name="groups" op="Add" value="181"/>*
*<AttributeRequest name="active" op="Set">*
*<Value>*
*<Boolean></Boolean>*
*</Value>*
*</AttributeRequest>*
*<AttributeRequest name="userName" op="Set" value="[email protected]"/>*
*<AttributeRequest name="emails.work.primary.value" op="Set" value="[email protected]"/>*
*<AttributeRequest name="name.givenName" op="Set" value="Ziser"/>*
*<AttributeRequest name="name.familyName" op="Set" value="Zetybu"/>*
*<AttributeRequest name="locale" op="Set" value="en-AU"/>*
*<AttributeRequest name="timeZone" op="Set" value="AUS Eastern Standard Time"/>*
*<AttributeRequest name="addresses.work.country" op="Set" value="GBR"/>*
*<AttributeRequest name="externalId" op="Set" value="04545664"/>*
*</AccountRequest>*
*<Attributes>*
*<Map>*
*<entry key="identityRequestId" value="0000352897"/>*
*<entry key="requester" value="spadmin"/>*
*<entry key="source" value="Batch"/>*
*</Map>*
*</Attributes>*
*<Requesters>*
*<Reference class="sailpoint.object.Identity" id="xxxxxxxxxxxxxx" name="spadmin"/>*
*</Requesters>*
*</ProvisioningPlan>*

But if I try to print the attribute name, attribute value and operation, I can see the active attribute is set as False.

QuartzScheduler_Worker-1 sailpoint.server.InternalContext:166 - Attr Name: active
QuartzScheduler_Worker-1 sailpoint.server.InternalContext:166 - Operation: Set
QuartzScheduler_Worker-1 sailpoint.server.InternalContext:166 - Attr Value: false

Please help me how to update the attribute as False

brian_weigel · June 12, 2023, 4:11pm

A couple things to try:

Instead of setting your boolean attribute request as a true boolean, try setting to a string instead
Make sure your account schema has the active attribute type specified correctly
I’m not sure if this will actually capture the raw HTTP requests/responses for that connector, but it’s worth a shot:

logger.orgapachehttp.name=org.apache.http
logger.orgapachehttp.level=trace

logger.httpwire.name=org.apache.http.wire
logger.httpwire.level=trace

logger.httpclientwire.name=httpclient.wire
logger.httpclientwire.level=trace

Jarin_James · June 29, 2023, 7:09pm

Hi @sahoos9
As Brian mentioned make sure to verify the account schema has the attribute ‘Active’ specified correctly. If this attribute account status attribute, instead of changing the attribute to false change the account operation to Disable. This will make sure account is disabled and active value is false. If you are using SCIM2 connector enable the following logger to see the json body.

logger.SCIM2Connector.name=openconnector.connector.scim2.SCIM2Connector
logger.SCIM2Connector.level=debug

system · August 28, 2023, 7:10pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multi-Valued attribute in provisioning plan - not working ISC Discussion and Questions webservice-connector , rules , identity-security-cloud , provisioning	13	368	March 17, 2024
Passing provisioning plan into web services beforeOperationRule ISC Discussion and Questions webservice-connector , identity-security-cloud , provisioning	2	340	October 30, 2023
Pass Non-Provisioned Attributes from Before Provision rule to Connector Rules Community Blog webservice-connector , rules , identity-security-cloud , identityiq , provisioning	2	939	November 14, 2023
How to clear boolean attribute during provisioning for Active Directory ISC Discussion and Questions identity-security-cloud , provisioning	10	255	March 24, 2024
Blank Attribute in Provisioning Policy ISC Discussion and Questions identity-security-cloud , provisioning	3	226	December 31, 2023

Unable to set attribute value in Before Provisioning rule

Related Topics