Web Service Connector Understand Add Entitlement Operation Flow

Hello,

I’m using the Web Service Connector, where I have configured Add operations.
My client API to add entitlements is a little weird.
If I add the entitlement and then remove it on the same day, it won’t allow me to add the same entitlement again on the same day. I need to wait for another day.
So I’m using the PUT method to add or remove an entitlement.
Now when I’m requesting a single entitlement, the entitlement is successfully provisioned.
But when I’m requesting more than 1 entitlement, let’s say 2, the 1st is successfully provisioned but the 2nd isn’t. For the 2nd I’m getting an error that this entitlement was added and then removed, hence we can’t add it back.
It means it was added initially, but the 2nd time it was not in the payload, hence it got removed, and then it tried to add it back again, and then I’m seeing the error.
Example of the API payload:

  1. 1st Entitlement

    "roles": [
      {
        "value": "READ",
        "type": "WI:ROLE_TYP"
      }
    ]

  2. 2nd Entitlement

    "roles": [
      {
        "value": "READ",
        "type": "WI:ROLE_TYP"
      },
      {
        "value": "WRITE",
        "type": "WI:ROLE_TYP"
      }
    ]

I feel that the 2nd time, the READ one is not coming in the payload. In the Before Rule I have added an HTTP request to get the current roles, but I feel it’s not getting updated, and hence when the second Add Entitlement operation triggers, it goes with the current payload and eventually the “READ” entitlement is getting deleted.

If anybody understands my use case, please help me understand the flow and how we can resolve this issue.

So essentially the API endpoint on this application (which app btw?) for setting entitlements cannot support a ‘PATCH’ where you only add / remove what you want, but it will replace entirely the entitlement(s) that were there. This causes the 1st entitlement that was added to be removed on the operation for the 2nd entitlement.

I would indeed use a before operation rule that gets ALL current entitlements and then ‘rebuilds’ the body for the new operation, including the newly added entitlement.

Your operations will look like this:

  1. Operation 1: Add entitlement. This should call the API to GET the current entitlements
    a) ensure you have mapped the result properly, otherwise you cannot use it in the next operation
  2. Operation 2: Get Object, with operation 1 as the parent operation. This operation should have the below rule as the beforeOperation rule

Please see an example rule below, where I do the same:

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import connector.common.JsonUtil;
import connector.common.Util;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// oldResponseMap holds the mapped response of the parent operation (the GET).
log.debug(application.getName() + " Combine Capabilities: oldResponseMap: " + oldResponseMap);

// Body the connector prepared for this operation: only the newly requested value(s).
Map body = requestEndPoint.getBody();
log.debug(application.getName() + " Combine Capabilities: body: " + body);
String jsonBody = (String) body.get("jsonBody");
log.debug(application.getName() + " Combine Capabilities: jsonBody: " + jsonBody);

List capabilities = new ArrayList();
List currentCapabilities = (List) oldResponseMap.get("capabilities");
log.debug(application.getName() + " Combine Capabilities: currentCapabilities: " + currentCapabilities);

// Start with the newly requested capabilities (a JSON array or a single value).
if (jsonBody != null) {
    if (jsonBody.startsWith("[")) {
        List jsonBodyList = JsonUtil.toList(jsonBody);
        log.debug(application.getName() + " Combine Capabilities: jsonBody2: " + jsonBodyList);
        for (Object item : jsonBodyList) {
            capabilities.add(item);
        }
    } else {
        capabilities.add(jsonBody);
    }
}

// Append what the account already has, so the replace does not drop it.
log.debug(application.getName() + " Combine Capabilities: capabilities: " + capabilities);
if (currentCapabilities != null) {
    for (int i = 0; i < currentCapabilities.size(); i++) {
        capabilities.add(currentCapabilities.get(i));
    }
}
log.debug(application.getName() + " Combine Capabilities: capabilities after: " + capabilities);

// Build the replace operation carrying the complete list.
Map authUserMap = new HashMap();
authUserMap.put("op", "replace");
authUserMap.put("path", "/capabilities");
authUserMap.put("value", capabilities);

List authUserList = new ArrayList();
authUserList.add(authUserMap);

// Swap the rebuilt JSON into the request body.
String finalBody = JsonUtil.render(authUserList);
body.put("jsonBody", finalBody);
requestEndPoint.setBody(body);

log.debug(application.getName() + " Combine Capabilities: new body: " + requestEndPoint.getBody());
```
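
An added example, not part of the original replies: the same read-then-replace merge applied to the `roles` payload from the question, in plain Java, covering both add and remove and sending each role only once. The class and method names are hypothetical, and refusing to build a body when the current roles are missing is an assumption about the safe behaviour, since a full-replace PUT built without them would strip existing access.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical helper (not SailPoint code): builds the full "roles" list for a replace-style PUT.
public class RoleBodyBuilder {

    // Identify a role by type and value so the same role is never sent twice.
    static String key(Map<String, String> role) {
        return role.get("type") + "|" + role.get("value");
    }

    // current: roles returned by the GET; toAdd / toRemove: roles from the request.
    static List<Map<String, String>> desiredRoles(List<Map<String, String>> current,
                                                  List<Map<String, String>> toAdd,
                                                  List<Map<String, String>> toRemove) {
        if (current == null) {
            // An unmapped GET response must not be treated as "no roles":
            // the PUT would then replace everything the account already has.
            throw new IllegalStateException("current roles not available; refusing to build PUT body");
        }
        Map<String, Map<String, String>> merged = new LinkedHashMap<>();
        for (Map<String, String> r : current) merged.putIfAbsent(key(r), r);
        for (Map<String, String> r : toAdd) merged.putIfAbsent(key(r), r);
        for (Map<String, String> r : toRemove) merged.remove(key(r));
        return new ArrayList<>(merged.values());
    }

    // Constructed sample role using the type string from the question's payload.
    static Map<String, String> role(String value) {
        Map<String, String> r = new LinkedHashMap<>();
        r.put("value", value);
        r.put("type", "WI:ROLE_TYP");
        return r;
    }

    public static void main(String[] args) {
        // Constructed scenario: READ is already provisioned, WRITE is requested next
        // (READ is repeated in the request to show it is not duplicated).
        List<Map<String, String>> current = List.of(role("READ"));
        List<Map<String, String>> body =
                desiredRoles(current, List.of(role("WRITE"), role("READ")), List.of());
        System.out.println(body);
    }
}
```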

Thank you Edwin for your reply.
But I’m a little confused, please bear with me.
Questions -

  1. You mentioned a Before Provisioning Rule. Is this a different approach to rebuild the body? If yes, then how can we rebuild the body, as it doesn’t have any access to your payload or operations?

  2. You mentioned two operations - 1 and 2
    a) Is this a totally different approach than the Before Provisioning Rule?
    b) If I’m not wrong, you are first trying to get all the entitlements from the child API and then pass the information into the parent endpoint? So can you confirm whether all the access requests are running in parallel or serially? If it is working serially then that’s fine, but what if it is working in parallel? Then we can’t see updated data in the next operations.

We don’t have a PATCH API.

My bad, I meant before operation rule not before provisioning rule (edited my original reply as such).

The operations are indeed parent (operation 1) and child (operation 2), where the parent retrieves the current entitlements and operation 2 sets the entitlements (current + new).

I hope this makes it more clear.

You can set up the source to either process 1 entitlement per operation or combine them together. On your source I guess you can combine them together?

I’m not sure whether we can combine them together or not.
If you request multiple entitlements at once, then it goes one by one.
I’m not sure whether we can combine them together.
The only way I know to combine them is to create a Role or Access Profile and then request it.

When I say ‘combine’ I mean, does the endpoint support you putting several entitlements / groups in one API call. I presume it does, since your example body shows that it is an array of values.

You can use this attribute to set this on or off:

"addRemoveEntInSingleReq": true

This attribute needs to be under your connectorAttributes on the source.
