Web Service SaaS connector - Add Entitlement Operation

Hi Everyone,

I have a requirement where I need to pass 3–4 entitlements across different attributes, and 2 entitlements of the same attribute.

Right now I am passing 3–4 entitlements across different attributes

I’m currently using the following request body in the Add Entitlement operation:

{
  "ID": "$getobject.nativeIdentity$",      
  "Role": "$plan.role$",
  "Treasurer": "$plan.treasurer$",
  "FullAdministrator": "$plan.fullAdministrator$"
}

While the Role attribute is being mapped successfully, both Treasurer and FullAdministrator are not mapping correctly. Interestingly, if I replace $plan.treasurer$ with a static value like 1, it works as expected — the value is passed successfully.

To troubleshoot, we have:

• Defined these attributes (Treasurer, FullAdministrator) as entitlements in the Account Schema
• Aggregated them
• Configured them in the Access Profile

Despite this, they are still not being passed. I also attempted using $getobject.treasurer$, but it didn’t resolve the issue.

Provisioning events are triggered for each attribute under Add Entitlement, but the attributes themselves are not appearing in the final payload. Please find the event logs screenshot below for reference.

{5986A9E9-6A81-4606-8C50-77960921BC16}1786×718 50 KB

and what should be the request body while passing 2 entitlements of the same attribute.

Looking forward to your guidance on this.

Are entitlements added as separate group objects in the Entitlement Schema?

If there are multiple group objects, each should be created individually within the Entitlement Schema. These group objects then should be marked as entitlements in the Account Schema. When different types of groups are assigned to a user, SailPoint looks for the following operations:

Add Entitlement Role
Add Entitlement FullAdministrator
Add Entitlement Treasurer

For each operation, try to structure the payload as below and see if it works:
Add Entitlement Role

{
  "ID": "$getobject.nativeIdentity$",      
  "Role": "$plan.role$",
  "Treasurer": "",
  "FullAdministrator": ""
}

Add Entitlement FullAdministrator

{
  "ID": "$getobject.nativeIdentity$",      
  "Role": "",
  "Treasurer": "",
  "FullAdministrator": "$plan.fullAdministrator$"
}

Add Entitlement Treasurer

{
  "ID": "$getobject.nativeIdentity$",      
  "Role": "",
  "Treasurer": "$plan.treasurer$",
  "FullAdministrator": ""
}

Documentation Reference: Multiple Group Objects

Hi @rpriya

I have created group object for Treasurer,

{
“nativeObjectType”: “Treasurer”,
“identityAttribute”: “Treasurer”,
“displayAttribute”: “Treasurer”,
“hierarchyAttribute”: null,
“includePermissions”: false,
“features”: ,
“configuration”: {},
“attributes”: [
{
“name”: “Treasurer”,
“type”: “INT”,
“schema”: null,
“description”: “Treasurer”,
“isMulti”: false,
“isEntitlement”: false,
“isGroup”: false
}
],
“id”: “e140ad6276dd4f90801e42141ba89e55”,
“name”: “Treasurer”
}

now source schema is

{
“name”: “treasurer”,
“type”: “STRING”,
“schema”: {
“type”: “CONNECTOR_SCHEMA”,
“id”: “e140ad6276dd4f90801e42141ba89e55”,
“name”: “Treasurer”
},
“description”: “Treasurer”,
“isMulti”: false,
“isEntitlement”: true,
“isGroup”: true
}

i have created Add Entitlement-Treasurer operation

{3F4AABDA-49C8-4164-8CDE-6AB69458D874}1303×710 20.2 KB

Body :

{
“ID”: “$getobject.nativeIdentity$”,

“Treasurer”: “$plan.treasurer$”,
“Role”: “”
}

for Role

{5534CA39-6BBE-400A-AF75-FAF00D288948}1293×741 19.5 KB

Body :

{
“ID”: “$getobject.nativeIdentity$”,
“Role”: “$plan.role$”,
“Treasurer”: “”
}

still only Role is getting passed, Treasurer is not getting passed.

could you please help to figure out.

After setting up the individual group objects, please ensure that you have aggregated them separately by selecting each entitlement type under the ‘Entitlement Aggregation’ section. This will also need separate operations of type Group Aggregation Treasurer etc.

Additionally, try re-adding those entitlements to the corresponding access profile

Hi @rpriya

I don’t have Endpoint URL for Treasurer and Role aggregation

Treasurer is attribute but i want to pass it as entitlement because its value is based on title of identity so that we have created access profile for each title and added this as entitlement.

Hi @rpriya

i am having one doubt id attribute type is integer and once entitlement will get create it will make it as string, so how we can convert our string value entitlement to integer.

Is the id attribute for entitlement or account? Please share some more details

I have created three Object to pass as Entitlement, but while provisioning via RBAC I am passing three entitlements at a time but only one entitlement is getting assigned once identity process done for the identity, again I process identity then next entitlement assigned , it means at a time only one is getting assigned , so i want to know which thing should i need to change in configuration to achieve the requirement (It should get assign at a single identity process)

Can you check using the search query @accountRequests(accountId:"xxxx") to see if there are separate AttributeRequest entries for each entitlement?
Probably, the multiple entitlements within a role are grouped together in a single AttributeRequest using a list structure, like

<AttributeRequest name=<ent attr name> op="Add">
      <Value>
        <List>
          <String>ent name1/String>
          <String>ent name2</String>
        </List>
      </Value>
    </AttributeRequest>

However, if each entitlement is added as a separate AttributeRequest , like,
<AttributeRequest name=<ent attr name> op="Add" value="ent name1"/> <AttributeRequest name=<ent attr name> op="Add" value="ent name2"/>
Then the “Add Entitlement” operation would be triggered multiple times—once for each entitlement—ensuring that all entitlements in the role are added individually within a single request

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.