Hi @PValarezo ,
Thank you for your reply. Indeed, using $plan.group$ made the group value show up now, but there’s still an issue: it’s adding special encoded characters, as follows:
Seems to me like the issue is now with the body of the request. Are you passing the native identity in the body? I think the key for the native identity is memberKey, as shown in the error message, which is coming as blank.
It could be because you are using $plan.nativeIdentity in the body during the create account operation, but the native identity will not be available yet. Or, I have also seen that the account id attribute here, as in your case, is primaryEmail, so if you use $plan.PrimaryEmail in create account then it will also not be populated. So I suggest you add one more attribute in the create provisioning policy which should contain the same value as the primaryEmail attribute, and then use that variable.
If that also does not help then try perhaps sharing the body here so we can assist you further.
Also, how is the setup for you? Do you need to pass the entitlements during the create account operation?
If it is not mandatory to pass the entitlements during the create operation then you should remove the check box “Create Account with Ent Request” and configure another operation for add entitlements. There you can use the $plan.nativeIdentity keyword as the account is available for ISC now.
The encoded values are the brackets and quotes that ISC is wrapping around your variable. It automatically assumes that since your “group” attribute is multivalued, that it needs to be in an array. Since you want to only add a single entitlement at a time, edit your source in VSCode - in the “connectorAttributes” section - add the flag:
"addRemoveEntInSingleReq": false
To give you a bit of context, we’re trying to add a user from Google Workspace “Domain A” to a Google Workspace group in “Domain B”. The destination group is configured to accept external users membership. We don’t want users to be created on the “Domain B” Google Workspace tenant, that’s why I’m sending a group membership request on the Account Creation operation.
The error message says that you are missing the field “memberKey” in the request body. Can you please try to run this API locally from Postman and see if that works?
Can you please try to name the attribute “primaryEmail” with some other value in the create account policy, something like “userEmail”, and then try to update the body like:
{
"email":"$plan.userEmail$",
"role":"MEMBER"
}
Please give this a try. Also, you may want to enable the ccg logs for the web service connector if this still does not work, and then you can see the complete payload being passed by ISC.
Plus a small note: since after creating the identity you are able to generate an id in the response of the create API, I would suggest not using primaryEmail as the accountID attribute; once the user is created, read the id generated in the response mapping and use that as the account id attribute.
Btw, are there any additional headers you are adding in Postman which are missing?
Please try the above suggestion and let me know if that helps. If any questions, please let me know.
Can you try with a boolean, not a string? Remove the quotes around “false”. Also, there’s a chance that this could just remove the brackets, but keep the quotes intact. Can you validate whether that is happening?
When a user requests this Access Profile, IDN generates a provisioning plan containing the requested entitlements.
The $plan.roles$ variable aggregates the requested roles. Since roles is single-valued, IDN combines the entitlements into a single string, typically comma-separated, based on the connector’s configuration or API expectations.