Web Services Create Account Operation with Entitlements

Hey everyone,

My main question is how do I include the requested entitlements in a Create Account operation for a Web Services connector?

We are working on implementing a Web Services connector for Cohesity Helios and we are running into an issue with the Create Account operation. The Helios API for creating users/accounts requires that an account is created with at least one role (entitlement, called role in Helios), or else the API will reject the account creation.

So for the body of the Create Account operation, I used this:

{
  "username": "$plan.username$",
  "firstName": "$plan.firstName$",
  "lastName": "$plan.lastName$",
  "emailAddress": "$plan.emailAddress$",
  "roles": [
    "$plan.roles$"
  ]
}

If I instead hard code $plan.roles$ to an entitlement value, such as “COHESITY_VIEWER”, the account creates successfully so all of the other attributes are being populated correctly.

In looking at the ccg logs, I can see this for the provisioning plan that was constructed:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="REMOVED_FOR_FORUM_POSTING">
  <AccountRequest application="Cohesity [source]" op="Create">
    <AttributeRequest name="roles" op="Add" value="COHESITY_VIEWER"/>
    <AttributeRequest name="username" op="Add" value="REMOVED_FOR_FORUM_POSTING"/>
    <AttributeRequest name="emailAddress" op="Add" value="REMOVED_FOR_FORUM_POSTING"/>
    <AttributeRequest name="firstName" op="Add" value="REMOVED_FOR_FORUM_POSTING"/>
    <AttributeRequest name="lastName" op="Add" value="REMOVED_FOR_FORUM_POSTING"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="accessRequestType" value="GRANT_ACCESS"/>
      <entry key="identityRequestId" value="REMOVED_FOR_FORUM_POSTING"/>
      <entry key="requester" value="REMOVED_FOR_FORUM_POSTING"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
</ProvisioningPlan>

The above XML seems to indicate that the ‘roles’ attribute is being populated with the requested entitlement.

However, later in the ccg logs I can see this message (referring to the ‘message’ line):

{
    "stack": "ccg",
    "pod": "cook",
    "connector-logging": "148",
    "Operation": "Create",
    "clusterId": "REMOVED_FOR_FORUM_POSTING",
    "buildNumber": "REMOVED_FOR_FORUM_POSTING",
    "apiUsername": "REMOVED_FOR_FORUM_POSTING",
    "orgType": "",
    "file": "AbstractHttpRequestBuilder.java",
    "encryption": "REMOVED_FOR_FORUM_POSTING",
    "messageType": "provision",
    "connector-bundle-identityiq": "REMOVED_FOR_FORUM_POSTING",
    "line_number": 339,
    "@version": 1,
    "CB_version": "REMOVED_FOR_FORUM_POSTING",
    "logger_name": "sailpoint.connector.webservices.v2.AbstractHttpRequestBuilder",
    "mantis-client": "REMOVED_FOR_FORUM_POSTING",
    "class": "sailpoint.connector.webservices.v2.AbstractHttpRequestBuilder",
    "ParentOperation": "ProvisioningOperation",
    "clientId": "REMOVED_FOR_FORUM_POSTING",
    "request_milliseconds": "1058",
    "source_host": "REMOVED_FOR_FORUM_POSTING",
    "method": "prepareRawBody",
    "org": "REMOVED_FOR_FORUM_POSTING",
    "level": "DEBUG",
    "IdentityIQ": "REMOVED_FOR_FORUM_POSTING",
    "message": "Value for placeholder ''plan.roles'' is empty. Skipping...",
    "pipeline": "1266",
    "@timestamp": "2023-05-25T16:48:55.638Z",
    "NativeIdentity": "REMOVED_FOR_FORUM_POSTING",
    "thread_name": "REMOVED_FOR_FORUM_POSTING",
    "metrics": "REMOVED_FOR_FORUM_POSTING",
    "region": "REMOVED_FOR_FORUM_POSTING",
    "AppType": "Web Services",
    "Application": "Cohesity [source]",
    "request_id": "REMOVED_FOR_FORUM_POSTING",
    "CB_Type": "connector-bundle-webservices",
    "queue": "REMOVED_FOR_FORUM_POSTING",
    "SCIM Common": "REMOVED_FOR_FORUM_POSTING"
}

The above log indicates that the plan.roles variable is empty, and in the next part of the logging it is removed from the body:

{
    "stack": "ccg",
    "pod": "cook",
    "connector-logging": "148",
    "Operation": "Create",
    "clusterId": "REMOVED_FOR_FORUM_POSTING",
    "buildNumber": "REMOVED_FOR_FORUM_POSTING",
    "apiUsername": "REMOVED_FOR_FORUM_POSTING",
    "orgType": "",
    "file": "JsonRequestBuilder.java",
    "encryption": "REMOVED_FOR_FORUM_POSTING",
    "messageType": "provision",
    "connector-bundle-identityiq": "REMOVED_FOR_FORUM_POSTING",
    "line_number": 122,
    "@version": 1,
    "CB_version": "REMOVED_FOR_FORUM_POSTING",
    "logger_name": "sailpoint.connector.webservices.v2.JsonRequestBuilder",
    "mantis-client": "REMOVED_FOR_FORUM_POSTING",
    "class": "sailpoint.connector.webservices.v2.JsonRequestBuilder",
    "ParentOperation": "ProvisioningOperation",
    "clientId": "REMOVED_FOR_FORUM_POSTING",
    "request_milliseconds": "1059",
    "source_host": "REMOVED_FOR_FORUM_POSTING",
    "method": "removePlaceholdersFromJson",
    "org": "REMOVED_FOR_FORUM_POSTING",
    "level": "DEBUG",
    "IdentityIQ": "REMOVED_FOR_FORUM_POSTING",
    "message": "Removing internal json: $plan.roles$ from request body for placeholder key: $plan.roles$",
    "pipeline": "REMOVED_FOR_FORUM_POSTING",
    "@timestamp": "2023-05-25T16:48:55.638Z",
    "NativeIdentity": "REMOVED_FOR_FORUM_POSTING",
    "thread_name": "REMOVED_FOR_FORUM_POSTING",
    "metrics": "REMOVED_FOR_FORUM_POSTING",
    "region": "REMOVED_FOR_FORUM_POSTING",
    "AppType": "Web Services",
    "Application": "Cohesity [source]",
    "request_id": "REMOVED_FOR_FORUM_POSTING",
    "CB_Type": "connector-bundle-webservices",
    "queue": "REMOVED_FOR_FORUM_POSTING",
    "SCIM Common": "REMOVED_FOR_FORUM_POSTING"
}

Does anybody have any thoughts on why the plan.roles variable does not seem to be getting populated correctly or how I should be referencing the entitlements to be provisioned in the Create Account operation?

I’m afraid you have to write a Before Operation Rule in which you add the roles to the JSON manually.

Besides: Is there any documentation which attributes are supported by variables like $plan.X$ or $application.Y$?

Did you manage to figure this out? Same issue here with another Web Service.

Do you have the createAccountWithEntReq connector attribute enabled?
It can be set from the Additional Settings section in the source’s configuration page in the UI:

I have yet to find a solution for this. I did discover that checking the box for createAccountWithEntReq should allow for this functionality. I did not previously have this checked, but I still can’t figure out how to correctly reference the entitlements in the Create Account body with this checked.

Web Services Documentation and ‘createAccountWithEntReq’:
https://community.sailpoint.com/t5/IdentityNow-Connectors/Web-Services-Source-Configuration-Reference-Guide/ta-p/78511?_ga=2.215463583.9072797.1685457148-174873549.1684948098&_gl=1*x4k2iq*_ga*MTc0ODczNTQ5LjE2ODQ5NDgwOTg.*_ga_SS72Z4HXJM*MTY4NTQ1NzE0OC4zNy4xLjE2ODU0NTgyMzMuNC4wLjA.#accountRequest

Thanks Nathan, I just submitted my previous post about this before I saw yours was posted.

I did notice that feature and have now enabled it, but how should I structure the Create Account body to leverage this?

The body you originally posted looks correct, assuming roles is still the exact name of the attribute in the account schema and it’s marked as multi-valued and entitlement.
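The placeholder behaviour the ccg logs above describe, together with the effect of the createAccountWithEntReq switch, modelled as an added Python example. This is not SailPoint's or Cohesity's code: the plan values, the schema hints (which attribute is an entitlement and multi-valued), and the simplification that entitlement attributes are held back from the Create Account body when the flag is off are all assumptions made for illustration, and the log strings only imitate the ones in the thread.

```python
"""Toy model of how a $plan.X$ body template is filled from a provisioning plan.

Added illustration only; not SailPoint's connector code. All inputs below are
constructed for the example.
"""
import json
import re

# A placeholder is a whole string value of the form $plan.<attribute>$
PLACEHOLDER = re.compile(r"^\$plan\.([A-Za-z0-9_]+)\$$")

# Constructed plan mirroring the AccountRequest in the thread. Each attribute
# maps to a list because a plan may carry several Add requests for one attribute.
SAMPLE_PLAN = {
    "username": ["jdoe"],
    "firstName": ["Jane"],
    "lastName": ["Doe"],
    "emailAddress": ["jdoe@example.com"],
    "roles": ["COHESITY_VIEWER"],
}

# Constructed schema hints (assumed): 'roles' is an entitlement and multi-valued.
ENTITLEMENT_ATTRS = {"roles"}
MULTI_VALUED_ATTRS = {"roles"}

# The Create Account body template exactly as posted in the question.
BODY_TEMPLATE = {
    "username": "$plan.username$",
    "firstName": "$plan.firstName$",
    "lastName": "$plan.lastName$",
    "emailAddress": "$plan.emailAddress$",
    "roles": ["$plan.roles$"],
}


def effective_plan(plan, create_with_ent_req):
    """Assumed behaviour: with createAccountWithEntReq off, entitlement attributes
    are kept for a separate Add Entitlement call and are invisible to the Create
    body, which is why the placeholder then resolves to nothing."""
    if create_with_ent_req:
        return dict(plan)
    return {k: v for k, v in plan.items() if k not in ENTITLEMENT_ATTRS}


def render(node, plan, log):
    """Recursively substitute placeholders. An empty value is logged and the
    placeholder dropped, imitating the 'Value for placeholder ... is empty' and
    'Removing internal json' messages seen in the thread."""
    if isinstance(node, str):
        match = PLACEHOLDER.match(node)
        if not match:
            return node
        name = match.group(1)
        values = plan.get(name) or []
        if not values:
            log.append(f"Value for placeholder 'plan.{name}' is empty. Skipping...")
            log.append(f"Removing internal json: {node} from request body")
            return None  # the enclosing container discards it
        if name in MULTI_VALUED_ATTRS:
            return list(values)  # every Add request for the attribute
        return values[0]
    if isinstance(node, list):
        out = []
        for item in node:
            rendered = render(item, plan, log)
            if rendered is None:
                continue
            if isinstance(rendered, list):
                out.extend(rendered)  # ["$plan.roles$"] -> ["A", "B"], not [["A", "B"]]
            else:
                out.append(rendered)
        return out
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            rendered = render(value, plan, log)
            if rendered is None:
                continue  # scalar placeholder with no value: drop the key
            out[key] = rendered
        return out
    return node


def build_request_body(template, plan, create_with_ent_req):
    """Return the JSON body that would be sent, plus the imitation log lines."""
    log = []
    body = render(template, effective_plan(plan, create_with_ent_req), log)
    return body, log


def passes_role_precondition(body):
    """The Helios API (per the thread) rejects a create with no role at all."""
    return bool(body.get("roles"))


if __name__ == "__main__":
    for flag in (False, True):
        body, log = build_request_body(BODY_TEMPLATE, SAMPLE_PLAN, flag)
        print(f"createAccountWithEntReq={flag}")
        print(json.dumps(body, indent=2))
        print("\n".join(log) or "(no placeholders dropped)")
        print("accepted by API:", passes_role_precondition(body), "\n")
```

Running it with the flag off reproduces the failure mode from the question (the roles placeholder is skipped and the body goes out with an empty roles array, which the API rejects); with the flag on, the same template yields a body carrying COHESITY_VIEWER, matching the outcome reported later in the thread.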

Okay I got it to work using $plan.roles$ after modifying the body a bit after checking that box.

Now I am running into an issue with the Add Entitlements operation because the API required a PUT operation to update accounts. I think I need to write a BeforeOperation rule to account for this, but that is outside the scope of this thread.

Thanks Nathan for calling out that option, very much appreciated!

