Web Services Reference Attributes in Provisioning Plan added by Before Provisioning Rule

Hey everyone,

I am working on a Web Services connector for Cohesity and I am having some trouble referencing some attributes in the Provisioning Plan. So I was wondering if anybody knew the correct way to reference them.

I am working on an Add Entitlement operation. For the Cohesity API, to add/remove access, a PUT call needs to be made to update the role (entitlement) memberships for a user’s account. So for this call to be made, we need all of the non-entitlement account attributes to be sent in the body along with the roles the account should have.

I used the Before Provisioning rule triggered on an Entitlement Update Trigger for anytime something is being added to add the account attributes to the provisioning plan using the AddArgumentIfNotNull event actions. The attributes are firstName, lastName, emailAddress, and username. The ccg log dumps the Provisioning Plan for the failed request and I can see these attributes being populated correctly:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="Zach Test10">
  <AccountRequest application="Cohesity [source]" nativeIdentity="REMOVED FOR FORUM POST" op="Modify">
    <Attributes>
      <Map>
        <entry key="emailAddress" value="[email protected]"/>
        <entry key="firstName" value="Zach"/>
        <entry key="lastName" value="Test10"/>
        <entry key="username" value="[email protected]"/>
      </Map>
    </Attributes>
    <AttributeRequest name="roles" op="Add" value="COHESITY_USER"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="accessRequestType" value="GRANT_ACCESS"/>
      <entry key="identityRequestId" value="REMOVED FOR FORUM POST"/>
      <entry key="requester" value="REMOVED FOR FORUM POST"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
</ProvisioningPlan>

So the attributes seem to be passed to the Provisioning Plan correctly, but when I try to reference them in the body of the Add Entitlement operation, they are not getting populated. Here is the ccg error indicating such:

{
    "stack": "ccg",
    "pod": "cook",
    "connector-logging": "148",
    "Operation": "Modify",
    "clusterId": "REMOVED FOR FORUM POST",
    "buildNumber": "REMOVED FOR FORUM POST",
    "apiUsername": "REMOVED FOR FORUM POST",
    "orgType": "",
    "file": "AbstractHttpRequestBuilder.java",
    "encryption": "REMOVED FOR FORUM POST",
    "messageType": "provision",
    "connector-bundle-identityiq": "REMOVED FOR FORUM POST",
    "line_number": 339,
    "@version": 1,
    "CB_version": "REMOVED FOR FORUM POST",
    "logger_name": "sailpoint.connector.webservices.v2.AbstractHttpRequestBuilder",
    "mantis-client": "REMOVED FOR FORUM POST",
    "class": "sailpoint.connector.webservices.v2.AbstractHttpRequestBuilder",
    "ParentOperation": "ProvisioningOperation",
    "clientId": "REMOVED FOR FORUM POST",
    "request_milliseconds": "470",
    "source_host": "REMOVED FOR FORUM POST",
    "method": "prepareRawBody",
    "org": "vsp-sb",
    "level": "DEBUG",
    "IdentityIQ": "8.0 Build 8c8b048e0b1-20230412-073948",
    "message": "Value for placeholder ''attributes.firstName'' is empty. Skipping...",
    "pipeline": "REMOVED FOR FORUM POST",
    "@timestamp": "2023-06-13T15:18:29.149Z",
    "NativeIdentity": "REMOVED FOR FORUM POST",
    "thread_name": "pool-5-thread-59",
    "metrics": "REMOVED FOR FORUM POST",
    "region": "us-east-1",
    "AppType": "Web Services",
    "Application": "Cohesity [source]",
    "request_id": "REMOVED FOR FORUM POST",
    "CB_Type": "connector-bundle-webservices",
    "queue": "cook-vsp-sb-cluster-1219",
    "SCIM Common": "REMOVED FOR FORUM POST"
}

As you can see from the message above, I was trying to use $attributes.firstName$ to reference the firstName value in the Provisioning Plan. I have also tried $plan.firstName$ and $plan.attributes.firstName$, and none are receiving the values.

Does anybody know the correct way to reference these attributes from the Provisioning Plan that were added by the Before Provisioning Rule?

Thank you in advance for taking a look at this!

The provisioner is filtering out those AttributeRequests before they hit the connector because the account already has matching values for those attributes in IDN. It may not be possible to use a BeforeProvisioning rule to achieve your desired outcome here. What you should probably be using is a Web Services Before Operation rule to modify the body of the HTTP request to include those additional attributes in your JSON body since the endpoint requires them.

Okay, thanks Patrick!

Do you happen to have an example of a Before Operation rule to add account attributes to the request body handy? If not, it’s fine, I don’t have much experience writing Before Operation rules but I am very eager to learn!

I am not familiar with the Cohesity API, and hence am wondering if there is a PATCH option to use instead of PUT. If not, a workaround I can think of is sending a GET request to the Cohesity API inside the BeforeOperation Rule and getting all user details directly there. Once you have the details, you can create/update the request body to update the details using the changes received from the IDN provisioner.
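
The merge step that the replies above describe, as an added example that is not part of the original thread and is not SailPoint or Cohesity code: plain Java (JDK only) that builds a full-replacement PUT body from the account record read back from the target plus the plan's `roles` request. It goes beyond the thread's Add case by also handling Remove and Set. Assumptions: the body keys mirror the source attribute names shown in the plan dump, the class and method names are hypothetical, the sample record (including `COHESITY_VIEWER`) is constructed, and fetching the record and serializing the map to JSON are left to the rule.

```java
import java.util.*;

// Added illustration (plain JDK): the merge a Before Operation rule needs before a
// full-replacement PUT. Body keys mirror the source attribute names on this page;
// the real Cohesity field names are an assumption.
public class FullPutBodyBuilder {
    static final List<String> REQUIRED =
            Arrays.asList("username", "firstName", "lastName", "emailAddress");

    // current: account as read back from the target; op/values: the plan's "roles" AttributeRequest
    static Map<String, Object> build(Map<String, Object> current, String op, List<String> values) {
        Map<String, Object> body = new LinkedHashMap<>();
        for (String key : REQUIRED) {
            Object v = current.get(key);
            // Fail closed: a PUT replaces the whole record, so a blank would overwrite good data.
            if (v == null || v.toString().trim().isEmpty()) {
                throw new IllegalStateException("Refusing PUT: missing " + key);
            }
            body.put(key, v);
        }
        // Start from the roles the account already holds so an Add never drops existing access.
        Set<String> roles = new LinkedHashSet<>();
        Object existing = current.get("roles");
        if (existing instanceof Collection) {
            for (Object r : (Collection<?>) existing) roles.add(String.valueOf(r));
        }
        switch (op) {
            case "Add":    roles.addAll(values); break;
            case "Remove": roles.removeAll(values); break;
            case "Set":    roles.clear(); roles.addAll(values); break;
            default: throw new IllegalArgumentException("Unsupported op: " + op);
        }
        body.put("roles", new ArrayList<>(roles));
        return body;
    }

    public static void main(String[] args) {
        // Constructed sample record, not real Cohesity output.
        Map<String, Object> current = new HashMap<>();
        current.put("username", "ztest10@example.com");
        current.put("firstName", "Zach");
        current.put("lastName", "Test10");
        current.put("emailAddress", "ztest10@example.com");
        current.put("roles", Arrays.asList("COHESITY_VIEWER"));
        System.out.println(build(current, "Add", Arrays.asList("COHESITY_USER")));
        current.remove("firstName");
        try { build(current, "Add", Arrays.asList("COHESITY_USER")); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

The fail-closed check covers the situation in the ccg log above, where an empty placeholder was skipped: the request is rejected before it can be sent with a missing attribute.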
