Webservice connector Add Entitlement issue

Which IIQ version are you inquiring about?

8.2p3

Share all details about your problem, including any error messages you may have received.

I am working on a Web Services connector; the application has only one web service function, Provisioning.
For create, I am calling this and it is working fine.
When adding a new role (entitlement), it's calling Add Entitlement, but it's giving a null pointer exception (this is the same web service call as Create Account, with POST, and requires all attribute values the same as provisioning).
Once it fails, it's calling the modify operation and updating the new role.

If I remove the Add Entitlement operation, it's throwing an error but again calling the modify operation.

How do I solve this? Why is it calling the modify operation after Add Entitlement?

Thanks.

Hi @poornarao,

Welcome to the Developer Forum.

One reason I could think of is that your Provisioning Plan might include an attribute which is not marked as entitlement.

For example,

I want to update the role and department of a user. I am passing both of these values in the plan. Under the account schema, only the role is marked as an entitlement. In such a case, during provisioning, an Add Entitlement call would be made to update the role of the user, while an Update Account call would be made to update the department of the user.

Please check if that’s the case.

Thanks, Sinojia.

In my case, the same web service endpoint needs to be called for create, update, and add role (entitlement) or remove role operations, with the same payload.
How can I resolve this so that it does not call Add Entitlement and then call update again?

Poorna,

I don’t think I could solve your issue just through a chat like this, but after developing about 10 interfaces using the Web Services connector, I would say I have seen it all. The Web Services connector is really just a framework, and in order to work with it you need to understand the framework. In my experience, adding before and after rules, where I study the variables being passed around, is the first step to understanding what this connector does. There’s also a wealth of information available by increasing the log levels on the framework components.

To really diagnose your issue, you will need to know what the connector is attempting to do, and then understand how that is different from what you want it to do. Studying the plan in the Before provisioning Rule is helpful, also study the requestEndPoint in the Entitlement Before Operation rule as well as the passed in provisioningPlan.
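One way to do that inspection, as an added example that is not part of the original thread: a BeanShell body for a Before Provisioning rule that logs each account request and whether each requested attribute is marked as an entitlement in the account schema. It assumes the standard rule variables `plan`, `application` and `log`, and it logs attribute names and operations only, not values, so passwords or other secrets carried in the plan do not end up in the log.

```java
// Added diagnostic sketch: body of a Before Provisioning rule (BeanShell).
// Assumption: IdentityIQ injects `plan` (ProvisioningPlan), `application`
// (Application) and `log` into the rule context.
import java.util.List;
import sailpoint.object.AttributeDefinition;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Schema;

Schema schema = application.getAccountSchema();
List accountRequests = plan.getAccountRequests();

if (accountRequests != null) {
    for (AccountRequest acctReq : accountRequests) {
        // Operation (Create, Modify, ...) tells you which connector
        // operation family the plan will be routed to.
        log.debug("AccountRequest op=" + acctReq.getOperation()
                + " app=" + acctReq.getApplication()
                + " nativeIdentity=" + acctReq.getNativeIdentity());

        List attrReqs = acctReq.getAttributeRequests();
        if (attrReqs == null) {
            continue;
        }
        for (AttributeRequest attrReq : attrReqs) {
            // Look the attribute up in the account schema to see whether
            // it is flagged as an entitlement.
            AttributeDefinition def = (schema != null)
                    ? schema.getAttributeDefinition(attrReq.getName())
                    : null;
            boolean isEntitlement = (def != null) && def.isEntitlement();

            // Names and operations only; values are deliberately not logged.
            log.debug("  attr=" + attrReq.getName()
                    + " op=" + attrReq.getOperation()
                    + " entitlement=" + isEntitlement);
        }
    }
}
```

A plan that shows both entitlement and non-entitlement attributes in the same account request matches the situation described earlier in the thread, where an entitlement call and an update call are both made.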

I recall encountering a similar issue in IDN, where the CREATE action was invoking the Add Entitlement function, but there were no entitlements for the application, and the account needed to be provisioned through Joiner LCE. To resolve this, we created a static entitlement using the Get Groups/Entitlement operation. For the Add Entitlement process, we returned the name of this static entitlement in the response. We applied the same approach for the Remove Entitlement function, as it gets triggered when you attempt to disable the account. I can provide more details if needed.

When we don’t have entitlements but we have requirements for provisioning accounts, it means creating an account with no entitlements in the role. You can do one thing. Use a provisioning policy form in a business role. In the provisioning policy form, just add the application; you don’t need to add any attributes (if you want, you can). So that when a role is requested and after approval, SailPoint will try to create an account and will invoke the particular application’s create provisioning policy form because we used the application in the role. Here we don’t need to use the IT role and don’t require any dummy groups as well. Just a business role is enough.

The reason why it is working is that if you see the plan, the account request for the plan will be IIQ, not for the specific application, because it is a role. To invoke the specific account provisioning policy form, you have to use this way in the role to invoke the form while creating the account.

Hey @poornarao,

I recently worked on integrating SOAP APIs, where we had the same URL for all the operations. I used configuration parameters to skip the Add Entitlement call.

Please check the configuration parameters from here. Especially the following ones:

  • createAccountWithEntReq - Skips “Add Entitlement” call during “Create Account”.
  • addRemoveEntInSingleReq - Makes a single call to “Add Entitlement” or “Remove Entitlement”.
  • skipGetObjectInCreate - “Get Object” operation is NOT called after the “Create Account” operation.
