WebService Connector - How add a "prefix" to the entitlement name?

Hi all,

I’ve the HTTP Operation: Aggregate Entitlements, that is a Group Aggregation type…

Its working all fine… but now I wanna add an prefix to name that comes from API… but today the entitlement is like this way → name: “TEST 1” / id: 1 but I wanna it on Sailpoint as → name: “API - TEST 1” / id: 1…

1. the only way to achieve this is using Web Service After Operation Rule?
2. the Web Service After Operation Rule allows only Java?
3. How can I debug this? And have any ready sample to do an Web Service After Operation Rule?

Thanks all!!

this seems like the simplest approach

However, even if you add the prefix to the Entitlement name, when you are assigning these entitlements to a new user, would you be able to remove the prefix before provisioning/operations? just a thought…

I just wanna add the prefix in the name like this screen

image1064×400 39.3 KB

My entitlement schema has name and id

image1067×304 11.3 KB

in my mind, it will use “id” to operations like aggregation no?

Hi @leonardo_lsilva,

Yes, “Entitlement id” is unique for a specific entitlement, but while provisioning you are going to write the code by fetching the value right?

@iamnithesh just want you to have this constraint in mind while configuring provisioning operations. Either use the entitlement id as reference, or use the entitlement name with the prefix removed.

To answer the question if you will be only using the id for all operations, it depends on the target application you use.
Does it require the entitlement id or entitlement name for associating or disassociating its reference from a source account. In most cases yes, entitlement id will be used for it.

Related to other questions,

1. the only way to achieve this is using Web Service After Operation Rule? - Yes, straightforward way to do it. Logically makes sense to put your logic there
2. the Web Service After Operation Rule allows only Java? - Yes
3. How can I debug this? And have any ready sample to do an Web Service After Operation Rule? - You can enable debugging at VA Cluster and you should start seeing logs inside VA for any loggers you add inside your code at ccg.log or error.log. The official documentation has a good reference with a simple use case do check this page

Hey @gladstoneabrahamr,

Thanks for the answers, the target system uses only the ID as reference, the entitlement name is only for display, so I understand that is save change it on import and work with ID without striping out the prefix from the name…

Now I will tryout the Java code… its a new adventure, would be good if we had a entire sample project as IntelliJ for exemple

In my case would be this link no?

Hi @leandrocorreia,

then I think it’s not a problem you can go ahead with the prefixing without worrying about provisioning.

Java code should be straightforward, you will know once you start your adventure don’t worry.

Yes, you should use After Operation Rule to update this prefix.

a sad thing is, that the samples in the link is from the final code… and don’t have any place showing how develop this code… I’m guessing that I need make a test class and mock the input into a main() is that way?

You need to set id as both Entitlement ID and Entitlement Name here

Hey… new problem…

I’m trying this…

image1009×381 39.4 KB

And got this…

image1068×783 47.8 KB

I did the get in this source…

The HTTP Operation that I wanna is the second… so shouldn’t be 1 as I did?

You don’t have to write the entire code and main function and stuff.

To give a rough visualization of how rule works, consider that you are writing the code that is inside a callable function. What ever you write into it will be executed line by line. you don’t have to worry about how that is called or if there is a main function.

To kind of walkthrough the documentation you have the inputs section that available to be directly accessed. for example if you see the in the Example Section they would have used rawResponseObject in the line

Map response = (Map) JsonUtil.toMap(rawResponseObject);

Meaning it’s available across your Java code all the 5 inputs

Screenshot 2023-09-21 at 9.17.07 PM1942×1700 377 KB

When you take Output section into consideration, the code that write should have a return statement with that data,

Screenshot 2023-09-21 at 9.18.02 PM1976×702 99.7 KB

If you see the example section you would notice that we have,

Map updatedMapInfo = new HashMap();
// some code logic you want to do
return updatedMapInfo;

Hope this gives you a rough context of how to get started with rules.

Can you try with the following,

[
  {
    "op": "add",
    "path": "/connectorAttributes/connectionParameters/1/afterRule",
    "value": "After Rule - PREFIX_NOME_PERMISSAC"
  }
]

It varies depending on if the attributes is already there in that path, if already have it you can perform replace operation. If not you will have perform add operation.

That’s it! worked like a charm!!

But now… new quest unlocked…

in ccg.log… I got this message:

"message":"CCG CACHE [Rule] OBJECT NOT IN CACHE: nameOrId - After Rule - PREFIX_NOME_PERMISSAO"

I did the create post…

    "id": "xxx",
    "name": "After Rule - PREFIX_NOME_PERMISSAO",
    "created": "2023-09-21T15:30:30.945Z",
    "modified": null

I need do anything more to activate this?

Can you elaborate more on when you are getting this error? and is that the full error from the log?

Once rule is created and associated it should start working no additional steps is needed.

First I executed “cat ccg.log | grep PREFIX_NOME_PERMISSAO” into sandbox-va

then I got this error:

{"stack":"ccg","pod":"stg08-useast1","connector-logging":"148","clusterId":"157","buildNumber":"917","apiUsername":"10fa11fa-a8a6-45c2-aad6-b4c4b885999c","orgType":"","file":"CloudPersistenceManager.java","encryption":"1266","messageType":"aggregate","connector-bundle-identityiq":"206","line_number":177,"@version":1,"CB_version":"1015","logger_name":"com.sailpoint.ccg.persistence.CloudPersistenceManager","mantis-client":"1266","class":"com.sailpoint.ccg.persistence.CloudPersistenceManager","atlas-api":"1752","va-gateway-client":"45","clientId":"481","request_milliseconds":"874","source_host":"6ff2c3afdf46","method":"logCacheWarning","org":"americanas-sb","level":"WARN","IdentityIQ":"8.3p4 Build 1527a593753-20230805-223436","message":"CCG CACHE [Rule] OBJECT NOT IN CACHE: nameOrId - After Rule - PREFIX_NOME_PERMISSAO_TESTE_UM","pipeline":"1266","@timestamp":"2023-09-21T16:17:20.504Z","thread_name":"pool-7-thread-89","atlas-util":"1752","metrics":"1266","region":"us-east-1","AppType":"Web Services","Application":"TESTE_UM [source]","request_id":"7b073764b4da48d5b921d80ee701231b","CB_Type":"connector-bundle-webservices","queue":"stg08-useast1-americanas-sb-cluster-157","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

I created a simple after rule to just log payloads… and check what is the values that transit… my next step is add the prefix…

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import connector.common.JsonUtil;
import connector.common.Util;
import sailpoint.connector.webservices.EndPoint;
import sailpoint.connector.webservices.WebServicesClient;
import sailpoint.object.Application;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;


log.info("TEST_UM_SRC - rawResponseObject = " + rawResponseObject);
log.info("TEST_UM_SRC - processedResponseObject = " + processedResponseObject);
return processedResponseObject;

I don’t think the error you are seeing is related to the Rule you are trying to execute. I think there is some issue with your VA. I see that this log is a WARN type log, can you check if the rule got executed after the WARN message.

cat ccg.log | grep TEST_UM_SRC

There has been a forum question suggesting to create a support ticket.

I will check…

But as I could constate my rule was not executed… because I had set a specific string at logs but I could not find it on cat | grep… so… this tells me that the after rule wasn’t executed

When I run a manual Entitlement Aggregation, it’s supposed to run the HTTP Operation that check groups and them the WebServiceAfterOperation Rule that I wish no? So running every time that I run a manual Entitlement Aggregation the logs that I had set should be there at ccg.log right?

image1606×372 25.6 KB

Yes @leonardo_lsilva, that would be the expected behaviour.

As long as you have the operation type as “Group Aggregation”

Screenshot 2023-09-21 at 11.51.40 PM1722×176 8.9 KB

Yeah… its correct…

image1244×718 41.7 KB

So… its true… my WebServiceAfterOperation isnt running or not logging right… I will try change .info to .warn and see what happens

Using Linux… do you have any tip to convert the code to string and post it on API? I’m using Postman

My code is:

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import connector.common.JsonUtil;
import connector.common.Util;
import sailpoint.connector.webservices.EndPoint;
import sailpoint.connector.webservices.WebServicesClient;
import sailpoint.object.Application;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;


log.warn("WARN - UBRELLA_SRC - rawResponseObject = " + rawResponseObject);
log.warn("WARN - UBRELLA_SRC - processedResponseObject = " + processedResponseObject);

log.warn("INFO - UBRELLA_SRC - rawResponseObject = " + rawResponseObject);
log.warn("INFO - UBRELLA_SRC - processedResponseObject = " + processedResponseObject);

log.warn("DEBUG - UBRELLA_SRC - rawResponseObject = " + rawResponseObject);
log.warn("DEBUG - UBRELLA_SRC - processedResponseObject = " + processedResponseObject);

log.error("ERROR - UBRELLA_SRC - rawResponseObject = " + rawResponseObject);
log.error("ERROR - UBRELLA_SRC - processedResponseObject = " + processedResponseObject);

return processedResponseObject;

Give it a try with .error, which works better that the rest

You can check both ccg.log and error.log

With error you don’t have to worry about the log level configurations too.