Hi All,
I have a Web Service connector source with accounts that are disabled with a field called `enabled`, but not reflecting correctly in the IDN UI, they still show as `Enabled` regardless of the actual boolean value for `enabled`.
Through forum snippets I’ve managed to piece together what I think is supposed to work, but it’s not behaving as expected. My understanding is that in the `WebServiceAfterOperationRule` you need to tell IdentityNow that the account is enabled/disabled by injecting the `IIQDisabled` field to the account attributes map before it’s returned to IdentityNow. This is because IdentityNow has no “meaning” attached to my `enabled` field, nor any other as it relates to disabling or enabling an account, `enabled` is simply another generic string attribute.
Here is my code:
```java
import connector.common.JsonUtil;
import java.util.Map;
import sailpoint.tools.GeneralException;

log.debug(rawResponseObject.toString());
Map accountMap = null;
try {
    // Parse the raw JSON response body into a Map
    Map response = (Map) JsonUtil.toMap(rawResponseObject);
    if (response.containsKey("data") && response.get("data") instanceof Map) {
        accountMap = (Map) response.get("data");
        if (accountMap.containsKey("enabled")) {
            if (accountMap.get("enabled") instanceof Boolean) {
                boolean isEnabled = (Boolean) accountMap.get("enabled");
                // IIQDisabled is the inverse of the source's "enabled" flag
                if (isEnabled) {
                    log.debug("the user is enabled " + isEnabled);
                    accountMap.put("IIQDisabled", false);
                } else {
                    log.debug("the user is disabled " + isEnabled);
                    accountMap.put("IIQDisabled", true);
                }
            } else {
                log.warn("The 'enabled' field exists but is not a boolean");
            }
        } else {
            log.warn("No 'enabled' field found in the data map");
        }
    } else {
        log.warn("No data field found in response or data is not a Map");
    }
} catch (Exception e) {
    log.error("Error processing response: " + e.getMessage());
}

// Log the final attribute map for troubleshooting
if (accountMap != null) {
    String accountMapJson = JsonUtil.toJson(accountMap);
    log.debug("accountMap as JSON: " + accountMapJson);
} else {
    log.warn("accountMap is null, cannot convert to JSON");
}
return accountMap;
```
Viewing the logs I can see that my `IIQDisabled` field is coming through correctly, and that `enabled=false` users have the `IIQDisabled=true` coming back in the attribute payload.
Behavior:
- Re-aggregating a single account with `enabled=false` has no effect. Even though IdentityNow sees that `enabled` is `false` on the account (in the UI), the account remains `Enabled` in the UI.
- Unoptimized aggregation has the same behavior.
- Disabling the account manually, then re-aggregating did work. The setting and the account finally show as `Disabled`.
I feel like I’m missing something, as I’d expect this field to get updated without having IdentityNow initiate a disable operation for the account to reflect the correct state, based on what I’ve read in the forums.
I’ve also tried using booleans and strings in the value for IIQDisabled, as I saw different accepted responses in the forums for these values.
What am I missing? Thanks!