Hi, I am currently working on a webservice connector in SailPoint IIQ 8.3. I am encountering an issue wherein, when removing a role, after executing the update provisioning policy rule, it does not proceed to process the before provisioning rule and the remove entitlement before operation rule.
Hi @norman_mercader,
Sorry, I am a little confused.
Where and how are you executing this rule?
Can you explain better?
PS: If you can, share the code or some screenshots.
The expected process is: when removing a role from an existing user, the first step is to execute the update provisioning policy rule. In that rule there is an attribute named isConcurrent with a boolean value that will be updated to true/false based on the type of entitlements/groups present in the role that is going to be removed. Then it should generate a plan that has the updated value for isConcurrent. Then, in the before provisioning rule, it will check the value of isConcurrent. If it is true, I have to add another attribute request to the plan and assign a specific value to the attribute request. Then it should proceed with the removal of the entitlements/groups. But what happened was that it only processed the update provisioning policy rule and stopped.
By the way, when adding a role to an existing user, it goes through the same process before adding the entitlements/groups, but it was successful.
Ok, maybe I understand.
Here is how I would do it:
On webservice:
- Operations: getObject & Update Account configured
First Rule → Build the plan, setting Modify as the operation
Before Rule → Check and add (or not) the attribute according to the logic
Before Operation Rule → change the body to send
It's very important to have the getObject because after each change, SP launches a getObject to update the object on SP. If you don't have it, you need to run an aggregation.
Do you have the getObject op?
So, if the remove doesn't work, it could be for several reasons.
- Plan: check the operation and the attributes (but I think in your case it's correct)
- Operation: check if you launch the correct operation
- Body: check if the body has all the properties that you want and that it is accepted by the webservice
Also, review the logs, write new ones in your rules, check every step, and activate the webservice logs (log4j guide):
log4j.logger.openconnector.connector.webservices.WebServicesConnector=debug (or trace)
By the way, my code for removal of entitlements was already tested and working; I just encountered this issue last week.
Can you share how you build the plan and the rule?
Actually, I just build the rule from the update provisioning policy.
During the time that the execution was successful, after executing the update provisioning policy rule it dumped the application, then proceeded with the execution of the before provisioning rule and the remove entitlements before operation rule.
But during the time that it failed, it did not dump the application and did not proceed with the execution of the before provisioning rule and the remove entitlements before operation rule.
Without looking at the code it is a little hard.
But here:
The request removes a group and adds a role, is that correct?
Is it by any chance that this role assigns the group you are deleting?
The user was assigned 2 roles; role1 has these 2 groups or entitlements
and role2 has this group or entitlement
and I tried to create a request to remove role2.
The groups with CONC in the group name are considered concurrent groups, and the ones that don't have CONC are non-concurrent. The requirement in the application is: if the assigned groups are all concurrent, we assign the value true to the isconcurrent attribute and assign a specific value to the roles attribute; if the value of isconcurrent is false, we do not assign a value to the roles attribute. In the example in the screenshot, I tried to remove the non-concurrent group, so the remaining assigned groups are concurrent groups. That is why in the plan you can see that the roles attribute has the op value of add.
The main issue is: after executing the isconcurrent update provisioning policy rule, it did not trigger the before provisioning rule and the remove entitlement before operation rule; that is why the removal failed.
For additional information, I tried to request the role removal via batch request, but the batch request also failed to execute because of this error
and upon tracing the error message, I found out that the log error is coming from the code of workflow object
Can you share the rule?