Workflow - PAG - Active Directory command - "Error Handler" bug?

questjj · May 1, 2025, 9:44pm

PAG - get account - error handler => I am attempting command “Get User by SAM Account Name”, if the account is found, everything works fine, but when I enter a sam that does not exist, I am experiencing a “stop execution” error instead of flowing into the “false” path of the exception handler. My end goal would be to go down a false path after lookup, confirming account name is unique, then create the account in AD.

Bug or am I missing something?

IAM_Tanay · May 1, 2025, 10:07pm

Hi @questjj , I don’t think PTA workflows support Account Creation. The current documentation on PTA doesn’t provide command s to create account. It provides command on enable , disable, unlock.

questjj · May 1, 2025, 11:41pm

Right, I’m specifically asking about the failed error handling.

questjj · May 2, 2025, 6:44pm

looks like error handling is working as expected today. this topic can be closed.

IAM_Tanay · May 5, 2025, 2:42pm

@questjj That’s great.
Jason we have a requirement where we are trying to create security groups.
Before providing these commands in workflow . Did you configured a AD source & a credential provider and hosted these 2 on the Privileged Gateway VA. I am trying to understand from where would this workflow fetch the credential & OU details ?

As per sailpoint documentation Credential Provider is a pre-requiste but how will it be used in this workflow.

Thanks,
Tanay

questjj · May 5, 2025, 9:26pm

@IAM_Tanay

First you configure a credential provider, I used the Delinea one. This will use your standard VA, not a privileged Gateway.
Test this works by using it as the password provider for something like an existing JDBC source, messing with that until you get the path logic correct.

-Then you stand up one or more Priv VA’s.

In a workflow, try a PAG Active Directory task. It will prompt you for your new Priv VA cluster, then in your authentication settings, you just give it the path to your credentials via the credential server (that you figured out in the Test I suggested above)

IAM_Tanay · May 7, 2025, 3:07pm

Thank you @questjj . In my workflow I have added only 3 steps for now . I am trying to use List OUs command.

I am getting “command invocation expired” error. Did you found anything related on this.

Thanks,
Tanay

naluvala · May 29, 2025, 12:06pm

@questjj

I am trying to create AD groups using PAT worflows and i am using hashicorp(On prem) as a credentail provider. When i test the workflow my worflow is getting struck on get organizational units step. I am not getting any error in pag logs as well and workflow is not moving forward and when we see workflow executions we see the step as activity schedlued but its not started. Any help here would be greatly appriciated. If you can help us where exactly we will get the pag logs that would be of great help.

Thanks,