Hi Folks,
need a little help. There is a workflow designed to provision data to a PAM client, CyberArk. Workflow has steps to create a personal safe, local cyberark account and then add the user, privileged data, managing CPM etc to the same safe. initially i tested out all of these functionalities individually through standalone rules, and they worked well, but now when i trigger the same through the workflow, it errors out at 2 steps, to add managing CPM, to add local cyberark account to this safe. any one has clue what could be the problem ?
error is as below
An unexpected error occurred: sailpoint.tools.GeneralException: The application script threw an exception: sailpoint.tools.GeneralException: Expected to find a single target for “Safename” on PAM BSF info: script at line: 0 column: columnNo
this error was while trying to add CPM, when i check logs, it did trigger the transaction and was able to committ it as well,
Found a post on compass, while this does help, but i am not sure about the user experience on waiting for aggregation to run before they could use PAM portal. if anyone has better approaches , please do let me know
Hi @rohit_jaiswal1
Can you please provide us with more information like is it a custom workflow, application connector type, Is PAM module being used for this integration.
I guess you can add a step in the workflow to aggregate the safe. The method aggregateSpecificGroup/aggregateSpecificTargets from GroupLibrary(sailpoint.workflow)can be used to aggregate the single object depending on whether you are using PAM module or not.
The error you have highlighted looks a bit confusing. Based on the error message it looks like there are more than one target with the same safe name.
An unexpected error occurred: sailpoint.tools.GeneralException: The application script threw an exception: sailpoint.tools.GeneralException: Expected to find a single target for “Safename” on PAM BSF info: script at line: 0 column: columnNo
Its a custom workflow to create a provisioning plan. and yes PAM module is being used to connect with CyberArk SCIM Client.
Could you help me with the “aggregate step in wf” error is because SP is expecting the safe to be here in managed attributes through target aggregation but it doesnt find it as its a newly created safe as part of the workflow. Viable solution for me was to add a wait step, as there are too many safes in target system I cannot run full aggregation too frequently .
intially error got me confused as well maybe finding more than one target, but its 0 target in SP thats why
This is occurring because you are trying to execute a PermissionRequest against the newly created safe to add user permissions to it. A Target object in IIQ needs to exist for this to happen properly without errors. I ran into the same issue when creating a similar workflow for CyberArk.
You have a couple of options to fix this:
In your workflow, run a Target Aggregation against your CyberArk application to aggregate in the new safe as a target object before you attempt to add the permissions to the user. This can take a while depending on how much data is in your CyberArk environment. I think later versions of IIQ might have the capability of aggregating a single Target but I never got too into it since I was on an older version at the time
If the safe creation step is successful, you can create a Target object yourself to represent what would have come in on the next Target Aggregation so it fulfills the requirement of having the Target object for the PermissionRequest. This way you can move your workflow forward without having to wait for an aggregation. Example snippet below
//Creates Target object directly in IIQ to avoid waiting for Target Aggregation to run
TargetSource targetSource = context.getObjectByName(TargetSource.class, "PAMTargetCollector");
Target newTarget = new Target();
newTarget.setDisplayName(safeName);
newTarget.setFullPath(safeName);
newTarget.setName(safeName);
newTarget.setNativeObjectId(safeName);
newTarget.setTargetSource(targetSource);
newTarget.setUniqueNameHash(Target.createUniqueHash(safeName));
context.saveObject(newTarget);
context.commitTransaction();
I didn’t read too much before I responded. @Jarin_James 's response looks like exactly what you need. Add a step in your workflow which uses the call aggregateSpecificTargets after you create the safe. It is going to expect your workflow step to have the following arguments:
pamContainersToAggregate
applicationName
You’ll also need to make sure your Workflow’s libraries attribute has Group in it.
The details @patrickboston mentioned is the information required for target aggregation. Since you are using PAM Module, please refer the Entitlement Update Workflow and it will provide you with more information. The entitlement update workflow is having 2 additional variables
pamContainersToAggregate
pamContainerToGroupAggregate
These variables are used to trigger single Target aggregation and group aggregation via the Workflow steps Aggregate Specific Targets and Aggregate Specific Group.