
Wednesday, December 18, 2019

SailPoint issues with creating duplicate Entitlements

I experienced issues with duplicate entitlements being created for an Active Directory application. The issue appeared when there were nested AD groups that were inheriting other groups.

The symptom was some rogue ManagedAttribute objects with type="Entitlement" instead of "group", which caused a failure: "Exception during aggregation of <group>. Reason: could not insert: [sailpoint.object.ManagedAttribute]"

The issue came down to some bad settings:

First, in the Active Directory account aggregation, the "Promote Managed Attributes" checkbox was checked. This should only be checked if there is NO account group aggregation; the account group aggregation replaces this checkbox.

Second, the memberOf schema attribute on the account was not set to a schemaObjectType of group. This setting, together with Managed, Entitlement, and Multi-Valued, is required for this field.

Finally, the memberOf schema attribute on the group was not set to a schemaObjectType of group. Also, while the Entitlement and Multi-Valued checkboxes were set, Indexed was not, so I set Indexed to match another successfully running application on a different AD domain.

To summarize, for AD connections:

On account aggregation, do NOT select "Promote Managed Attributes".
On the account schema, select group as the schemaObjectType, plus Managed, Entitlement, and Multi-Valued.
On the group schema, select group as the schemaObjectType, plus Entitlement, Multi-Valued, and Indexed.


Monday, December 2, 2019

Figuring out how to work with getOp or getOperation

The classes ProvisioningPlan.AccountRequest and ProvisioningPlan.AttributeRequest have operations associated with them. Here's how to query and use them. This might be updated as I gather more info.

AccountRequest actually has two flavors:

sailpoint.object.ProvisioningPlan.AccountRequest
sailpoint.integration.ProvisioningPlan.AccountRequest

The former is used internally for building and requesting; the latter is passed into IntegrationConfig classes.

Starting with the former, it has the following operation method:

sailpoint.object.ProvisioningPlan.AccountRequest.Operation getOperation()

This returns an enum whose value is one of the following:

Create
Delete
Disable
Enable
Lock
Modify
Unlock

Unless the request is an account-level operation, most of the time this will be Modify, used for modifying attribute data or for adding or removing entitlements. Two easy ways to test it are:

if (AccountRequest.Operation.Enable == acctReq.getOperation()) {

Putting the enum constant on the left defends against an NPE when getOperation() returns null.

and the less preferred:

if ("Enable".equals(acctReq.getOperation().name())) { // name() gives the constant as a String; throws an NPE if getOperation() is null

For the AttributeRequests, that class does not have its own getOperation method; instead it inherits the following method from sailpoint.object.ProvisioningPlan.GenericRequest:

sailpoint.object.ProvisioningPlan.Operation getOp()

This returns an enum whose value is one of the following:

Add
Remove
Retain
Revoke
Set

You will most likely see Add, Remove, and Set and can use:

if (ProvisioningPlan.Operation.Add == attrReq.getOp()) {

or the less preferred:

if ("Add".equals(attrReq.getOp().name())) { // name() gives the constant as a String; throws an NPE if getOp() is null
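As an added example (not code from the original post), here is a Java helper that applies both comparisons above, AccountRequest.getOperation() and AttributeRequest.getOp(), to walk a ProvisioningPlan and list the sensitive changes (account Delete/Disable, and Add/Set of a watched group) so they can be reviewed before the plan reaches the connector. Accessors other than getOperation() and getOp() (getAccountRequests, getApplication, getNativeIdentity, getAttributeRequests, getName, getValue) are assumed from the IIQ API and are not on this page; the memberOf attribute name and the watched-group list are placeholders.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

public class PlanAuditor {
    // Assumed attribute name for AD group membership (the memberOf schema attribute).
    private static final String ENTITLEMENT_ATTR = "memberOf";

    /**
     * Returns one finding per account-level Delete/Disable and per Add/Set of a
     * watched group, so the plan can be reviewed before it reaches the connector.
     * Accessors other than getOperation()/getOp() are assumed from the IIQ API.
     */
    public static List<String> audit(ProvisioningPlan plan, List<String> watchedGroups) {
        List<String> findings = new ArrayList<String>();
        if (plan == null || plan.getAccountRequests() == null) {
            return findings;
        }
        for (AccountRequest acctReq : plan.getAccountRequests()) {
            String target = acctReq.getApplication() + "/" + acctReq.getNativeIdentity();
            // Enum constant on the left: no NPE when getOperation() returns null.
            AccountRequest.Operation op = acctReq.getOperation();
            if (AccountRequest.Operation.Delete == op || AccountRequest.Operation.Disable == op) {
                findings.add("account " + op.name() + " on " + target);
            }
            if (acctReq.getAttributeRequests() == null) continue;
            for (AttributeRequest attrReq : acctReq.getAttributeRequests()) {
                if (!ENTITLEMENT_ATTR.equals(attrReq.getName())) continue;
                // getOp() is inherited from GenericRequest; Add and Set both grant membership.
                ProvisioningPlan.Operation aop = attrReq.getOp();
                if (ProvisioningPlan.Operation.Add != aop && ProvisioningPlan.Operation.Set != aop) continue;
                // A Multi-Valued attribute carries a List; a single value is wrapped so both paths match.
                Object raw = attrReq.getValue();
                List<?> values = (raw instanceof List) ? (List<?>) raw : Collections.singletonList(raw);
                for (Object v : values) {
                    if (v != null && watchedGroups.contains(v.toString())) {
                        findings.add("entitlement " + aop.name() + " of " + v + " on " + target);
                    }
                }
            }
        }
        return findings;
    }
}
```

Called from a rule with the plan and a list of group DNs to watch, it returns an empty list for a plan with nothing of interest, which keeps the caller's logging path simple.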

For sailpoint.integration.ProvisioningPlan.AccountRequest the following method is provided:

String getOperation()

This returns the valueOf of one of the ProvisioningPlan.AccountRequest.Operation constants.

and for sailpoint.integration.ProvisioningPlan.AttributeRequest the following method is provided:

String getOperation()

This returns the valueOf of one of the ProvisioningPlan.Operation constants.