Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Aggregating a single account from an application

Aggregating a single account from an application

 

Overview

Deployment professionals configuring IdentityIQ sometimes a need to update IdentityIQ's model of a single account from an Application without the overhead and time needed for a full re-aggregation of all accounts from the Application.  This concept is called "single account aggregation", "targeted aggregation", or "single-account targeted aggregation".  These terms can be use interchangeably.  This article discusses approaches and examples that can be used to achieve single account aggregation in IdentityIQ.

 

By default, IdentityIQ aggregations process every account from the Application(s) being aggregated.  This behavior is designed to support the Access Review and Certification features of IdentityIQ where a complete, current, and accurate data set is required for a Certification to be valid.  When using IdentityIQ for provisioning and access-request and request-approval functions, a more real-time approach to retrieving the status of an account is necessary.

 

Most connector technologies in IdentityIQ support the concept of "Single account" aggregation. An notable exception to this is the delimited file connector, which due to the nature of how it reads data from a large delimited file, is unable to retrieve a single individual account. In addition, the JDBC connector requires the "getObjectSQL" parameter to be configured to support retrieving Account information one account at a time.  For most other connectors, the capability to retrieve an account in a one-off fashion is built into the connector technology.  At the code layer of the connector technology, the connector class must support the "getObject()" method in order to support single-account aggregation.

 

Approaches to single account aggregation

There are three ways in IdentityIQ to update the model of a single account, without running a full account aggregation against an application:

 

1) Via the user interface for LCM under Manage Access -> Manage Accounts -> For Others, select the Identity correlated to the account.

2) Modify the Application configuration temporarily with a filter include only the desired accounts, then run an aggregation.

3) Programmatically via the API, invoke the Aggregator to aggregate the single account directly.

 

The user interface / LCM approach

The first option uses the LCM features of IdentityIQ to refresh the status of an Identity's accounts. Under Manage Access -> Manage Accounts -> For Others, select the Identity correlated to the account you want to re-aggregate. Most directly-connected Applications will automatically re-aggregate the account in real time to update the status of the account when this page is loaded.  For other connector technologies a "refresh" button is provided on the right side of the screen which will cause IdentityIQ to re-aggregate that single specific account.  An example of this part of the user interface is shown here:

 

Screen Shot 2015-12-09 at 9.59.51 AM.png

 

The application configuration approach

The second option, discussed here (https://community.sailpoint.com/message/10188#10188) is cumbersome in that it requires administrative access to change the Application's configuration and then the execution of a specifically configured Account Aggregation task to operate.  In some scenarios it can work but in general it is not a recommended solution for everyday use.

 

The API based approach

The third option, the API-based option, is used to automate a number of processes on installations that need close to real-time accuracy of account information in IdentityIQ.  This is the recommended approach for installations that need to electronically automate the process of having IdentityIQ update a single account's status from an Application.  This approach has the advantage of allowing the user to pass information about an account that IdentityIQ has never seen before, allowing a single new account to be added to IdentityIQ's model without requiring a full re-aggregation. This approach also allows IdentityIQ to detect account deletions if the account name passed to the single account aggregation has been removed from the Application.

 

The following example snippet shows how to use the API-based approach, and a code review is provided below.

 

import sailpoint.object.Application;

import sailpoint.object.Attributes;

import sailpoint.object.Custom;

import sailpoint.object.Filter;

import sailpoint.object.Identity;

import sailpoint.object.Link;

import sailpoint.object.QueryOptions;

import sailpoint.object.ResourceObject;

import sailpoint.object.TaskResult;

import sailpoint.object.Rule;

import sailpoint.connector.JDBCConnector;

import sailpoint.api.Aggregator;

import sailpoint.connector.Connector;

 

import org.apache.log4j.Logger;

import org.apache.log4j.Level;

 

// Declare a logger class for us to isolate these messages during aggregation.

// Force the log level to DEBUG for initial testing. 

Logger log = Logger.getLogger("sailpoint.services.DemonstrateSingleAccountAggregation");

log.setLevel(Level.DEBUG); // TODO: Turn this off or remove this line when checking in.

 

// Initialize the error message to nothing.

String errorMessage = "";

 

// We need some values defined to know which account we want to aggregate.

String applicationName = "SampleDB";

String accountName = "clyde.orangous";

 

// We have already validated all of the arguments.  No just load the objects.

Application appObject = context.getObjectByName(Application.class, applicationName);

String appConnName = appObject.getConnector();

log.debug("Application " + applicationName + " uses connector " + appConnName);

 

Connector appConnector = sailpoint.connector.ConnectorFactory.getConnector(appObject, null);

if (null == appConnector) {

   errorMessage = "Failed to construct an instance of connector [" + appConnName + "]";

   return errorMessage;

}

 

log.debug("Connector instantiated, calling getObject() to read account details...");

 

ResourceObject rObj = null;

try {

  

   rObj = (ResourceObject) appConnector.getObject("account", accountName, null);

  

} catch (sailpoint.connector.ObjectNotFoundException onfe) {

   errorMessage = "Connector could not find account: [" + accountName + "]";

   errorMessage += " in application  [" + applicationName + "]";

   log.error(errorMessage);

   log.error(onfe);  

   return errorMessage;

}

 

if (null == rObj) {

   errorMessage = "ERROR: Could not get ResourceObject for account: " + accountName;

   log.eror(errorMessage);

   return errorMessage;

}

 

log.debug("Got raw resourceObject: " + rObj.toXml());

 

// Now we have a raw ResourceObject.  The Application in IdentityIQ may have a

// Customization rule defined to transform the ResourceObject.  We need to

// honor that configuration, so if the Applicaiton has a Rule then we run it.

Rule customizationRule = appObject.getCustomizationRule();

if (null != customizationRule) {

 

   log.debug("Customization rule found for applicaiton " + applicationName);  

  

   try {

  

      // Pass the mandatory arguments to the Customization rule for the app.

      HashMap ruleArgs = new HashMap();

      ruleArgs.put("context",     context);

      ruleArgs.put("log",         log);

      ruleArgs.put("object",      rObj);

      ruleArgs.put("application", appObject);

      ruleArgs.put("connector",   appConnector);

      ruleArgs.put("state",       new HashMap());

  

      // Call the customization rule just like a normal aggregation would.

      ResourceObject newRObj = context.runRule(customizationRule, ruleArgs, null);

     

      // Make sure we got a valid resourceObject back from the rule. 

      if (null != newRObj) {

         rObj = newRObj;

         log.debug("Got post-customization resourceObject: " + rObj.toXml());

      }   

     

   } catch (Exception ex) {

  

      // Swallow any customization rule errors, the show must go on!

      log.error("Error while running Customization rule for " + applicationName);

        

   } 

 

}

 

// Next we perform a miniature "Aggregation" using IIQ's built in Aggregator.

// Create an arguments map for the aggregation task.

// To change this (if you need to), the map contains aggregation options and is the same as the

// arguments to the acocunt aggregation tasks.  Some suggestied defaults are:

Attributes argMap = new Attributes();

argMap.put("promoteAttributes",       "true");

argMap.put("correlateEntitlements",   "true");

argMap.put("noOptimizeReaggregation", "true");  // Note: Set to false to disable re-correlation.

 

// Consturct an aggregator instance.

Aggregator agg = new Aggregator(context, argMap);

if (null == agg) {

   errorMessage = "Null Aggregator returned from constructor.  Unable to Aggregate!";

   log.eror(errorMessage);

   return errorMessage;

}

 

// Invoke the aggregation task by calling the aggregate() method.

// Note: the aggregate() call may take serveral seconds to complete.

log.debug("Calling aggregate() method... ");

TaskResult taskResult = agg.aggregate(appObject, rObj);

log.debug("aggregation complete.");

 

if (null == taskResult) {

   errorMessage = "ERROR: Null taskResult returned from aggregate() call.";

   log.eror(errorMessage);

   return errorMessage;

}

 

// Show the task result details for engineers curious about the results.

// These ususally look like the following:

//    <?xml version='1.0' encoding='UTF-8'?>

//    <!DOCTYPE TaskResult PUBLIC "sailpoint.dtd" "sailpoint.dtd">

//    <TaskResult>

//      <Attributes>

//        <Map>

//              <entry key="applications" value="1"/>

//              <entry key="exceptionChanges" value="1"/>

//              <entry key="extendedAttributesRefreshed" value="1"/>

//              <entry key="identityEntitlementsCreated" value="1"/>

//              <entry key="identityEntitlementsIndirectLinkUpdates" value="1"/>

//              <entry key="identityEntitlementsRoleAssignmentsUpdates" value="4"/>

//              <entry key="identityEntitlementsRoleDetectionsUpdates" value="1"/>

//              <entry key="identityEntitlementsUpdated" value="1"/>

//              <entry key="total" value="1"/>

//              <entry key="updated" value="1"/>

//        </Map>

//      </Attributes>

//    </TaskResult>

// Where the "udpated" indiciates the number of account links updated.

 

log.debug("TaskResult details: \n" + taskResult.toXml());

 

return ("Success");

 

Lines 1 through 20 define the includes and logging.

 

Line 21 should be removed when using this code in production; it sets logging levels for demonstration purposes.

 

Lines 26 through 28 specify the Application Name and Account Name for the account to aggregate.

 

Lines 30 through 41 instantiate the Application and its Connector in local memory.

 

Lines 43 through 62 read back the "ResourceObject" from the Connector.  The ResourceObject represents the account before it has been correlated and "Link"-ed to an Identity object.

 

Lines 64 through 99 execute the Application's Customization Rule on the ResourceObject returned from the Connector.  This allows single-account aggregations to have the same customizations applied as full aggregations run from Aggregation tasks.

 

Lines 101 through 128 construct an instance of the Aggregator class to aggregate the single account.  They return a TaskResult reference with statistics about the aggregation.

 

Lines 130 through 152 log the details of the Aggregation's TaskResult to the log file.

 

Execution of the API approach

When imported and executed from "iiq console" the code above provides the following output:

 

> import "/Users/adam.hampton/Documents/workspace/ssb-keppler-baremetal/config/Rule/Rule-Demonstrate-Single-Account-Aggregation.xml

Rule:Demomstrate Single Account Aggregation

 

> rule "Demomstrate Single Account Aggregation"                                                                                    

2015-12-09 10:39:37,845 DEBUG main sailpoint.services.DemonstrateSingleAccountAggregation:? - Application SampleDB uses connector sailpoint.connector.JDBCConnector

2015-12-09 10:39:37,857 DEBUG main sailpoint.services.DemonstrateSingleAccountAggregation:? - Connector instantiated, calling getObject() to read account details...

2015-12-09 10:39:37,858 DEBUG main sailpoint.connector.JDBCConnector:1048 - SQL statement[select * from users where login = 'clyde.orangous'].

2015-12-09 10:39:37,858 DEBUG main sailpoint.connector.JDBCConnector:1412 - Returned from execute [true].

2015-12-09 10:39:37,860 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [login]

2015-12-09 10:39:37,860 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [description]

2015-12-09 10:39:37,860 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [first]

2015-12-09 10:39:37,860 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [last]

2015-12-09 10:39:37,860 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [role]

2015-12-09 10:39:37,860 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [status]

2015-12-09 10:39:37,860 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [locked]

2015-12-09 10:39:37,861 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [email]

2015-12-09 10:39:37,861 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [roleFlag]

2015-12-09 10:39:37,861 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [password]

2015-12-09 10:39:37,861 DEBUG main sailpoint.connector.JDBCConnector:1627 - Building attribute [postalcode]

2015-12-09 10:39:37,861 DEBUG main sailpoint.connector.JDBCConnector:516 - SQL statement for Direct Permission is null

2015-12-09 10:39:37,863 DEBUG main sailpoint.services.bshdemo.customizationRule:? - account [clyde.orangous] has status [A], setting disabled false.

2015-12-09 10:39:37,864 DEBUG main sailpoint.services.bshdemo.customizationRule:? - account [clyde.orangous] has locked [N], setting locked false.

2015-12-09 10:39:37,864 DEBUG main sailpoint.services.bshdemo.customizationRule:? - Performing one-time load of 'postalCodeLookupMap'...

2015-12-09 10:39:37,865 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:10007 to state:NY

2015-12-09 10:39:37,866 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:77077 to state:TX

2015-12-09 10:39:37,866 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:78747 to state:TX

2015-12-09 10:39:37,866 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:78748 to state:TX

2015-12-09 10:39:37,866 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:78749 to state:TX

2015-12-09 10:39:37,869 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:81003 to state:CO

2015-12-09 10:39:37,869 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:90405 to state:CA

2015-12-09 10:39:37,870 DEBUG main sailpoint.services.bshdemo.customizationRule:? - No 'postalcode' field/property found on account:clyde.orangous

2015-12-09 10:39:37,871 DEBUG main sailpoint.services.DemonstrateSingleAccountAggregation:? - Got raw resourceObject: <?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE ResourceObject PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<ResourceObject displayName="clyde.orangous" identity="clyde.orangous" objectType="account">

  <Attributes>

    <Map>

      <entry key="IIQDisabled">

        <value>

          <Boolean></Boolean>

        </value>

      </entry>

      <entry key="IIQLocked">

        <value>

          <Boolean></Boolean>

        </value>

      </entry>

      <entry key="email" value="clyde.orangous@acme.com"/>

      <entry key="first" value="ornage"/>

      <entry key="last" value="Clyde-primus"/>

      <entry key="locked" value="N"/>

      <entry key="login" value="clyde.orangous"/>

      <entry key="role">

        <value>

          <List>

            <String>User</String>

          </List>

        </value>

      </entry>

      <entry key="status" value="A"/>

    </Map>

  </Attributes>

</ResourceObject>

 

2015-12-09 10:39:37,871 DEBUG main sailpoint.services.DemonstrateSingleAccountAggregation:? - Customization rule found for applicaiton SampleDB

2015-12-09 10:39:37,873 DEBUG main sailpoint.services.bshdemo.customizationRule:? - account [clyde.orangous] has status [A], setting disabled false.

2015-12-09 10:39:37,874 DEBUG main sailpoint.services.bshdemo.customizationRule:? - account [clyde.orangous] has locked [N], setting locked false.

2015-12-09 10:39:37,874 DEBUG main sailpoint.services.bshdemo.customizationRule:? - Performing one-time load of 'postalCodeLookupMap'...

2015-12-09 10:39:37,875 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:10007 to state:NY

2015-12-09 10:39:37,875 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:77077 to state:TX

2015-12-09 10:39:37,875 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:78747 to state:TX

2015-12-09 10:39:37,876 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:78748 to state:TX

2015-12-09 10:39:37,876 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:78749 to state:TX

2015-12-09 10:39:37,876 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:81003 to state:CO

2015-12-09 10:39:37,876 DEBUG main sailpoint.services.bshdemo.customizationRule:? -  loaded mapping of zipcode:90405 to state:CA

2015-12-09 10:39:37,877 DEBUG main sailpoint.services.bshdemo.customizationRule:? - No 'postalcode' field/property found on account:clyde.orangous

2015-12-09 10:39:37,878 DEBUG main sailpoint.services.DemonstrateSingleAccountAggregation:? - Got post-customization resourceObject: <?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE ResourceObject PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<ResourceObject displayName="clyde.orangous" identity="clyde.orangous" objectType="account">

  <Attributes>

    <Map>

      <entry key="IIQDisabled">

        <value>

          <Boolean></Boolean>

        </value>

      </entry>

      <entry key="IIQLocked">

        <value>

          <Boolean></Boolean>

        </value>

      </entry>

      <entry key="email" value="clyde.orangous@acme.com"/>

      <entry key="first" value="ornage"/>

      <entry key="last" value="Clyde-primus"/>

      <entry key="locked" value="N"/>

      <entry key="login" value="clyde.orangous"/>

      <entry key="role">

        <value>

          <List>

            <String>User</String>

          </List>

        </value>

      </entry>

      <entry key="status" value="A"/>

    </Map>

  </Attributes>

</ResourceObject>

 

2015-12-09 10:39:37,878 DEBUG main sailpoint.services.DemonstrateSingleAccountAggregation:? - Calling aggregate() method...

2015-12-09 10:39:39,010 DEBUG main sailpoint.services.DemonstrateSingleAccountAggregation:? - aggregation complete.

2015-12-09 10:39:39,011 DEBUG main sailpoint.services.DemonstrateSingleAccountAggregation:? - TaskResult details:

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE TaskResult PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<TaskResult>

  <Attributes>

    <Map>

      <entry key="applications" value="SampleDB"/>

      <entry key="identityEntitlementsIndirectLinkUpdates" value="1"/>

      <entry key="identityEntitlementsIndirectUpdates" value="1"/>

      <entry key="identityEntitlementsRoleAssignmentsUpdates" value="1"/>

      <entry key="identityEntitlementsRoleDetectionsUpdates" value="1"/>

      <entry key="identityEntitlementsUpdated" value="1"/>

      <entry key="internalUpdates" value="1"/>

      <entry key="total" value="1"/>

      <entry key="updated" value="1"/>

    </Map>

  </Attributes>

</TaskResult>

 

Success

 

Reference artifacts

Two examples are attached to this document: A Workflow, and a Rule that implements the API-based approach for reference.  These can be used as copy/paste ready examples for use in your projects.

 

Forum discussions related to this topic

The following list includes older forum discussions related to this topic that may have partially correct or outdated information related to this topic.

 

Labels (2)
Tags (1)
Attachments
Rule-Demonstrate-Single-Account-Aggregation.xml.zip
Workflow-New-Account-Processor.xml.zip
Comments
‎May 02, 2017 02:19 AM
‎May 02, 2017 02:19 AM

adam.hampton

Please see complete stack track

2017-05-01 23:16:39,277 ERROR https-jsse-nio-443-exec-10 org.apache.bsf.BSFManager:451 - Exception:

java.security.PrivilegedActionException: org.apache.bsf.BSFException: The application script threw an exception: org.hibernate.LazyInitializationException: could not initialize proxy - no Session BSF info: Test Certication Rule at line: 0 column: columnNo

  at java.security.AccessController.doPrivileged(Native Method)

  at org.apache.bsf.BSFManager.eval(BSFManager.java:442)

  at sailpoint.server.BSFRuleRunner.eval(BSFRuleRunner.java:224)

  at sailpoint.server.BSFRuleRunner.runRule(BSFRuleRunner.java:194)

  at sailpoint.server.InternalContext.runRule(InternalContext.java:1168)

  at sailpoint.server.InternalContext.runRule(InternalContext.java:1140)

  at sailpoint.rest.DebugResource.updateObject(DebugResource.java:462)

  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

  at java.lang.reflect.Method.invoke(Unknown Source)

  at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)

  at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)

  at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)

  at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)

  at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)

  at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)

  at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)

  at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)

  at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)

  at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)

  at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)

  at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)

  at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)

  at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)

  at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)

  at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

  at sailpoint.rest.RestCsrfValidationFilter.doFilter(RestCsrfValidationFilter.java:68)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

  at sailpoint.rest.AuthenticationFilter.doFilter(AuthenticationFilter.java:100)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

  at sailpoint.web.SailPointContextRequestFilter.doFilter(SailPointContextRequestFilter.java:52)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

  at sailpoint.web.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:63)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

  at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:75)

  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)

  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)

  at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)

  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)

  at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)

  at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

  at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)

  at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)

  at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

  at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

  at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

  at java.lang.Thread.run(Unknown Source)

Caused by: org.apache.bsf.BSFException: The application script threw an exception: org.hibernate.LazyInitializationException: could not initialize proxy - no Session BSF info: Test Certication Rule at line: 0 column: columnNo

  at bsh.util.BeanShellBSFEngine.eval(Unknown Source)

  at org.apache.bsf.BSFManager$5.run(BSFManager.java:445)

  ... 65 more

‎May 03, 2017 06:48 PM
‎May 03, 2017 06:48 PM

adam.hampton

Any update?

adam_hampton
‎May 08, 2017 05:22 PM
‎May 08, 2017 05:22 PM

This error usually happens when the workflow engine tries to serialize a reference to a sailpoint.object.* instance.  Is your workflow storing references to anything other than Strings or integers in workflow variables?  This stack trace makes me think the issue is somewhere above where the WF code to re-aggregate the account is being called.  Please review the explanation about 75% of the way through this KB article and make sure your workflow code is compliant:

     BSDG 16 - Workflow Step Bean Shell Best Practices

Cheers,

--Adam

‎Aug 21, 2017 06:45 PM
‎Aug 21, 2017 06:45 PM

I have recently downloaded the examples and implemented this in our Dev environment.  Updating the desired Application Account Data of the Identity works, but the function just falls off and does not return after it runs.  Thus far nothing has been found in the Sailpoint log.  Any thoughts on correcting this, has anyone experienced this before?  We are on IIQ version 7.1.

Thank You,

Jake

scott_petry
‎Aug 22, 2017 10:07 AM
‎Aug 22, 2017 10:07 AM

Jake,

Can you explain how you have the single account aggregation implemented?

I find that it helps to add some logging statements in my code to track exactly where things break down.

Scott

marko
‎Jan 04, 2018 09:11 PM
‎Jan 04, 2018 09:11 PM

When I try to import the rule, I am getting the following error; what could be the issue?

2018-01-05 02:00:17,910 ERROR main sailpoint.tools.Console:410 - Line: 1 Column:1: Content is not allowed in prolog.

java.lang.RuntimeException: Line: 1 Column:1: Content is not allowed in prolog.

        at sailpoint.tools.XmlParser.parse(XmlParser.java:361)

        at sailpoint.tools.XmlUtil.parse(XmlUtil.java:89)

        at sailpoint.server.Importer.importXml(Importer.java:357)

        at sailpoint.server.Importer.importXml(Importer.java:313)

        at sailpoint.server.SailPointConsole.cmdImport(SailPointConsole.java:1831)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:498)

        at sailpoint.tools.Console.callMethod(Console.java:569)

        at sailpoint.tools.Console.executeCommand(Console.java:431)

        at sailpoint.tools.Console.doCommand(Console.java:403)

        at sailpoint.tools.Console.interactiveConsole(Console.java:271)

        at sailpoint.tools.Console.run(Console.java:85)

        at sailpoint.server.SailPointConsole.run(SailPointConsole.java:570)

        at sailpoint.server.SailPointConsole.main(SailPointConsole.java:505)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:498)

        at sailpoint.launch.Launcher.main(Launcher.java:227)

vikas_rajole
‎Jan 09, 2018 10:41 AM
‎Jan 09, 2018 10:41 AM

Hi Marko,

Apologies for the delay in replying.

Notice the red dot after the commas?

You won’t see those in a normal editor like notepad. You will see those if you open the rule from debug page. While you are in the debug page, delete those dots and save the rule.

Let me know if that fixed the issue.

Kind regards,

Vikas

sreejitcts
‎Jun 05, 2018 12:57 PM
‎Jun 05, 2018 12:57 PM

Hi adam.hampton

We recently upgraded from IIQ 7.1 to IIQ 7.2 P2. We are running the single account aggregation task as mentioned above following the API based approach. We are receiving a sailpoint.connector.ConnectorException: NullPointerException. Please refer this post for more details  Single Account Aggregation fails in IIQ 7.2 P2

Regards,

Sreejit

nambi
‎Jul 12, 2018 10:37 AM
‎Jul 12, 2018 10:37 AM

it was helpful, it fixed my issue

matoch
‎Aug 08, 2018 11:28 AM
‎Aug 08, 2018 11:28 AM

We are using this method to do aggregations in testing and it seems to work well. We want to add it to a AfterProvisioining rule on some applications so we can see everything that was written during the provisioning task. When we use it in the AfterProvisioning rule it's creating a duplicate link for the account. If we run it separately from the provisioning task it simply updates the existing link with the new data.

Any ideas as to what might be happening?

Version history
Revision #:
5 of 5
Last update:
‎Jun 23, 2023 01:54 PM
Updated by:
Community Administrator
 
View Article History