AnsweredAssumed Answered

Account creation verification does not occur when account template is used!

Question asked by Sandeep Sharma on Feb 11, 2017
Latest reply on Feb 13, 2017 by Boris Lekumovich

Like • Show 0 Likes0
Comment • 5

Hi,

I am making use of an account template to create account before application role(s) can be added i.e. Entitlements Require Account = Yes and an account template is associated with the application.

The target application, while provisioning the account, generates a unique internal ID for each account. This internal ID is required to add/ remove application role(s).

The account collector collects this internal ID as I have created a custom attribute for this.

However, there is an issue. When the create account AFX triggers, it gets completed without any verification (i.e. IMG does not verify account creation via collection i.e. there is no Pending verification for create account. This is because, a placeholder account (local user mapping) is automatically created by IMG in the backend! Refer to How to get rid of Local User Account? discussion for this behaviour.

As such, since account collection has not occurred yet, the add application role(s) AFX calls fail as they expect the internal ID for the account to be provided!

How can this requirement be addressed?

Also, why does IMG NOT wait for account collection to actually verify that the account has been created successfully, just like other AFX actions? The design seems to be weird.

Thanks

Sandeep

Boris Lekumovich

Feb 13, 2017 7:57 AM

Correct Answer

Consider adding a delay node in your workflow.

If the action is Create Account then add a delay node for x hours. If after x hours there was no collection and internal id was not collected, then wait additional x hours. It's sort of a loop so make sure it's not an infinite one.

If there was a collection and internal id is available, then proceed to app-roles assignment.

See the reply in context

No one else had this question

Outcomes

Boris Lekumovich

Feb 13, 2017 12:29 AM

As far as I know, the purpose of the place holder account is to create a dependable change item.

Meaning that until account is created, any actions on the account (add group or add app-role) will be in a pending (waiting) state.

When AFX provisions a new account to the end point it has some sort of a feedback. If it fails, you will get a manual fulfillment but if it succeeds, all the dependent items will continue as normal.

The account will be in state of local user mapping until collected.

It allows to request additional access even though we have not collected the account.

What you describe should work.

I suggest you post additional information on the error you see and relevant configuration of your AFX connector.

And also the version you are using.

Actions

Sandeep Sharma @ Boris Lekumovich on Feb 13, 2017 12:53 AM

Thanks for the prompt response Boris.

Meaning that until account is created, any actions on the account (add group or add app-role) will be in a pending (waiting) state.

The workflow does NOT wait for account collection to proceed! It assumes that the account has been actually provisioned in the target application.

What happens is that as soon as the AFX call to create account completes without error, the create activity is immediately marked as completed. The activities to add application roles trigger next. As the account has not been collected yet, the account attribute which is required for application role provisioning i.e. internal application ID does not get populated. This results in AFX calls to add application role to fail!

Kindly refer to the attached PDF with details including screen shots which illustrate this.

This is the challenge I am facing. I would appreciate if you could assist.

Attachments

Create Account and Add Roles Behaviour.pdf480.9 KB

Actions

Boris Lekumovich

@ Sandeep Sharma on Feb 13, 2017 7:28 AM

That's correct. The workflow does not wait for account to be collected.

If the response from the endpoint is "success" then the system assumes (bases on the response) that everything is OK and it will continue with app-roles assignment.

So in your scenario you don't know the account name? It's something that determined by the application?

If that's the case, then you should use the output parameter.

The output parameter can overwrite the initial value that was set by the account template for account name.

As in your scenario you are writing to csv files, I assume you are not getting an immediate response with the new account name but you need to wait for processing and then collect...

Actions

Sandeep Sharma @ Boris Lekumovich on Feb 13, 2017 7:43 AM

Hi Boris,

I do not need to know the account name. Instead, I need to collect the internal account ID (generated by business source at the time of account creation)! I am collecting it as a custom attribute of account itself!

Yes, as this is CSV based provisioning, I would not really get any response from the business source. The only way to get to know the value of this internal account ID is via collection from CSV's...

Actions

Boris Lekumovich

@ Sandeep Sharma on Feb 13, 2017 7:57 AM

Consider adding a delay node in your workflow.

If there was a collection and internal id is available, then proceed to app-roles assignment.

1 person found this helpful

Actions

5 Replies

Boris Lekumovich Feb 13, 2017 12:29 AM
Mark Correct
Correct Answer
As far as I know, the purpose of the place holder account is to create a dependable change item.
Meaning that until account is created, any actions on the account (add group or add app-role) will be in a pending (waiting) state.
When AFX provisions a new account to the end point it has some sort of a feedback. If it fails, you will get a manual fulfillment but if it succeeds, all the dependent items will continue as normal.
The account will be in state of local user mapping until collected.
It allows to request additional access even though we have not collected the account.

What you describe should work.
I suggest you post additional information on the error you see and relevant configuration of your AFX connector.
And also the version you are using.
Like • Show 0 Likes0
Actions
- Sandeep Sharma @ Boris Lekumovich on Feb 13, 2017 12:53 AM
  Mark Correct
  Correct Answer
  Thanks for the prompt response Boris.
  "
  Meaning that until account is created, any actions on the account (add group or add app-role) will be in a pending (waiting) state.
  "
  The workflow does NOT wait for account collection to proceed! It assumes that the account has been actually provisioned in the target application.
  
  What happens is that as soon as the AFX call to create account completes without error, the create activity is immediately marked as completed. The activities to add application roles trigger next. As the account has not been collected yet, the account attribute which is required for application role provisioning i.e. internal application ID does not get populated. This results in AFX calls to add application role to fail!
  
  Kindly refer to the attached PDF with details including screen shots which illustrate this.
  
  This is the challenge I am facing. I would appreciate if you could assist.
  Attachments
  - Create Account and Add Roles Behaviour.pdf480.9 KB
  Like • Show 0 Likes0
  Actions
  - Boris Lekumovich @ Sandeep Sharma on Feb 13, 2017 7:28 AM
    Mark Correct
    Correct Answer
    That's correct. The workflow does not wait for account to be collected.
    If the response from the endpoint is "success" then the system assumes (bases on the response) that everything is OK and it will continue with app-roles assignment.
    
    So in your scenario you don't know the account name? It's something that determined by the application?
    If that's the case, then you should use the output parameter.
    The output parameter can overwrite the initial value that was set by the account template for account name.
    As in your scenario you are writing to csv files, I assume you are not getting an immediate response with the new account name but you need to wait for processing and then collect...
    Like • Show 0 Likes0
    Actions
    - Sandeep Sharma @ Boris Lekumovich on Feb 13, 2017 7:43 AM
      Mark Correct
      Correct Answer
      Hi Boris,
      
      I do not need to know the account name. Instead, I need to collect the internal account ID (generated by business source at the time of account creation)! I am collecting it as a custom attribute of account itself!
      
      Yes, as this is CSV based provisioning, I would not really get any response from the business source. The only way to get to know the value of this internal account ID is via collection from CSV's...
      Like • Show 0 Likes0
      Actions
      - Boris Lekumovich @ Sandeep Sharma on Feb 13, 2017 7:57 AM
        Unmark Correct
        Correct Answer
        Consider adding a delay node in your workflow.
        If the action is Create Account then add a delay node for x hours. If after x hours there was no collection and internal id was not collected, then wait additional x hours. It's sort of a loop so make sure it's not an infinite one.
        If there was a collection and internal id is available, then proceed to app-roles assignment.
        1 person found this helpful
        Like • Show 0 Likes0
        Actions

Account creation verification does not occur when account template is used!

Outcomes

Attachments

Related Content

Recommended Content