Symantec IGA

  • 1.  Execute policyXpress before an event to assign provisioning role

    Posted May 02, 2018 06:18 AM

    Hello,

    I'm facing a problem when I try to execute a policyXpress before an event.

    Here is my use case:

    I have two custom connectors linked to 2 Account Templates (1 each) and 2 Provisioning Roles (1 each):
       o Jupiter --> Jupiter_GDA_Role (main role triggered manually)
       o GDA --> GDA_Role (secondary role triggered by policyXpress)

    I have created a policy which starts before AssignProvisioningRoleEvent. I have configured the action rule to assign GDA_Role to the user when the name of the role I first give (Jupiter_GDA_Role) contains "_GDA_". When I assign Jupiter_GDA_Role to the user, the policy starts and the GDA_Role is also assigned, but not always in the order we expect.

    I would like to first assign Jupiter_GDA_Role, which should start the policyXpress. This policyXpress should assign the GDA_Role first and THEN the Jupiter_GDA_Role (only on the success of the previous action, if possible).

    I also tested the solution with two PX (1 for each role): I used two PX triggered using EMPTY_JUPITER_GDA_ROLE (not linked to any connector):

       o If this role contains "_GDA_", we start PX1 to assign GDA_Role (priority=0, highest priority task)

       o If this role contains "JUPITER_", we start PX2 to assign JUPITER_Role (priority=1)

    It seems we don't have control over the execution order of the two PX.

    Do you know what could be the reason why it doesn't work, or do you have any other way to implement this?

    Regards,
    Nassim



  • 2.  Re: Execute policyXpress before an event to assign provisioning role

    Posted May 04, 2018 08:56 AM

    I think you might be best served by opening a support case so that logs/configuration can be reviewed further.



  • 3.  Re: Execute policyXpress before an event to assign provisioning role

    Broadcom Employee
    Posted May 08, 2018 03:11 AM

    Support has asked for this thread to be raised as part of a Support case, as it deals with a specific onsite customization query.



  • 4.  Re: Execute policyXpress before an event to assign provisioning role

    Broadcom Employee
    Posted May 04, 2018 11:49 AM

    Hi Nassim,

    You can control the execution order of PXs, but you can't control the execution of the actual events that perform your actions. PXs perform actions in the form of triggering events. Events are executed in the asynchronous phase. Events that you see in "View Submitted Tasks" are asynchronous, i.e. events execute without waiting for prior events to finish. What you are looking for is synchronous behavior.

    You might have to try executing 2 PXs at different trigger points that are far apart, e.g. PX1 on "After" on "ModifyUserEvent" and PX2 on "Task Completion". There is no guarantee that this will always give you synchronous behavior.

    If it doesn't work, then you can try introducing a delay in the PX if you are on newer versions.

    Another option is to have a loop in the PX. PX1 will execute the same way, i.e. "After" on "ModifyUserEvent", and then have a loop in PX2. PX2 will check if the user has an account linked for the endpoint Jupiter, and only then assign the 2nd provisioning role. If the user doesn't have an account linked for the endpoint Jupiter, then restart the PX. Please make sure this PX runs in a loop for a finite number of times, such as 10 times. Please let me know if you want to try this option; I can give you an example of a PX. This method will give you more certainty of achieving synchronous behavior.

    Last option is to use custom code to call the JIAM API. The JIAM API will definitely give you synchronous behavior.

    Thanks,

    Praveen Jain


    RinatM

    #Sequenced Provisioning

    #Loop in PX

    #Synchronous PX



  • 5.  Re: Execute policyXpress before an event to assign provisioning role

    Broadcom Employee
    Posted May 04, 2018 03:36 PM

    Hi Nassim,

    I have uploaded one example of FOR looping in PX here.

    Example - FOR looping in PX

    Thanks,

    Praveen Jain



  • 6.  Re: Execute policyXpress before an event to assign provisioning role

    Posted May 15, 2018 11:11 AM

    Hi Praveen,

    Thank you for your answer.

    I'm using version 12.6.8.

    The option with the loop PX seems more efficient. But I already tried to check if the user has an account linked to the Endpoint using a PX based on "AssignProvisioningRoleEvent", and the result was empty. I was able to get a user's account linked to the EndPoint only when I used "ModifyUserEvent", and I don't have this event when I try to assign provisioning roles to a user. Do you know how to get the endpoint account name when we assign a provisioning role event?

    For the last option (JIAM API), do you have an example of how it works?

    Regards

    Nassim



  • 7.  Re: Execute policyXpress before an event to assign provisioning role

    Broadcom Employee
    Posted May 15, 2018 01:43 PM

    Hi Nassim,

    Do you have a "profile" tab in your admin task? ModifyUserEvent will get triggered if you have a "profile" tab. Here is how it looks:

    You have 2 options to trigger ModifyUserEvent explicitly.

    1. Modify a physical or logical attribute in the "profile" screen manually or programmatically (PX or code).

    2. Select this checkbox on the "profile" tab. It will definitely trigger ModifyUserEvent even if no attribute has been changed.

    You can even hide this tab if you don't want the user to see the "profile" tab, by selecting the check-box "Hide tab".

    Now you can run your PXs on ModifyUserEvent following the approach that I shared in my earlier note.

    Please let me know if it doesn't work for you. I can share the JIAM API code in that case.



  • 8.  Re: Execute policyXpress before an event to assign provisioning role
    Best Answer

    Posted May 23, 2018 05:26 AM

    Hi Praveen,

    I have enabled the "Always generate event" option, and I could start PXs depending on "ModifyUserEvent", but I noticed that IM first gathers all the actions of the PXs related to a task, including the actions of each iteration in the "FOR" loop, and executes them thereafter. I realized this by increasing MaxCounter = 1000 (~1 minute of waiting), and I have a 1 minute wait before the execution of the two PXs. Even when JUPITER_PX depends on GDA_PX, like in this example:

    • PX_GDA: priority=0 execution=|Before|AssignProvisioningRoleEvent|
      • Action1: assign GDA role and trigger ModifyUserEvent
    • PX_JUPITER: priority=99 execution=|After|ModifyUserEvent|
      • Action1: initialise counter=0
      • Action2: if GDA_Account not null --> log endPX and assign JUPITER role
      • Action3: if counter<30 (MaxCounter) reruns PX_GDA else --> EndPX

    Another point: I think both PXs should be executed in two different tasks. In JUPITER_PX I do not have access to the GDA account name even if I wait for an infinite time. But when I run them separately, the "if GDA Account not null" condition is checked and the Jupiter role is assigned to the user.

    You can find my PXs attached.

    PX_GDA:

    PX_JUPITER:

    Regards,

    Nassim

    Attachment(s)

    PX_GDA.xml.zip (zip, 1 KB, 1 version)
    PX_JUPITER.xml.zip (zip, 1 KB, 1 version)
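The effect Nassim describes in this post (the actions of one task are gathered and their events run afterwards in the asynchronous phase, so a bounded wait loop in the same task never sees the GDA account, while the same loop in a separate task does), modelled as an added Python simulation. This is a constructed model, not Identity Manager or PolicyXpress code; `IdentityManagerModel`, `px_gda`, `px_jupiter_loop`, the user name and the 10-iteration bound (Praveen's suggested finite loop) are assumptions.

```python
# Constructed model (not CA IM / PolicyXpress code; all names are assumptions).
from collections import deque

MAX_COUNTER = 10  # finite loop bound, as suggested in the thread

class IdentityManagerModel:
    """Toy IM: PX actions only queue events; the queue drains after the task."""
    def __init__(self):
        self.queue = deque()  # pending (user, role, endpoint) events
        self.roles = {}       # user -> set of provisioning roles
        self.accounts = {}    # user -> set of endpoints with a linked account

    def assign_role(self, user, role, endpoint):
        self.queue.append((user, role, endpoint))  # enqueued, not executed now

    def has_account(self, user, endpoint):
        return endpoint in self.accounts.get(user, set())

    def run_task(self, *actions):
        """Run the PX actions synchronously, then drain the event queue."""
        results = [action(self) for action in actions]
        while self.queue:
            user, role, endpoint = self.queue.popleft()
            self.roles.setdefault(user, set()).add(role)
            self.accounts.setdefault(user, set()).add(endpoint)
        return results

def px_gda(im, user="nassim"):
    im.assign_role(user, "GDA_Role", "GDA")

def px_jupiter_loop(im, user="nassim"):
    """Bounded FOR loop; returns the iteration that succeeded, or -1 on timeout."""
    for counter in range(MAX_COUNTER):
        if im.has_account(user, "GDA"):  # only assign once the GDA account exists
            im.assign_role(user, "Jupiter_GDA_Role", "Jupiter")
            return counter
    return -1

def same_task():
    """Both PXs in one task: the GDA event is still queued while the loop polls."""
    im = IdentityManagerModel()
    outcome = im.run_task(px_gda, px_jupiter_loop)[1]
    return outcome, "Jupiter_GDA_Role" in im.roles.get("nassim", set())

def separate_tasks():
    """PX_GDA in its own task, so its event has run before PX_JUPITER polls."""
    im = IdentityManagerModel()
    im.run_task(px_gda)
    outcome = im.run_task(px_jupiter_loop)[0]
    return outcome, "Jupiter_GDA_Role" in im.roles.get("nassim", set())
```

`same_task()` exhausts the counter and never assigns the Jupiter role, whereas `separate_tasks()` succeeds on the first iteration.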