search cancel

SCIM connector: unable to modify group membership

book

Article ID: 213991

calendar_today

Updated On:

Products

CA Identity Manager

Issue/Introduction

the customer has implemented a SCIM connector with the API GW plugin, to provision the GCP (Google Cloud Platform) endpoint type:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-management-and-governance-connectors/1-0/connectors/other-connectors/scim-connector/create-a-custom-scim-endpoint-type-using-layer7-plugin.html
The new endpoint type was called GCPL7.
When a group is modified and an account is added as its member (attribute members in the Group class of the connector), the JCS returns a NullPointerException:

2021-04-16 17:14:16,953 101392 [ApacheDS Worker-thread-19] GCPL7_GCP_DEV (AssocAttributeOpProcessorProxy.java:341) DEBUG  - LOOKUP:No attributes suitable for associative processor(s) found
2021-04-16 17:14:16,953 101392 [ApacheDS Worker-thread-19] GCPL7_GCP_DEV (LdapExceptionUtils.java:165) ERROR  - internal error in MODIFY(): java.lang.NullPointerException
java.lang.NullPointerException
 at com.ca.jcs.converter.connector.DNConverter.convertConnectorDNToKey(DNConverter.java:234)[131:com.ca.jcs.core:1.1.0.20200719]
 at com.ca.jcs.converter.connector.DNConverter.convertToConnector(DNConverter.java:187)[131:com.ca.jcs.core:1.1.0.20200719]

The same operation, when performed starting from the account (groupMembership attribute in the User Account class of the connector) is performed successfully.

We are using IMPM Provisioning Manager for manipulating the group membership

Environment

Release : 14.x

Component : IdentityMinder(Identity Manager)

Resolution

Group management is not supported (either from UI or IMPM) - the official documentation is also backing it up by leaning towards managing identities (accounts) and instructing to use IM UI for such operations.

This is, therefore, as per design.