Custom Connector to SCIM connector in API gateway does not remove one member of Provisioning Role list or group.
search cancel

Custom Connector to SCIM connector in API gateway does not remove one member of Provisioning Role list or group.

book

Article ID: 246441

calendar_today

Updated On:

Products

CA Identity Suite

Issue/Introduction

In SCIM connector pointing to Api Gateway created via ConnectorXpress.
Account Template pointing to two different Provisioning Roles.

When the account template is changed when removing one Role from Account Template this yet keeps in place.
But when removing everything is working fine.

Environment

Release : 14.4

Component : IDGMR

Cause

1.Looking in the Provisioning Server log in a previous operation can see that eTDYN-str-multi-c-01(Rol): when receiving operation for multiple vales to remove is not doing the operation:

28506 20220628:133212:TID=ffcb40:Modify    :S065:C063:S: Connector Server Modify (eTDYNAccountName=accountname) Requested by User etaadmin -
528507 20220628:133212:TID=ffcb40:Modify    :S065:C063:S:+TenantNotSet
528508 20220628:133212:TID=ffcb40:Modify    :S065:C063:P:     URL: ldaps://<ip>:20411
528509 20220628:133212:TID=ffcb40:Modify    :S065:C063:P:     Class Name: User Account
528510 20220628:133212:TID=ffcb40:Modify    :S065:C063:P:     dn: eTDYNAccountName=accountname,eTDYNContainer001Name=Accounts,eTDYNDirectoryNa
528511 20220628:133212:TID=ffcb40:Modify    :S065:C063:P:+    me=core-policy,eTNamespaceName=CORE TEST,dc=im
528512 20220628:133212:TID=ffcb40:Modify    :S065:C063:P:     eTDYN-str-multi-c-01(Rol):  <no values> [REPLACE]
528513 20220628:133214:TID=ffcb40:Modify    :S065:C063:F: SUCCESS: Connector Server Modify (eTDYNAccountName=accountname)

2. Same problem reproduced using the following etautil command:

etautil -u USER -p PWD -DYN update 'eTDYNContainer001Name=Accounts,eTDYNDirectoryName=corp-biling,eTNamespaceName=TEST' eTDYNAccount eTDYNAccountName='accountname' to eTDYN-str-multi-c-01=''

This sends a request to replace the eTDYN-str-multi-c-01 of the account with no values which should clear out all the values.

3. Please, need to check API Gateway policy to see what it does with this type of request.

Observed  that if the modify is to DELETE specific value it works but with a REPLACE to replace all values with empty is not doing any change and just reporting success.

4. One example to DELETE specific value and is working fine:

etautil -u USER -p PWD -DYN update 'eTDYNContainer001Name=Accounts,eTDYNDirectoryName=corp-biling,eTNamespaceName=TEST' eTDYNAccount eTDYNAccountName='accountname' to -eTDYN-str-multi-c-01='eTDYNObject001Name=XXX,eTDYNContainer002Name=Roless'

Resolution

Please work with the API Gateway Team in the Api Gateway Policy how is behaving when trying try modify and compare with when doing with one delete and see with them if need adjusts in the Api Gateway Policy.