Provisioning Status

Hi,

I tried to provisioned user using CSV file and linked it to AD PowerShell Managed System.

However, the status of the user in FAILED_SAVE.

image1589×214 12.7 KB

Additionally, I tried to add attribute to CSV and defined it as well in transformation script. However, there is no value generated.

This is the attribute that I used and already available in OpenIAM.
Classification
Employee Type
Organization
Supervisor

image1519×273 13.7 KB

Scripts used.
// Adding New Attributes with Conditional Assignment
pUser.classification = StringUtils.isNotEmpty(columnMap.get(“CLASSIFICATION”)?.value) ? columnMap.get(“CLASSIFICATION”).value : “”
pUser.organization = StringUtils.isNotEmpty(columnMap.get(“ORGANIZATION”)?.value) ? columnMap.get(“ORGANIZATION”).value : “”
pUser.employeeType = StringUtils.isNotEmpty(columnMap.get(“EMPLOYEE_TYPE”)?.value) ? columnMap.get(“EMPLOYEE_TYPE”).value : “”
pUser.supervisor = StringUtils.isNotEmpty(columnMap.get(“SUPERVISOR”)?.value) ? columnMap.get(“SUPERVISOR”).value : “”

Hi @pamela.gabagat,

1st Issue – Provisioning to AD (Provisioning Status: FAIL_SAVE)

The error you’re encountering during provisioning, indicated by the “FAIL_SAVE” status, typically means that the provisioning action failed at the connector or script level.

To investigate this:

Please check the IDM logs—they will contain detailed error messages explaining why the provisioning failed.

Alternatively, you can go to the User Profile → User History and look for a log entry labeled “Connector Response”. This will show the exact error returned by the connector.

If you need help troubleshooting the issue, feel free to share a screenshot or the stack trace of the error message, and we’ll assist you further.

2nd Issue – Attribute Mapping

Regarding the attribute-related issue:

Could you clarify what you’re trying to achieve?

Have you defined the new attributes in the CSV file and are looking to map them through the transformation script so they get saved in OpenIAM?

If yes, we can help review or modify the transformation script accordingly.

Let us know the specific attributes and your intended outcome, and we’ll guide you through the adjustments.

Hi @pradeep.bhalla,

1st Issue – Provisioning to AD (Provisioning Status: FAIL_SAVE)
Below is the log from “Connector Response”. I also attached a screenshot from AD to show that the path attribute existed.

Exception at Program.RequestHandler at invoking PowerShell - ’ System.Management.Automation.RuntimeException: Cannot run user creation as calculated path attribute (‘OU=Switzerland,OU=Users,dc=dmfiam,dc=ch’) either does not exist or is not of container or OU type (or not a root DC location) —> System.Management.Automation.RuntimeException: Cannot run user creation as calculated path attribute (‘OU=Switzerland,OU=Users,dc=dmfiam,dc=ch’) either does not exist or is not of container or OU type (or not a root DC location) — End of inner exception stack trace — at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input) at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke) at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync) at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection1 input, PSDataCollection1 output, PSInvocationSettings settings) at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection1 input, PSDataCollection1 output, PSInvocationSettings settings) at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings) at ConnectorRequestRunner.Workers.PowershellWorker.RunPowershellScript(String scriptPath, MessageInfo openIAMRequest) ’

image654×201 11.3 KB

2nd Issue – Attribute Mapping

Please see my answers in bold.

Have you defined the new attributes in the CSV file and are looking to map them through the transformation script so they get saved in OpenIAM? Yes

Let us know the specific attributes and your intended outcome, and we’ll guide you through the adjustments. DEPARTMENT, FUNCTION, EMPLOYEE_TYPE, SUPERVISOR and ORGANIZATION.

I attached here the transformation script that we are using.

Transformation Script.txt (5.7 KB)

In addition to the above issues, in our transformation script, we add a condition there to sanitize the email address to convert German and Spanish letters into ASCII friendly equivalent, but we got a VALIDATION ERROR instead.

Thank you in advance for your assistance and support.

Hi @pradeep.bhalla,

Do you also have any idea how can I trigger the workflow for Movers? I tried to change the job title of one of the test users and use Synchronization for the said changes. However, the workflow for job title changes doesn’t trigger.

Thank you in advance for your assistance.

For the 1st issue
Provisioning to AD (Provisioning Status: FAIL_SAVE)
The error occurred because the specified path for creating the user in Active Directory—

OU=Switzerland,OU=Users,DC=dmfiam,DC=ch—does not exist or is not a valid Organizational Unit (OU) path.

Please verify in your Active Directory whether this OU path exists and is correctly structured.

If the OU does not exist, it will need to be created, or the configuration should be updated to point to a valid OU.

For the transformation script
i have made some changes; kindly test those

Please note- for the conversion of letters to ASCII; i am still working on those and will be sharing an updated script

For the movers; can you please refer to below documentation
incase of any query; kindly let me know

Hi @pradeep.bhalla.

For the 1st Issue:
Provisioning to AD (Provisioning Status: FAIL_SAVE)
I tried again to create user, and the status now changes to PENDING_CREATE.

image1489×169 12.1 KB

OU path existed in AD.

image654×201 11.3 KB

For the transformation script
Where can I see the changes, you have made so I can test it?

Thank you.

CSVTranformation.txt (8.4 KB)
My bad
i forgot to attach it earlier
I have made some changes for email sanitization as well

For the pending create; please refer to below documentation

Hi @pradeep.bhalla ,
Thank you so much for your support.

I tested the Transformation Script you have shared and all is working except for Supervisor and Employee Type.

For Supervisor part, no Supervisor was assigned to user during provisioning. To share, the supervisor can be found under Superiors and Subordinates section.

image1799×370 17.8 KB

For Employee type it remains blank.

image1502×453 18.6 KB

Please note that we are using Version: 4.2.1.11.

For Supervisor; the current logic works as follows:

Retrieves the value from the SUPERVISOR column in the CSV row, which is expected to contain the login name of the supervisor (e.g., john.doe).
This login name is used to fetch the corresponding User object from OpenIAM.

Could you please confirm what value you are currently providing in the SUPERVISOR column?
It appears there may be a difference between the value being supplied from your side in the csv and the actual login of the supervisor in OpenIAM.

For Employee Type; it retrieves the value from the EMPLOYEE_TYPE column in the CSV row.

This value is expected to match the name of a metadata type that belongs to the USER_EMPLOYEE_TYPE grouping in OpenIAM.

Currently, the script assigns the User Object Type ID to the employeeId field, instead of employee type id

Please replace the current code in your script with the following:
// Assign metadata from EMPLOYEE_TYPE
pUser.setMdTypeId(getMetadataTypeByNameAndGrouping(columnMap.get(“EMPLOYEE_TYPE”)?.value, MetadataTypeGrouping.USER_EMPLOYEE_TYPE)?.getId())

This will correctly assign the metadata type to the user’s metadata field.

Kindly ensure that the metadata values you’re using in the CSV for EMPLOYEE_TYPE are already defined in OpenIAM under the USER_EMPLOYEE_TYPE grouping.

For more information on setting up metadata types, please refer to the documentation:

Hi @pradeep.bhalla ,
For SUPERVISOR, the current logic is now working. Thanks a lot!

For EMPLOYEE_TYPE, script has been updated as per above and the EMPLOYEE_TYPE are already defined in OpenIAM under the USER_EMPLOYEE_TYPE grouping. However, still getting a blank value when trying to provision user.

Please see below configurations:

CSV

OpenIAM METADATA (User_Employee_Type)

image1417×528 23.5 KB

Detailed View of User_Employee_Type

image1491×877 20.3 KB