Identity Broker Forum
Welcome to the community forum for Identity Broker.
Browse the knowledge base, ask questions directly to the product group, or leverage the community to get answers. Leave ideas for new features and vote for the features or bug fixes you want most.
Inconsistent import/export treatment of accountExpires AD attribute values
When I import accountExpires for an AD user object as a Date field type the value I see matches the value in AD Users & Computers:
However when I export a value to that field (from a locker via a link in UNIFYBroker/Plus) it is set to the previous date in AD:
The Import and Export behaviours should match, or else there will be a repeated set/read/set/read loop of the value because the value read back on import won't ever match the value set on export.
For reference, for most HR systems the "end date" or "termination date" is the last date on which an employee has access, which matches the behaviour seen here for Import.
Using Timestamp is the best approach. It must be in UTC to work correctly, however. To achieve this, I had to import my date field as a string, then use the following adapter transform to generate EndDate (for use in Time Offset Flag transforms) and EndTimestampUTC (for mapping to accountExpires on an AD connector):
foreach ($Entity in $entities)
{
$EndDateString = $Entity["EndDateString"].Value
$EndDate = $Null
$EndTimestamp = $Null
if ($EndDateString) {
# EndDate is a [DateTime] object of kind "Unspecified"
# Its value is midnight at the start of the last day of the employee's access, as interpreted in the local timezone
# Note: Adjust this if $EndDateString is not in m/d/yyyy format.
$EndDate = [DateTime]::ParseExact($EndDateString, "M/d/yyyy", [System.Globalization.CultureInfo]::InvariantCulture)
# EndTimestamp is a [DateTime] object of kind "Utc"
# Its value is the UTC (GMT) representation of the exact second when the user account should be disabled -
# in this case midnight in the local timezone at the start of the day after the End Date. If you need access to be terminated earlier than this
# (e.g. 5pm in the local timezone on their last day) then change the .AddDays(1) accordingly.
# Make sure the timezone specified is correct for the End Date specified.
$EndTimestampUTC = [TimeZoneInfo]::ConvertTimeToUtc($EndDate, [TimeZoneInfo]::FindSystemTimeZoneById('AUS Eastern Standard Time')).AddDays(1)
}
$Entity["EndDate"] = $EndDate
$Entity["EndTimestampUTC"] = $EndTimestampUTC
}
Entity not updating after Foreign Multivalue Group relationship connector entity change
Adapter "AD Groups" has a FMG transform to connector "AD Entitlement Control Groups". When an existing entity in that connector updated (to add a second value to the "member" multivalued attribute) the FMG did not re-evaluate on the adapter. Running an Import All on AD Entitlement Control Groups did not update the AD Group adapter entity, and neither did running an Import All on the AD Groups adapter's base connector. The FMG field was only updated when I ran Generate Changes on the AD Groups adapter directly.
ContextNonUnique for synchronised entity returns entity with no duplicate context
When calling CheckFieldUniqueness in a synchronisation task the ContextNonUnique function returns an entity for which no duplicate context exists other than the synchronised entity itself. I suspect it is failing to exclude itself from the check, and that no-one has noticed this before because most of the time CheckFieldUniqueness is called in a provisioning task and so the entity doesn't yet exist in the target entity space.
"Changes register item process on failed / failed with reason Value cannot be null." error after
UNIFYBroker/Plus importing AD Users into a locker. The 'member' field is locker-to-adapter mapped. When I change the member field value in AD and run an Import All on the AD users connector, the following error is logged:
20210118,04:24:11,UNIFYBroker,Change detection engine,Error,"Changes register item processing on failed.
Parameter name: collection. Duration: 00:00:00.0139980
Error details:
Parameter name: collection. Duration: 00:00:00.0139980
Error details:
System.ArgumentNullException: Value cannot be null.
Parameter name: collection
at System.Collections.Generic.HashSet`1..ctor(IEnumerable`1 collection, IEqualityComparer`1 comparer)
at Unify.Product.IdentityBroker.MultiRelationalTransformationContribution.GetChangedMultiValues(IEntityPair entityPair, Boolean relevantFieldsChanged)
at System.Linq.Enumerable.d__23`3.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.EntityPartitionPostgreSqlContextBase`3.GetEntitiesByFieldValues(TEntityKey field, IEnumerable`1 values)
at Unify.Product.IdentityBroker.MultiRelationalTransformationContribution.d__25.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.d__64`1.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.ChainedTransformationChangeProcessor.PublishChange(IEntityPair[] changedEntityPairs, DateTime changeProcessTime, ICollection`1 changeRecords)
at Unify.Product.IdentityBroker.ChainedTransformationChangeProcessor.ProcessChangeReport(IDictionaryTwoPassDifferenceReport`4 changesReport, DateTime changeProcessTime)
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.ChangeReportProcessor.ProcessCurrentReport(IEnumerable`1 adapterTransformationProcessors, IDictionaryTwoPassDifferenceReport`4 differenceReport, DateTime changeTime)
at Unify.Product.IdentityBroker.ChangeReportProcessor.CreateAndProcessReport[T](ITransformationChangeProcessor[] adapterTransformationProcessors, ICollection`1 sourceEnumerable, DateTime changeTime, HashSet`1 invalidEntities, Action`2 addAction, Func`3 addCheck)
at Unify.Product.IdentityBroker.ChangeReportProcessor.ProcessReport(IChangeReportProcessingRequest request)",Normal
This is not urgent, just noting it here for completeness. I don't believe it will impact the solution I'm currently working on.
See also: https://voice.unifysolutions.net/en/communities/6/topics/57-import-all-entitiesfrom-connector-workday-employee-failed-with-reason-value-cannot-be-null for the same error message - ticket closed but it may be that the underlying issue was not identified or fixed.
The fix for this has been included in the latest UNIFYBroker 5.3 release.
"The following entities are missing field used for the join criteria" warning for non-existent entity
After a locker object was deprovisioned, the following warning started appearing when Baseline Sync was run:
20210118,02:44:56,UNIFYBroker,ProvisioningExecutor,Warning,The following entities [Count:1] for the link Entitlement Groups > Azure Cloud Groups (fa3bdd0f-5e3c-4fea-83c0-f7560800340c) are missing the field used for the join criteria: 723878ee-5950-4949-a5a0-3546820373a1: [ Cloud Group Name ],Normal
There is no entity with ID 723878ee-5950-4949-a5a0-3546820373a1 in the Broker/Plus UI. I suspect this is a locker entity that didn't get properly deleted, and this warning is appearing because the locker no longer has a value for 'Cloud Group Name'. But I am unsure if this is the only contributing cause.
Customer environment details are in the first comment. I am currently seeing if I can reproduce the issue.
Could not complete synchronization on link due to a converging join error
The follow error is appearing in my UNIFYBroker/Plus log. Could you tell me more about what it means?
Request to sync changes on link failed.
Request to sync changes on link Employees > AD Users (6410cee2-8159-4cc3-89d6-0a3cc3d46fdb) in direction outgoing failed with message Could not complete synchronization on link '6410cee2-8159-4cc3-89d6-0a3cc3d46fdb' due to a converging join error.
First source entity id: cb04dfa0-66e9-46fd-862d-54512e11f2c3
Second source entity id: fb3ee77f-5370-44e7-b1ce-0b01c39c0f88
Offending target entity id: 4ffd33d1-ec16-464d-90cc-ab0fe7d7b93a [Count:6492]. Duration: 00:00:02.2246402
Error details:
System.Exception: Could not complete synchronization on link '6410cee2-8159-4cc3-89d6-0a3cc3d46fdb' due to a converging join error.
First source entity id: cb04dfa0-66e9-46fd-862d-54512e11f2c3
Second source entity id: fb3ee77f-5370-44e7-b1ce-0b01c39c0f88
Offending target entity id: 4ffd33d1-ec16-464d-90cc-ab0fe7d7b93a
at Unify.Product.Plus.LinkSynchronizer`2.JoinAndMap(IEnumerable`1 filterResult, IDictionary`2 changesDict)
at Unify.Product.Plus.Link.SynchronizeChanges[TSourceEntity,TTargetEntity](IEnumerable`1 changes, IEnumerable`1 syncTasks, Func`1 getTargetContextAccessor, IConnectionsContext connectionContext, ISynchronizationHelper`2 helper, IProvisioner`2 provisioner)
at Unify.Product.Plus.Link.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.LinkNotifierDecorator.<>c__DisplayClass42_0.<SynchronizeAdapterChanges>b__0()
at Unify.Framework.Notification.NotifierDecoratorBase.Notify[TResult](ITaskNotificationFactory notificationFactory, Func`1 function)
at Unify.Product.Plus.LinkNotifierDecorator.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.LinkAuditingDecorator.SynchronizeAdapterChanges(IEnumerable`1 changes)
at Unify.Product.Plus.AdapterToLockerSynchronizationJob.RunBase()
at Unify.Product.Plus.SynchronizationJobExecutor.<ThreadAction>d__8.MoveNext()
I found the duplicate adapter record - this is indeed a data error so this ticket can be closed.
Thank you!
UNIFYBroker/Plus locker deprovision doesn't remove entities from CSV or PowerShell connectors
I have a UNIFYBroker/Plus link with outgoing deprovision configured to a CSV adapter/connector, and when a joined locker entity is deleted the joined adapter/connector entity isn't deleted when a Changes Sync is run on the link. It isn't deleted when a Baseline Sync runs on the link, either.
I tried the same process with a PowerShell connector and the same behaviour was apparent (i.e. the adapter/connector entity was not deleted). I added logging and confirmed that the entity was not passed to the PowerShell connector's Delete script at all.
For reference, after Sync the Remove Joins page for the link did not show the deleted entity for either the locker or the adapter.
I don't know of anyone from Professional Services who has used Outgoing Deprovision in a UNIFYBroker/Plus solution before, so it may be worth checking around to see if this functionality has every been exercised before.
Error on AD group provisioning: System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection
The following error is occuring when I provision an AD group using the Active Directory connector. The group provisions just fine, but the following error is logged:
I will put the UNIFYConnect customer environment details in the next message, for access to the log files and config.
Hi Adrian
You'll need to set the Primary Object Class configuration on the connector to "Group", instead of "User". This field is used in the filter of a confirmation search request made after an entity is added to AD.
Access to source entity fields for target entities returned by CheckFieldUniqueness
When using the CheckFieldUniqueness component to ensure target entity field uniqueness I would like to use source entity field values in order to calculate candidate values for the unique field. I'm only aware of a way to access target entity field values.
Is there a way to access the source entities for a target entity in this scenario?
Otherwise, please change this ticket to an Idea to have the ability to do so.
I see. You could just mapping the required values to to fields on the target entities, but assuming you don't want to do that you should process the $joinedEntities collection into a HashTable keyed on the target entities. For example:
$entityMap = @{};
foreach ($joinedEntity in $joinedEntities)
{
$entityMap[$joinedEntity.TargetEntity] = $joinedEntity.SourceEntity;
}
You'll then be able to use the target entities returned by CheckFieldUniqueness to lookup the corresponding source entity efficiently.
Time Offset Flag description in UNIFYBroker doesn't match the implementation or the voice documentation
On the Edit Timeoffset Flag page in the UNIFYBroker UI, the description says:
In particular, "The target value is populated based on whether the current time is less than, equal to or greater than the offset value".
The Voice documentation (https://voice.unifysolutions.net/en/knowledge-bases/7/articles/2888-time-offset-flag-transformation) says:
An actual configuration appears like this in the UI:
When this transform was evaluated on 15/12/2020 for a value of StartDate="03/Feb/2020" the value to which PreStart was set was "Yes".
This matches the UI configuration, and the Voice documentation (i.e. source time compared to NOW - with the source time offset implied). However, it does not match the description in the "Edit Timeoffset Flag" UI (i.e. NOW compared to the offset value - with "offset value" presumably meaning "source time plus offset"). The "Edit Timeoffset Flag" UI description is reversed compared to those others and therefore misleading.
Customer support service by UserEcho
