IntegrationConfig and using the TraceExecutor class for debugging

  • 7011134
  • 22-Aug-2011
  • 19-Oct-2012

Resolution

Tested Versions: 5.2

Date: 8/15/2011

Reference Materials

Training Guide / Materials

5.2 Advanced Implementer Training - Session 12 - Sailpoint Novell Identity Manager and Broker Presentation

Demo Data Examples

This assumes the Demo Data package has been installed in the $SPHOME directory. See the Compass downloads for more information.

$SPHOME/WEB-INF/config/demo/test/Integration

Product Materials

Use these guides for specific integration examples.

  • 5_2_Access Governance Suite_BMC_IdM_Integration_Guide.pdf
  • 5_2_Access Governance Suite_ITIM_Integration_Guide.pdf
  • 5_2_Access Governance Suite_NovellIDM_Integration_Guide.pdf
  • 5_2_Access Governance Suite_OIM_Integration_Guide.pdf 
  • 5_2_Access Governance Suite_SRM_Integration_Guide.pdf
  • "integration" folder in identityiq-5.2.zip or ISO file.
  • http://<host>:<port>/identityiq/doc/javadoc

What is an IntegrationConfig?

IntegrationConfig objects define how Access Governance Suite interacts with external applications for provisioning requests and role synchronization. Each IntegrationConfig names the Java class that executes each request, the applications (managed resources) the integration handles, and the settings that control the integration's behavior.

5.2 GA IntegrationExecutor Classes

IntegrationExecutor classes are the Java classes that do the provisioning work. The following is a partial list of the executor classes that ship with the product.

  • sailpoint.integration.itim.ITIMIntegrationExecutor.class
  • sailpoint.integration.novell.NovellIntegrationExecutor.class
  • sailpoint.integration.remedy.RemedyIntegrationExecutor.class
  • sailpoint.integration.tdi.TDIIntegrationExecutor.class

Debugging using the TraceExecutor class

Debugging a live integration can be difficult given all of the moving parts. It is often useful to isolate the downstream provisioning system (OIM, TDI, Novell IDM, etc.) from Access Governance Suite so that you can see exactly which provisioning requests are being handed to the IntegrationExecutor.

Enable TraceExecutor to view requests

  1. Back up the IntegrationConfig objects (export them so the original executor class can be restored afterwards).
  2. Modify the IntegrationConfig and change the executor attribute to sailpoint.integration.TraceExecutor.
  3. All provisioning requests routed to that integration are now written to standard out in JSON format. Nothing reaches the downstream system while TraceExecutor is in place, so use this in a test environment and restore the original executor when you are done.

    <IntegrationConfig name='My Custom Integration' executor='sailpoint.integration.TraceExecutor'>

        ...

    </IntegrationConfig>


Log4j Settings

The following log4j settings (in $SPHOME/WEB-INF/classes/log4j.properties) can be enabled to further debug the provisioning process. Trace-level output of the ProvisioningPlan includes every attribute value in the plan, which may include credentials such as newly set passwords, so treat the resulting log as sensitive and revert these settings when the investigation is finished.

  • log4j.logger.sailpoint.api.Provisioner=trace
  • log4j.logger.sailpoint.object.ProvisioningPlan=trace

Trace Executor

The TraceExecutor class is an example sailpoint.integration.IntegrationExecutor implementation that writes provisioning requests to standard out instead of sending them to a downstream system. It is useful for debugging both provisioning integration and role synchronization setups. The JSON object written to standard out is the plan as the executor receives it, that is, after Provisioning Policies, Rules and workflow changes have been applied to the provisioning plan.

Example

This example assumes the following setup:

  • At least one application defined with entitlements
  • Identity Cubes built and application data aggregated
  • LCM Enabled

Setup Steps:

  1. Expand the demo data for 5.2 into $SPHOME (or download the attached file).
  2. Import the example IntegrationConfig object and example rule from WEB-INF/config/demo/test/Integration/TraceIntegration.xml (for example with the import command in the iiq console).
  3. Launch the Integration console:
       $SPHOME/WEB-INF/bin/iiq integration -j
     (-j loads the JLine command history utility in UNIX/OS X environments.)
  4. Test the setup:
       integration> use "Trace Integration"
       integration> ping
     A cheerful message appears.

Example Steps:

Now that the IntegrationConfig is loaded, any provisioning request will be sent directly to the TraceExecutor class and written to standard out. Note that the configuration uses a special flag that makes every application a managed resource of this integration:

<entry key='universalManager' value='true'/>

This is not a standard setting for live deployments, because it routes every provisioning request in the system to this one integration. Normally an IntegrationConfig is defined for a specific set of applications, each listed in its ManagedResources section, and only requests that target those applications are routed to it.
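As an added illustration (not the shipped TraceIntegration.xml), the two styles side by side: the demo's universalManager flag, and the normal form that lists specific applications under ManagedResources. The application name Active_Directory is taken from the sample output further down; the element layout is assumed from typical 5.x IntegrationConfig exports, so verify it against sailpoint.dtd and the shipped TraceIntegration.xml before relying on it.

```xml
<!-- Demo form: universalManager makes every application a managed resource.
     Only suitable for a test system, since every provisioning request in the
     system is routed to this executor and never reaches a real target. -->
<IntegrationConfig name="Trace Integration" executor="sailpoint.integration.TraceExecutor">
  <Attributes>
    <Map>
      <entry key="universalManager" value="true"/>
    </Map>
  </Attributes>
</IntegrationConfig>

<!-- Normal form: only requests for the applications listed under ManagedResources
     are routed to this executor; requests for other applications are unaffected.
     Active_Directory is the application name from the sample output on this page. -->
<IntegrationConfig name="Trace Integration" executor="sailpoint.integration.TraceExecutor">
  <ManagedResources>
    <ManagedResource>
      <ApplicationRef>
        <Reference class="sailpoint.object.Application" name="Active_Directory"/>
      </ApplicationRef>
    </ManagedResource>
  </ManagedResources>
</IntegrationConfig>
```

The second form is the one to use when swapping TraceExecutor into an existing integration for debugging: keep its ManagedResources as they are and change only the executor attribute, so that requests for unrelated applications keep flowing to their own integrations.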

Now let us see what happens when you request a single entitlement.

  1. Log in as a user that can request entitlements for themselves or others.
  2. Select an application and request a single entitlement.
  3. If approvals are required, log in as the approver and approve the request.
  4. Open the application server standard out and view the JSON object printed. (The sample below happens to show a removal of the InternalAudit group; an entitlement addition produces the same structure with "op" : "Add".)

TraceExecutor: provision Antonio.Franklin

{
  "identity" : "Antonio.Franklin",
  "accounts" : [{
    "application" : "Active_Directory",
    "nativeIdentity" : "299",
    "op" : "Modify",
    "attributes" : [{
        "op" : "Remove",
        "name" : "groupmbr",
        "value" : "InternalAudit"
    }]
  }],
  "args" : {
    "sourceType" : "LCM",
    "requester" : "Aaron.Nichols",
    "requesters" : ["Aaron Nichols"],
    "source" : "LCM",
    "identityLastname" : "Franklin",
    "identityFirstname" : "Antonio",
    "sourceName" : null,
    "identityName" : "Antonio.Franklin",
    "sourceId" : null
  }
}

Note that with the log4j settings above, the internal ProvisioningPlan is also printed to standard out. You can also enable the trace flag in workflows to print the provisioning plan before it is modified by any configurations or customizations, which makes it straightforward to compare the plan as requested with the plan the executor actually received.
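Once several requests have been traced, reading pretty-printed JSON off a busy stdout by eye is slow. The following script is an added example written for this article, not part of the product: it pulls each "TraceExecutor: provision <identity>" header and the JSON plan that follows it out of a stdout capture, flattens the accounts into rows, and flags a few things worth a second look while debugging: a plan whose target differs from the header, a self-service request, and an operation on an entitlement from a watch list. The capture text and the watch list are constructed; the plan in the capture is the one shown above.

```python
"""Pull TraceExecutor plans out of application-server stdout and review them.

Added example for this article, not part of the product. It assumes only the
output format shown on this page: a line "TraceExecutor: provision <identity>"
followed by a pretty-printed JSON plan.
"""
import json
import re
from typing import List, Optional, Tuple

# Constructed sample of a stdout capture. The plan is the one shown on this
# page; the INFO lines are made-up noise to show the parser skipping them.
SAMPLE_STDOUT = """\
INFO  2011-08-15 10:01:02,345 Workflower - unrelated line before the plan
TraceExecutor: provision Antonio.Franklin
{
  "identity" : "Antonio.Franklin",
  "accounts" : [{
    "application" : "Active_Directory",
    "nativeIdentity" : "299",
    "op" : "Modify",
    "attributes" : [{
        "op" : "Remove",
        "name" : "groupmbr",
        "value" : "InternalAudit"
    }]
  }],
  "args" : {
    "sourceType" : "LCM",
    "requester" : "Aaron.Nichols",
    "requesters" : ["Aaron Nichols"],
    "source" : "LCM",
    "identityLastname" : "Franklin",
    "identityFirstname" : "Antonio",
    "sourceName" : null,
    "identityName" : "Antonio.Franklin",
    "sourceId" : null
  }
}
INFO  2011-08-15 10:01:03,001 Workflower - unrelated line after the plan
"""

HEADER = re.compile(r"^TraceExecutor: provision (\S+)[ \t]*$", re.MULTILINE)

# (application, nativeIdentity, op, attribute name, value)
Row = Tuple[Optional[str], Optional[str], Optional[str], Optional[str], Optional[str]]


def extract_plans(text: str) -> List[Tuple[str, dict]]:
    """Return (identity, plan) for every TraceExecutor plan in the capture.

    The plan is pretty-printed over many lines, so rather than guessing where
    it ends, hand the text after the header to raw_decode, which stops at the
    matching closing brace and ignores whatever log lines follow.
    """
    decoder = json.JSONDecoder()
    plans = []
    for m in HEADER.finditer(text):
        start = text.index("{", m.end())  # first brace after the header line
        plan, _end = decoder.raw_decode(text, start)
        plans.append((m.group(1), plan))
    return plans


def flatten(plan: dict) -> List[Row]:
    """Flatten a plan into one row per attribute value.

    An account operation with no attribute requests (e.g. a Delete) yields a
    single row carrying the account op; multi-valued attributes yield one row
    per value.
    """
    rows: List[Row] = []
    for acct in plan.get("accounts", []):
        app, native = acct.get("application"), acct.get("nativeIdentity")
        attrs = acct.get("attributes") or []
        if not attrs:
            rows.append((app, native, acct.get("op"), None, None))
        for attr in attrs:
            values = attr.get("value")
            if not isinstance(values, list):
                values = [values]
            for value in values:
                rows.append((app, native, attr.get("op"), attr.get("name"), value))
    return rows


def review(identity: str, plan: dict, sensitive_values=frozenset()) -> List[str]:
    """Flag things worth a second look: header/plan identity mismatch,
    self-service requests, and operations on a constructed watch list of
    sensitive entitlement values (e.g. audit groups)."""
    findings = []
    args = plan.get("args") or {}
    if plan.get("identity") != identity:
        findings.append(f"header names {identity} but plan targets {plan.get('identity')}")
    if args.get("requester") == plan.get("identity"):
        findings.append("self-service request: requester is the target identity")
    for app, native, op, name, value in flatten(plan):
        if value in sensitive_values:
            findings.append(f"{op} {name}={value} on {app}/{native} touches a sensitive entitlement")
    return findings


if __name__ == "__main__":
    for identity, plan in extract_plans(SAMPLE_STDOUT):
        print(identity, flatten(plan), review(identity, plan, {"InternalAudit"}))
```

Run it against a saved copy of the application server stdout instead of SAMPLE_STDOUT to get one summary row per attribute change; comparing those rows with what was requested in LCM is the quickest way to spot a Provisioning Policy or rule that is rewriting the plan.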