Symantec IGA


Loop in Policy Xpress

  • 1.  Loop in Policy Xpress

    Posted Jul 02, 2020 04:50 PM
    Hi,

    I have the following issue:

    I created a policy that runs on "Event Error".

    When this policy is executed and an environment error happens, it starts executing indefinitely. The policy has been configured to ignore environment errors but the error still persists. I would like to know if there is any way to solve this problem.


    Log Message:


    ERROR [ims.tmt.IMSMessageListener] (Thread-45988 (HornetQ-client-global-threads-1380903202)) Exception occured during event processing: EventExecuteStateException: An error occurred while executing AssignProvisioningRoleEvent.

    ERROR MESSAGE:

    PxSystemException: A loop has been detected in the evaluation of data elements. Canceling ...

    An error occurred while performing the action type Action.name.set.string.variable

    An error occurred while executing the workflow Set Variable. Stopping event.

                   at com.ca.identitymanager.policyxpress.listeners.PxStateListener.execute(PxStateListener.java:152) [identitymanager.jar:]



    Thanks in advance

    Regards

    Martin


  • 2.  RE: Loop in Policy Xpress

    Posted Jul 03, 2020 03:08 PM
    It's difficult to determine what is causing the loop without a better description of the PX Policy or Policies that are triggering the loop.

    If I have specifically configured a PX Policy that has the potential to loop, I'll use a variable or logical attribute as a "counter" to run it a maximum number of times. If that's not possible, I'd try to solve the problem so that the condition creating the loop is not possible. 

    Example 1. We had a case where we were trying to assign an RSA SecurID token, but wanted to execute an external script to perform a single explore/correlate for the user if the tool was not aware of the endpoint account. In this scenario, I'd put a counter in place to run the policy a set number of times when using a "redo policy" type of action.

    Example 2. We once hit a loop because we had a PX Policy that would write information to a logical attribute and send a message to a staging table via stored procedure. I also had another PX Policy that would run on an error to update the staging table with a message of why the task failed. The first PX was attempting to call a stored procedure and sending a "dumb apostrophe" in the message to the staging table. This would create an error trying to insert the data to the table, then attempt to retry over and on the failed event policy. In this scenario we ensured no "dumb apostrophes" in messages written that were going to the staging table. If I could not control the data, I'd perform a check and replace "dumb apostrophes" with "closing apostrophes" before sending the data to a staging table.


  • 3.  RE: Loop in Policy Xpress

    Posted Jul 03, 2020 04:32 PM
    Adam,

    thanks for answering

    Let me explain a little more what was done:

    1) A first policy calls a WebService to obtain X data (to replicate the loop I forced a connection error timeout to happen). This policy runs when an Error in the AssignProvisioningRole happens.
    2) This first policy (Action Rules) sets the value of X in a variable that is used by a second policy and sends X to a second WebService
    3) The second policy gets the value of the variable from the first policy and sends an email if the value could be obtained or not.
    4) When you see the log, you could see 

    Regards

    Martin


  • 4.  RE: Loop in Policy Xpress

    Posted Jul 03, 2020 05:02 PM
    This is just my best guess currently...

    Possibly the variable is not available due to using different PX policy "TYPES". Maybe the variable is being set on an EVENT like, before AssignProvisioningRoleEvent and you are trying to get the variable with a TASK Failed type of PX Policy on a failure. Since the variable cannot be read, it causes a loop.

    If I recall correctly, the PX variables can only be used within the same TYPE of PX Policy. 

    I could be way off base, when you say variable, I'm assuming PX variable.


  • 5.  RE: Loop in Policy Xpress

    Broadcom Employee
    Posted Jul 03, 2020 06:16 PM
    PX variables can only be retrieved by a PX policy that is of the same type as the PX policy that sets them. You set the variable in the Action tab of a policy, and you retrieve it in the Data tab of a subsequent policy or policies.


  • 6.  RE: Loop in Policy Xpress

    Posted Jul 06, 2020 02:56 PM
    Iyes,

    thanks for answering. The 2 policies are of the same type but the loop persists

    Regards

    Martin


  • 7.  RE: Loop in Policy Xpress

    Broadcom Employee
    Posted Jul 06, 2020 03:00 PM
    Martin, can you explain what you mean when you say the loop persists?

    Thanks!


  • 8.  RE: Loop in Policy Xpress

    Posted Jul 06, 2020 03:08 PM
    Iyes,

    I mean, when you check the log, you start having messages one after the other indicating that a loop happens. The application tries to cancel it, fails and runs the same process again.

    If I don't disable the policy at that time, the log fills up in a short time since the task never ends and is in progress.

    If you enter the VST (View Submitted Task), you can see that the task is in progress but the task's events are finished.
    If you see the log, it starts writing error messages associated with the loop

    That's what I call "The error Persists"

    Regards

    Martin


  • 9.  RE: Loop in Policy Xpress

    Posted Jul 06, 2020 02:54 PM
    Adam,

    the policies are of the same type. What's more, if I don't force the error to occur, the second policy correctly receives the data, so I don't think that's the problem

    And you're right, Variable = PX Variable, sorry about that

    Regards

    Martin


  • 10.  RE: Loop in Policy Xpress

    Posted Jul 06, 2020 02:59 PM
    When the error happens and get this error

    PxSystemException: A loop has been detected in the evaluation of data elements. Canceling ...

    I think it is impossible to cancel the event / task, then the application retries indefinitely


  • 11.  RE: Loop in Policy Xpress

    Broadcom Employee
    Posted Jul 06, 2020 03:03 PM
    Are you doing a list iterator?


  • 12.  RE: Loop in Policy Xpress

    Posted Jul 06, 2020 03:42 PM
    Here're the Data Elements

    Data Elements
    I'm not doing a list iterator



  • 13.  RE: Loop in Policy Xpress

    Posted Jul 06, 2020 07:33 PM
    Looking back at your original message, it looks like the error is occurring trying to set the PX variable instead of during the get operation. I don't know enough about the Policies you have to provide meaningful input.

    The best I can say is just generic suggestions, such as can the entry or action rules be adjusted to accommodate for the scenario you are attempting to test? Is it something like if "PX Variable" equals "", then redo current policy on the "Error Event"?

    I'd definitely be interested to see what you have if you could scrub any sensitive data from the .xml files for the policies in question.


  • 14.  RE: Loop in Policy Xpress

    Broadcom Employee
    Posted Jul 06, 2020 07:44 PM
    As a test please try to set the variable to a constant value and then retrieve it in the next PX. If you don't get the looping error then, revert back to original and write message to VST with the value of the variable that you are setting.

    thanks!


  • 15.  RE: Loop in Policy Xpress

    Posted Jul 07, 2020 03:18 PM
    Iyes,

    I did what you asked me and effectively the loop didn't occur.

    When I try to show it in the VST it appears empty and in the log it appears that it is a NULL value. So I guess that the policy fails because I want to set a NULL value on a PX Variable

    To set the value of the variable, I do a get to a Webservice which, when answering me timeout, cannot set the value in the variable (NULL)

    On the other hand, I tried to put a condition in the PX action rules to set the value of the variable as long as it has been possible to obtain a value but it's never executed.

    Is there a way to avoid this problem or to resolve the NULL value?

    Regards

    Martin


  • 16.  RE: Loop in Policy Xpress

    Broadcom Employee
    Posted Jul 07, 2020 03:58 PM
    Edited by Iyes Dendeni Jul 07, 2020 04:01 PM
    So if I understand correctly, you have the following flow:

    1) The value of the variable is retrieved with a REST API call in the Data elements of the first PX.
    2) The variable is set to this value in Actions tab of the first PX
    3) The value of the variable retrieved in the Data tab of the second PX
    4)  Perform additional business logic in PX2 using the value of the variable (could be REST API calls)

    Let's forget about the looping issue for now. Assuming the above is the flow, the question then what happens if the value retrieved in step 1 is null? Will it have an impact on step 4? 

    If the additional business process in step 4 is perfectly fine with a null value of the variable, then why not perform the following:

    a) Test for null value in step 1,
    b) If null then set the value in the Action tab of PX1 to the literal string NULL. 
    c) Retrieve variable in PX2 (this is step 3 above), and test for string value "NULL" (additional data handling logic to step 3 above)
    d) If string compare matches "NULL", set the value to null (real null) and execute your business logic (step 4)

    Let us know if this helps, otherwise I'm afraid we will need more information about what you're doing exactly. You can open a support case, and we can move this discussion there if there is concern about sharing additional information.

    Thanks!





  • 17.  RE: Loop in Policy Xpress

    Posted Jul 08, 2020 12:35 PM
    Iyes,

    1) The value of the variable is retrieved with a REST API call in the Data elements of the first PX.
    2) The variable is set to this value in Actions tab of the first PX
    3) The value of the variable retrieved in the Data tab of the second PX
    4)  Perform additional business logic in PX2 using the value of the variable (could be REST API calls)

    this is right what I'm doing.

    "Let's forget about the looping issue for now. Assuming the above is the flow, the question then what happens if the value retrieved in step 1 is null? Will it have an impact on step 4?"

    Answer: It doesn't have an impact on the second policy. I guess the problem comes when I tried to set a NULL value on a PX Variable

    I believe that the second policy is not the problem since, although the first policy fails, the second policy receives "empty" as value.

    On the other hand, I tried setting a condition that evaluates if, the obtained value is equal to NULL but, it did not work. The condition was not evaluated at any time

    Regards

    Martin


  • 18.  RE: Loop in Policy Xpress

    Posted Jul 07, 2020 03:27 PM
    Adam,

    From what I was testing, when setting values in variables through Data Elements and they could not be calculated correctly (NULL value), the policy fails and when it is set to error, it enters a loop. For now it is an assumption not something concrete.

    If so, do you know of any way to replace the NULL value?

    Regards

    Martin


  • 19.  RE: Loop in Policy Xpress

    Posted Jul 07, 2020 03:53 PM
    Could an Action Rule(s) be set with Priority 0 on the Policy setting the PX Variables to try to redo the current Policy to account for the connection error timeout? This might be a good time to use a counter via PX Variable to run a certain amount of times with a Sleep action as well. Possibly try 5 times with a 60 second sleep each time the PX is evaluated and any of the other PX Variables are NULL. If PX Variables are still NULL, have Action Rule Priority 1 end the task. Action Rule(s) Priority 2+ could set the PX Variables if previous conditions were not met.

    I have not tested this, just my first thought on how I'd start trying to solve for it.


  • 20.  RE: Loop in Policy Xpress

    Posted Jul 08, 2020 11:33 AM
    Adam,

    I don't understand very well the general idea. Could you clarify it a little more please?

    Is this possible to do? I think it isn't.

    Could you explain to me how the policy could be configured so that it is automatically re-executed x number of times and if it is not successful, it is canceled?

    Regards

    Martin


  • 21.  RE: Loop in Policy Xpress

    Posted Jul 07, 2020 04:01 PM
    Another thing that I saw was that, for the policies that are executed on the error of an event / task, it is possible that some error, for example an environment error, causes the data elements not to be calculated correctly, which produces NULL values. If those values are later used in Action Rules, for example, they may produce a loop


  • 22.  RE: Loop in Policy Xpress

    Posted Jul 08, 2020 12:13 PM
    In general, what I am proposing is a validation that data was received before attempting to set the PX Variable(s). I think setting the PX Variable with NULL data is creating the error, which is resulting in a loop.

    As a real life example. I have a PX Policy where I validate a customer has an account on the targeted endpoint (that IM is aware of) before attempting to assign an RSA Token to it. We only run our Explore/Correlate processes daily, and someone could have had a new account created outside of the tool.

    In this Policy the Action Rules are below
    1. Maximum Attempts Exhausted - Condition Get varCounter Equals 5 - Priority 0
      1. if this condition is met, the below actions are performed
        1. Write an Error Message
        2. Stop Processing
    2. RSA Account - Account Correlation Script - Condition Get RSA Account Not contains the selected RSA endpoint - Priority 1
      1. If this condition is met, the below actions are performed.
        1. Execute Explore Correlate Script for the user and endpoint
        2. Sleep 5 Seconds
        3. Go to Policy that sets the varCounter variable


    Before this PX Policy executes, I set a data element "varCounter" in another PX Policy.
    In this, if varCounter = NULL, set it to 1
    If varCounter = 1, set it to 2
    etc.

    If the varCounter gets to 5, the action rule mentioned in the other Policy "Maximum Attempts Exhausted" takes over and stops the Task.


  • 23.  RE: Loop in Policy Xpress

    Posted Jul 16, 2020 04:29 PM

    Adam,

    I tried the following:

    - I created a policy that runs on the error that, initializes a counter to 0 and saves the value in a variable

    - I tried to pass that variable to another policy that also runs on the error

    - When the error occurs, the value of the variable from one policy to the other is not passed correctly (I get empty value). It seems to me that it is not possible to perform this action on the error but you can perform it at any other time of the event


    - Another thing I tried was to use that empty value as a condition in the second policy but the policy did not work correctly

    Regards

    Martin




  • 24.  RE: Loop in Policy Xpress

    Posted Jul 18, 2020 12:21 PM
    I am not specifically proposing that you run it on error, and it may also be helpful to set to ignore environment issues on the particular policy that is attempting to get data via webservices call. I'm proposing to accept the possibility that you may not receive data due to network or other issues, and if the data element is null, don't try to set the PX variable, and try to run the request again with a counter. After you've satisfied a specific number of tries, then fail the task via PX if the data element is null and the counter has reached a specific number.

    The disclaimer is, I haven't specifically run into your specific scenario to test this.  It's merely a suggestion of a possible way to handle it. It might be helpful for you to open a support case as Iyes mentioned.
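
The pattern proposed in posts 22 and 24 (skip the variable set when no data came back, count the attempts, then fail the task once) can be modelled outside the product. The Python below is an added illustration, not Policy Xpress configuration and not code from any poster or from Broadcom; every name in it (`make_service`, `set_variable`, `run_on_error`, `RUNAWAY_CAP`) is hypothetical, and the rule that setting a variable to NULL raises an error is the thread's working assumption, not confirmed product behaviour.

```python
MAX_ATTEMPTS = 5      # retry ceiling, like the varCounter rule in the thread
RUNAWAY_CAP = 1000    # safety stop so the runaway case ends in this demo

def make_service(timeouts):
    """Constructed stand-in for the web service; None models a timeout."""
    state = {"calls": 0}
    def fetch():
        state["calls"] += 1
        return None if state["calls"] <= timeouts else "X-value"
    return fetch

def set_variable(variables, name, value):
    """Assumption taken from the thread: setting a variable to NULL errors."""
    if value is None:
        raise ValueError(f"cannot set {name} to NULL")
    variables[name] = value

def unguarded_policy(fetch, variables):
    set_variable(variables, "X", fetch())   # errors on every timeout
    return "done"

def guarded_policy(fetch, variables):
    counter = variables.get("varCounter", 0)
    if counter >= MAX_ATTEMPTS:             # highest-priority rule: give up
        variables["status"] = "failed"      # fail the task once, cleanly
        return "done"
    variables["varCounter"] = counter + 1
    value = fetch()
    if value is None:                       # no data: do not touch the variable
        return "redo"                       # a Sleep action would go here
    set_variable(variables, "X", value)
    variables["status"] = "ok"
    return "done"

def run_on_error(policy, fetch):
    """Engine model: an error inside the error policy re-fires that policy."""
    variables = {}
    for runs in range(1, RUNAWAY_CAP + 1):
        try:
            outcome = policy(fetch, variables)
        except ValueError:
            outcome = "redo"
        if outcome == "done":
            return runs, variables
    return RUNAWAY_CAP, variables           # cap reached: the endless loop
```

With a service that never answers, the unguarded policy only stops at the demo's safety cap, while the guarded one ends after `MAX_ATTEMPTS` fetches with a single failed status.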