
[Bug] 'Update SOD policy by ID' (set-sod-policy) shouldn't require policyQuery parameter on Conflicting Access Based Policies

Open liisball opened this issue 2 years ago • 1 comments

Describe the bug

When updating SoD policies via the PUT /sod-policies/:id endpoint, it returns 400.1 Bad request content, although as per the API documentation all fields are correct. In particular, the policies we're trying to update have "type": "CONFLICTING_ACCESS_BASED" and conflictingAccessCriteria present, but no policyQuery field (because it shouldn't be necessary for that type of policy). The error goes away if policyQuery is added, and it needs to be equal to the current (not updated) policy query. This seems like a bug; these requests should pass without policyQuery being set.

To Reproduce

Here is an example request that returns 400.1 in our sandbox environment:

PUT https://<domain>/v3/sod-policies/<id>
{
    "name": "<policy_name>",
    "description": "<policy_description>",
    "type": "CONFLICTING_ACCESS_BASED",
    "ownerRef": {
        "type": "IDENTITY",
        "id": "<identity_id>"
    },
    "state": "ENFORCED",
    "conflictingAccessCriteria": {
        "leftCriteria": {
            "name": "<left_criteria_name>",
            "criteriaList": [
                {
                    "type": "ENTITLEMENT",
                    "id": "<entitlement_id1>"
                }
            ]
        },
        "rightCriteria": {
            "name": "<right_criteria_name>",
            "criteriaList": [
                {
                    "type": "ENTITLEMENT",
                    "id": "<entitlement_id2>"
                }
            ]
        }
    }        
}

When adding policyQuery to this same request, it returns 200. Other than logical considerations, the problem with adding policyQuery to this request is that sometimes the query is very long (we have a lot of criteria in these lists, and quite a few policies), and this results in a 500 response due to some sort of processing error.

Expected behavior: For the request to pass without setting policyQuery when the type is CONFLICTING_ACCESS_BASED

Actual behavior: A 400.1 Bad request content response

liisball, Oct 31 '23 12:10

🎉 Thanks for opening your first issue here! Be sure to follow the issue template, and welcome to the community! 🙌

codey-bot[bot], Oct 31 '23 12:10