Policy validation failed error when running reconciliation or using a workflow to set or update attributes to null in OpenIDM 4.5

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you get a "Policy validation failed" error when running reconciliation, or using a workflow to set or update attributes to null in OpenIDM. In the policyRequirements specified in the log file, you will see [{params={invalidType=null, validTypes=[string]}, policyRequirement=VALID_TYPE}].


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

Reconciliation

You will see one of the following errors in the OpenIDM log when performing a reconciliation where one of the fields is empty (in this example, it is the title field):

Nov 08, 2016 10:21:02 AM org.forgerock.openidm.sync.impl.ObjectMapping createTargetObject
WARNING: Failed to create target object
org.forgerock.json.resource.ForbiddenException: Policy validation failed
    at org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:224)
    at org.forgerock.json.resource.ResourceException.getException(ResourceException.java:330)
    at org.forgerock.script.exception.ScriptThrownException.toResourceException(ScriptThrownException.java:125)
    at org.forgerock.script.engine.Utils.adapt(Utils.java:255)
...
Caused by: org.forgerock.script.exception.ScriptThrownException: [object Object] {code=403, detail={result=false, failedPolicyRequirements=[{policyRequirements=[{params={invalidType=null, validTypes=[string]}, policyRequirement=VALID_TYPE}], property=title}]}, message=Policy validation failed}

Nov 08, 2016 10:21:02 AM org.forgerock.openidm.sync.impl.ObjectMapping$2 recon
WARNING: Unexpected failure during source reconciliation f050a1e6-4060-4907-bfff-43e7174a758e-125
org.forgerock.openidm.sync.impl.SynchronizationException: Policy validation failed
    at org.forgerock.openidm.sync.impl.ObjectMapping$SyncOperation.performAction(ObjectMapping.java:1915)
    at org.forgerock.openidm.sync.impl.ObjectMapping$SourceSyncOperation.sync(ObjectMapping.java:2225)
    at org.forgerock.openidm.sync.impl.ObjectMapping$2.recon(ObjectMapping.java:1198)
    at org.forgerock.openidm.sync.impl.ObjectMapping$ReconTask.call(ObjectMapping.java:1325)
    at org.forgerock.openidm.sync.impl.ObjectMapping$ReconTask.call(ObjectMapping.java:1298)
...
Caused by: org.forgerock.openidm.sync.impl.SynchronizationException: Policy validation failed
    at org.forgerock.openidm.sync.impl.ObjectMapping.createTargetObject(ObjectMapping.java:581)
    at org.forgerock.openidm.sync.impl.ObjectMapping.access$1300(ObjectMapping.java:75)
    at org.forgerock.openidm.sync.impl.ObjectMapping$SyncOperation.performAction(ObjectMapping.java:1808)
    ... 10 more
Caused by: org.forgerock.json.resource.ForbiddenException: Policy validation failed

Workflow

The following response is shown when a workflow tries to set a field to null:

{
  "code": 403,
  "reason": "Forbidden",
  "message": "Policy validation failed",
  "detail": {
    "result": false,
    "failedPolicyRequirements": [
      {
        "policyRequirements": [
          {
            "policyRequirement": "VALID_TYPE",
            "params": {
              "validTypes": [ "object" ],
              "invalidType": "null"
            }
          }
        ],
        "property": "title"
      }
    ]
  }
}

Recent Changes

Upgraded to, or installed, OpenIDM 4.5.

Causes

The schema in OpenIDM 4.5 changed to enforce the type of values that can be set, and null is now considered to be its own type. Null was a permitted value in earlier versions of OpenIDM.

Solution

This issue can be resolved by updating the managed object schema to make null a permitted type for the affected field.

You can configure the managed object schema to accept null values by updating the managed.json file (located in the /path/to/openidm/conf directory) and adding null to the type of the affected property. A property can have more than one type when its type is defined as an array, for example:

"type" : ["string","null"],
Note

There is a known issue if you set type to ["relationship","null"] that can cause tabs to disappear in the Admin UI in OpenIDM 4.5: OPENIDM-6742 (["relationship","null"] on 'manager' in managed.json causes tabs to disappear in the UI). This is fixed in IDM 5.
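
The following is an added example, not ForgeRock code: it reads the failedPolicyRequirements from a "Policy validation failed" response, adds null to the type of each affected property in a managed.json structure, and leaves relationship properties untouched because of OPENIDM-6742. The function names, the trimmed managed.json layout (objects[].name, schema.properties) and the sample data are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helpers): widen managed.json property types to
// accept null only for properties named in a "Policy validation failed" error.

// Collect property names that failed VALID_TYPE because the value was null.
// invalidType is null in the log form and "null" in the REST response form.
function nullTypeFailures(errorBody) {
  const failed = (errorBody.detail && errorBody.detail.failedPolicyRequirements) || [];
  return failed
    .filter((f) => (f.policyRequirements || []).some((r) =>
      r.policyRequirement === "VALID_TYPE" &&
      r.params && String(r.params.invalidType) === "null"))
    .map((f) => f.property);
}

// Return a patched copy of the managed config plus the properties left unchanged.
function allowNull(managedConfig, objectName, properties) {
  const config = JSON.parse(JSON.stringify(managedConfig)); // deep copy, input untouched
  const obj = (config.objects || []).find((o) => o.name === objectName);
  if (!obj) throw new Error("managed object not found: " + objectName);
  const skipped = [];
  for (const name of properties) {
    const prop = obj.schema && obj.schema.properties && obj.schema.properties[name];
    if (!prop || prop.type === undefined) { skipped.push({ name, reason: "not in schema" }); continue; }
    const types = Array.isArray(prop.type) ? prop.type.slice() : [prop.type];
    if (types.includes("relationship")) {
      // OPENIDM-6742: ["relationship","null"] makes Admin UI tabs disappear in 4.5.
      skipped.push({ name, reason: "relationship type (OPENIDM-6742)" });
      continue;
    }
    if (!types.includes("null")) types.push("null");
    prop.type = types;
  }
  return { config, skipped };
}

// Constructed sample: trimmed managed.json and a 403 body naming two properties.
const sampleManaged = { objects: [{ name: "user", schema: { properties: {
  title: { type: "string" },
  manager: { type: "relationship" },
} } }] };
const vt = (validType) => [{ policyRequirement: "VALID_TYPE",
  params: { validTypes: [validType], invalidType: "null" } }];
const sampleError = { code: 403, message: "Policy validation failed", detail: {
  result: false, failedPolicyRequirements: [
    { property: "title", policyRequirements: vt("string") },
    { property: "manager", policyRequirements: vt("relationship") },
  ] } };

const result = allowNull(sampleManaged, "user", nullTypeFailures(sampleError));
console.log(JSON.stringify(result, null, 2));
```

Review the skipped list before writing the patched configuration back to managed.json, so that null is permitted only on the fields that actually need it.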

See Also

OpenIDM 4.5 Release Notes › Important Changes to Existing Functionality

Integrator's Guide › Validation of Managed Object Data Types

Integrator's Guide › Creating and Modifying Managed Object Types

Related Issue Tracker IDs

OPENIDM-6742 (["relationship","null"] on 'manager' in managed.json causes tabs to disappear in the UI)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.