Active directory entitlement Deletion along with member removal

Hi,

We need to delete an Active Directory entitlement group using BeanShell code. To achieve this, we must first remove all members from the entitlement group, and then proceed to delete the entitlement from both SailPoint and the target side in a single provisioning plan.

Can anyone help or provide a suggestion on how we can achieve this use case?

@vinaygopal221

You can follow the approach below:

  1. Write a method to find all the users who have this entitlement/group in IIQ.
  2. Write a method to generate a plan for a user to remove the entitlement.
  3. Pass this plan to LCM Provisioning or use the Provisioner API.
  4. Once the entitlements are removed from the user, then:
  5. Write a method to delete the object from IIQ. Use the Provisioner to execute the plan.

You can use it to remove the group/entitlement of a user from IIQ.

  import java.util.List;
  import sailpoint.api.Provisioner;
  import sailpoint.object.Identity;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;

  /**
   * Remove one or more AD groups from an identity's account and push the change
   * to the target through the Provisioner. The rule's "context" and a "logger"
   * are assumed to already be in scope.
   *
   * @param samAccountName the identity name (also used as the account's native identity)
   * @param appName        the name of the AD application in IIQ
   * @param listOfEnt      the group values to remove from the "memberOf" attribute
   * @return "success" if the plan executed, otherwise "failure"
   */
  public String removeEntFromIIQ(String samAccountName, String appName, List listOfEnt) {
    logger.info("Entering method removeEntFromIIQ");
    String isSuccess = "failure";
    Identity idn = context.getObjectByName(Identity.class, samAccountName);

    try {
      ProvisioningPlan plan = new ProvisioningPlan();
      AccountRequest accRequest = new AccountRequest();

      // Modify the existing AD account rather than creating or deleting it
      accRequest.setApplication(appName);
      accRequest.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
      accRequest.setNativeIdentity(samAccountName);

      // One Remove request per group on the multi-valued memberOf attribute
      if (null != listOfEnt && !listOfEnt.isEmpty()) {
        for (String adGroup : listOfEnt) {
          accRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, adGroup));
        }
      }

      plan.add(accRequest);
      plan.setIdentity(idn);

      try {
        // compile() resolves the plan against the application; execute() sends it to the connector
        Provisioner provisioner = new Provisioner(context);
        provisioner.compile(plan);
        provisioner.execute(plan);
        isSuccess = "success";
      } catch (Exception ex) {
        logger.error("Exception occurred while doing provisioning " + ex.getMessage());
      }
    } catch (Exception exception) {
      logger.error("Exception occurred " + exception.getMessage());
    }
    logger.info("Exiting method removeEntFromIIQ");
    return isSuccess;
  }

For any other method, if you need help, let me know.
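An added end-to-end example that ties the five steps above together (this is editor-added code, not code from the thread or from SailPoint). It finds the group's members through IdentityEntitlement rows, removes the group from each member with its own plan, and only when every removal has gone through does it issue an ObjectRequest to delete the group itself. The application name `Active Directory`, the group DN, the `dryRun` flag and the use of `ObjectRequest`/`ObjectOperation.Delete` plus `plan.getResult()` for the status check are assumptions about your environment and the IIQ API; `context` and `log` are the usual rule-scope objects.

```java
// Added example (not from the original thread). Runs as a BeanShell rule body in IIQ.
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import sailpoint.api.Provisioner;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.ProvisioningResult;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Constructed sample values (assumptions): replace with your AD application name and group DN.
String appName = "Active Directory";
String groupDn = "CN=XYZ,OU=Groups,DC=example,DC=com";
// Start in dry-run mode: log what would happen without provisioning anything.
boolean dryRun = true;

// Step 1: group membership is stored as IdentityEntitlement rows
// (application + attribute name + value), so query those directly
// instead of loading every Identity.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.and(
    Filter.eq("application.name", appName),
    Filter.eq("name", "memberOf"),
    Filter.ignoreCase(Filter.eq("value", groupDn))));

List members = new ArrayList();
Iterator it = context.search(IdentityEntitlement.class, qo);
while (it.hasNext()) {
    members.add(it.next());
}
Util.flushIterator(it);
log.info("Group " + groupDn + " has " + members.size() + " member(s) in IIQ");

// Steps 2 and 3: one Modify plan per member that removes the group from memberOf.
Provisioner provisioner = new Provisioner(context);
int failed = 0;
for (Object o : members) {
    IdentityEntitlement ie = (IdentityEntitlement) o;
    Identity identity = ie.getIdentity();
    if (identity == null) {
        continue; // orphaned row, nothing to provision against
    }

    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    AccountRequest acct = new AccountRequest();
    acct.setApplication(appName);
    acct.setOperation(AccountRequest.Operation.Modify);
    // Use the account's own native identity (the AD DN) rather than the identity name.
    acct.setNativeIdentity(ie.getNativeIdentity());
    acct.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, groupDn));
    plan.add(acct);

    if (dryRun) {
        log.info("DRY RUN: would remove " + groupDn + " from " + identity.getName());
        continue;
    }
    try {
        provisioner.compile(plan);
        provisioner.execute();
        // Assumption: the connector reports back through the plan's ProvisioningResult;
        // a null result is treated as "no failure reported".
        ProvisioningResult result = plan.getResult();
        if (result != null && ProvisioningResult.STATUS_FAILED.equals(result.getStatus())) {
            failed++;
            log.error("Removal failed for " + identity.getName() + ": " + result.getErrors());
        }
    } catch (Exception e) {
        failed++;
        log.error("Removal threw for " + identity.getName() + ": " + e.getMessage());
    }
}

// Steps 4 and 5: delete the group only once no member still holds it, so a half-done
// run never leaves accounts pointing at a group that no longer exists on the target.
if (dryRun) {
    log.info("DRY RUN: would delete group " + groupDn + " on " + appName);
} else if (failed > 0) {
    log.error(failed + " removal(s) failed; leaving group " + groupDn + " in place");
} else {
    // Assumption: the AD connector supports group provisioning, so this ObjectRequest
    // removes the group on the target and IIQ drops the matching ManagedAttribute.
    ProvisioningPlan groupPlan = new ProvisioningPlan();
    ObjectRequest groupReq = new ObjectRequest();
    groupReq.setType("group");
    groupReq.setApplication(appName);
    groupReq.setNativeIdentity(groupDn);
    groupReq.setOp(ProvisioningPlan.ObjectOperation.Delete);
    groupPlan.addObjectRequest(groupReq);
    provisioner.compile(groupPlan);
    provisioner.execute();
    log.info("Deleted group " + groupDn + " on " + appName);
}
```

Run it first with `dryRun = true` and compare the logged member count against what Advanced Analytics shows for the group; only then flip the flag. Keeping the group delete behind the "zero failures" gate is deliberate: if the connector cannot support group provisioning in your environment, the member removals still complete and you can remove the ManagedAttribute from IIQ separately instead of deleting the group on the target.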

We need to get the member details of one particular group (XYZ). How can we get the samAccountName of the users who have that XYZ group? Can you please provide a suggestion on how we can get those users' samAccountName?

Use Advanced Analytics to find the users who belong to a certain group.

You need to add a filter in your code block; use Filters to fetch the accounts having that specific group.

@vinaygopal221 Using a filter, you can try this:

  import sailpoint.object.Filter;
  import sailpoint.object.Identity;
  import sailpoint.object.QueryOptions;

  Filter adFilter1 = Filter.and(
    Filter.eq("identityEntitlements.application.name", "<AD Application Name>"),
    Filter.eq("identityEntitlements.name", "memberOf"),
    Filter.eq("identityEntitlements.value", "<Your Group Name>")
  );

  QueryOptions qo = new QueryOptions();
  qo.addFilter(adFilter1);

  // Return identities matching the criteria
  return context.getObjects(Identity.class, qo);

Make modifications according to your need. The return statement will return all the identities that have the entitlement. You can use an iterator to iterate over the result and get all the identity usernames.

