Active directory entitlement removal

Can anyone help me in this scenario? I need to remove all the access of Active Directory as soon as the user’s LCS state is set to ‘Lapsed.’ I’m already using a ‘Before provisioning’ rule to move users from their current OU to the ‘Lapsed’ OU. Is it possible to add the access removal code to the same ‘Before provisioning’ rule?

Thanks,
Harish G

You need to check how the access is granted to the user in the first place.

If it is Role criteria, then the user will get the access back. Make sure you add LCS to your Role assignment criteria as well.

If it is an Access Request and you remove just the access (entitlements), the user will get it back, since the user still has the Role/Access Profile.

I would suggest using a Workflow to remove all the Roles/APs.

Look into this, it might help you.

Workflow to remove ALL leavers’ standing access - IdentityNow (IDN) / IDN Show and Tell - SailPoint Developer Community Forum
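The distinction this reply draws (access that is revocable by request versus access that comes back because its parent Role or Access Profile is still there, or because the Role is criteria-based) can be made mechanical. The following is an added example, not code from this thread or from SailPoint: it takes a constructed record of what a lapsed identity holds, decides which items a REVOKE_ACCESS request can durably remove, which ones would be re-granted, and which ones are direct AD grants that have to be removed at the connector instead. The `granted_by` and `entitlements` fields on the sample records are assumptions standing in for however your tenant exposes assignment source; the payload keys (`requestedFor`, `requestType`, `requestedItems`) are those of IdentityNow's `POST /v3/access-requests`.

```python
"""Plan a leaver revocation for IdentityNow (added example, not the thread's code).

Input records are constructed for this example. Only the payload shape
follows the public v3 access-requests API.
"""

# Constructed sample of one identity's access. 'granted_by' and 'entitlements'
# are stand-ins (assumptions) for the assignment source and the entitlements a
# Role/Access Profile delivers.
SAMPLE_ACCESS = [
    {"type": "ROLE", "id": "r-1", "name": "Staff Baseline",
     "granted_by": "ROLE_CRITERIA", "entitlements": ["e-3"]},
    {"type": "ROLE", "id": "r-2", "name": "Finance Analyst",
     "granted_by": "REQUEST", "entitlements": []},
    {"type": "ACCESS_PROFILE", "id": "ap-1", "name": "AD Finance",
     "granted_by": "REQUEST", "entitlements": ["e-1"]},
    {"type": "ENTITLEMENT", "id": "e-1", "name": "CN=FinanceRO,OU=Groups,DC=example,DC=local"},
    {"type": "ENTITLEMENT", "id": "e-2", "name": "CN=Printers,OU=Groups,DC=example,DC=local"},
    {"type": "ENTITLEMENT", "id": "e-3", "name": "CN=AllStaff,OU=Groups,DC=example,DC=local"},
]


def plan_leaver_revocation(identity_id, access, comment):
    """Return (payload, direct, skipped).

    payload - body for POST /v3/access-requests revoking request-granted
              Roles and Access Profiles (the parents, not the leaves)
    direct  - entitlements no Role/Access Profile delivers; these are the
              AD-team grants that need connector-level removal (for AD, a
              Remove on memberOf) rather than an access request
    skipped - (id, reason) pairs for items deliberately left out
    """
    revoke, direct, skipped = [], [], []
    delivered_by = {}  # entitlement id -> (parent id, how the parent was granted)

    # First pass: parents. A criteria-assigned Role is re-evaluated on the next
    # identity refresh, so revoking it is pointless; the durable fix is to add
    # the lifecycle state to the Role's criteria.
    for item in access:
        if item["type"] not in ("ROLE", "ACCESS_PROFILE"):
            continue
        for ent_id in item.get("entitlements", []):
            delivered_by[ent_id] = (item["id"], item["granted_by"])
        if item["granted_by"] == "ROLE_CRITERIA":
            skipped.append((item["id"],
                            "assigned by role criteria; add the lifecycle state to the criteria instead"))
        else:
            revoke.append(item)

    # Second pass: leaf entitlements. Anything a parent delivers is skipped,
    # because removing the leaf while the parent stays just gets it re-granted.
    for item in access:
        if item["type"] != "ENTITLEMENT":
            continue
        if item["id"] in delivered_by:
            parent, how = delivered_by[item["id"]]
            skipped.append((item["id"],
                            "delivered by %s (%s); remove the parent, not the leaf" % (parent, how)))
        else:
            direct.append(item)

    payload = {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [
            {"type": i["type"], "id": i["id"], "comment": comment} for i in revoke
        ],
    }
    return payload, direct, skipped


if __name__ == "__main__":
    body, direct_grants, left_out = plan_leaver_revocation("2c91808a-example", SAMPLE_ACCESS, "LCS lapsed")
    print("revoke request:", body)
    print("remove at connector:", [d["name"] for d in direct_grants])
    print("skipped:", left_out)
```

Running it on the sample leaves `r-2` and `ap-1` in the revoke request, hands `e-2` (the group nobody's Role or Access Profile explains) to the connector-level path, and reports why `r-1`, `e-1` and `e-3` were left out.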

Hi @MVKR7T ,

Thank you for your reply. I need to remove the entitlements assigned by the AD team. I believe the current workflow does not support the removal of entitlements. I have tried using the code below in conjunction with the movers code, but it doesn’t seem to be working as expected.

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import sailpoint.object.Account;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String lcsState = null;
boolean moveOUADFlag = false;

// Build a Remove request for a multi-valued attribute (memberOf carries the group DNs).
public AttributeRequest newAttributeRequestRemove(String attributeName, Object attributeValue) {
  AttributeRequest attributeRequest = new AttributeRequest();
  attributeRequest.setName(attributeName);
  attributeRequest.setOperation(ProvisioningPlan.Operation.Remove);
  attributeRequest.setValue(attributeValue);
  return attributeRequest;
}

log.info("Entering into the code");
if (plan != null) {
  Identity identity = plan.getIdentity();
  lcsState = (String) identity.getAttribute("cloudLifecycleState");
  log.info("Fetching cloudLifecycleState: " + lcsState);

  for (AccountRequest accountRequest : plan.getAccountRequests()) {
    // Only act on Modify requests; null-safe so a request without an op cannot NPE.
    if (!ProvisioningPlan.ObjectOperation.Modify.equals(accountRequest.getOp())) {
      continue;
    }
    log.debug("Entering the loop");
    moveOUADFlag = false;
    List attributes = accountRequest.getAttributeRequests();
    String nativeIdentity = accountRequest.getNativeIdentity();
    String appName = accountRequest.getApplication();

    // The mover logic keys off the description attribute being pushed to AD.
    if (attributes != null) {
      for (AttributeRequest attribute : attributes) {
        if ("description".equals(attribute.getName())) {
          moveOUADFlag = true;
          log.debug("Setting the description flag to true");
        }
      }
    }

    if (moveOUADFlag && lcsState != null && lcsState.equalsIgnoreCase("lapsed")) {
      accountRequest.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set,
          "OU=Lapsed,OU=Staff,OU=Sandbox,OU=IDM,DC=,DC=local"));
      log.debug("Moving to Lapsed OU");

      // Read the account's current groups from IDN and remove every one of them.
      // The original added an empty list here, which removes nothing.
      Account adAccount = idn.getAccountByNativeIdentity(appName, nativeIdentity);
      if (adAccount != null) {
        Map adAttributes = adAccount.getAttributes();
        Object accountGroups = (adAttributes != null) ? adAttributes.get("memberOf") : null;
        if (accountGroups != null) {
          List removeList = new ArrayList();
          // Defensive: a multi-valued attribute is normally a List, but treat a
          // single String value as a one-element list as well.
          if (accountGroups instanceof List) {
            removeList.addAll((List) accountGroups);
          } else {
            removeList.add(accountGroups);
          }
          if (!removeList.isEmpty()) {
            accountRequest.add(newAttributeRequestRemove("memberOf", removeList));
            log.debug("Removing " + removeList.size() + " group(s) from memberOf");
          }
        }
      }
    }
  }
}

Thanks,
Harish G
