API to delete an IIQ application

I'm wondering if there is an API to programmatically delete an application using the plugin I'm building?

If you're building a plugin, your plugin code should have access to the SailPoint context, which means you can code that out (note that you will want to use the sailpoint.api.Terminator class to do that safely).

As Brian mentioned, you can use the Terminator class to delete an application, but you need to be cautious: deleting an application will attempt to remove links and other references in the SailPoint object model in the database. If your application has several K records, you may want to consider the performance hit.

Deleting just the application with the Terminator is usually not sufficient. When we decommission an existing application which has links, we use a Rule which first finds all the links users have and deletes the links with the Terminator. It is also better to do it with multiple threads. And finally, all this should preferably be packed into a workflow, because I'm not sure whether just the API call is sufficient and won't time out etc., effectively terminating the process.
In a real-world scenario, having an API to delete an application could get very complex. You likely need to verify if the caller has rights to delete the application, etc.

Agreed with @neeme_vool. Deleting an application can have adverse effects in IIQ. I typically avoid deleting the Application object itself for many reasons. One example would be an issue I found in identity refreshes with process events. If the old identity (IdentityArchive) being compared to the current identity has a Link with a reference to a deleted Application, the refresh process will start throwing null pointer exceptions because it can no longer resolve that reference.

If you want to delete the Application with Terminator, you would probably need additional logic to delete other references which the Terminator class does not clean up, such as the IdentityArchive Link references, Attribute and Role assignments on identities that reference the application, TaskDefinitions that reference the application, etc.

Isn't the Terminator class meant to delete all reference objects as well? I believe that is the same class the IIQ console uses when deleting an application, and it removes all references.

Yes it is, but it’s not perfect in that regard. Some things like IdentitySnapshot and CertificationArchive objects hold references to Applications, ManagedAttributes, etc. that the Terminator API doesn’t resolve or traverse, which can cause problems whenever those objects are accessed later.

Brian, do you have a comprehensive list of which objects must be deleted explicitly besides Link objects when decommissioning the Application? Because some entities in IdentityIQ do not have a hard reference to the Application in the form of an Id, but by name. And in such cases a missing Application does not cause a problem. So far we have succeeded in decommissioning applications by iterating Link objects and deleting them with Terminator. And after that we use Terminator on the Application. Have you experienced NPEs when deleting only Links?

You need to check the TaskDefinitions and remove the application from the TaskDef, or remove the complete TaskDef, for the account and group aggregations. Also check any mention of the application in reports or certification definitions.

Be aware the application will still be visible in snapshots, certification objects, audit events, etc. (all history/historical objects). This will not interfere with the working/processing of IIQ.
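
The order of operations described in this thread (delete the application's Links with the Terminator, then the Application itself), as an added sketch that is not code from any poster or from SailPoint. The class name `ApplicationDecommissioner`, the method `decommission` and the batch size are hypothetical; it runs single-threaded, assumes the plugin has already authorized the caller, and does not touch the archive, snapshot or TaskDefinition references mentioned above.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.api.Terminator;
import sailpoint.object.Application;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;

/** Hypothetical helper (not an IdentityIQ class): delete Links first, then the Application. */
public class ApplicationDecommissioner {
    private static final int BATCH_SIZE = 100; // assumed value; tune for your data volume

    /** Caller authorization is assumed to be enforced by the plugin before this runs. */
    public static int decommission(SailPointContext context, String appName)
            throws GeneralException {
        if (context.getObjectByName(Application.class, appName) == null) {
            throw new GeneralException("Application not found: " + appName);
        }
        // Collect Link ids up front so later commits/decache do not disturb an open cursor.
        QueryOptions qo = new QueryOptions();
        qo.addFilter(Filter.eq("application.name", appName));
        List<String> linkIds = new ArrayList<>();
        Iterator<Object[]> rows = context.search(Link.class, qo, "id");
        while (rows.hasNext()) {
            linkIds.add((String) rows.next()[0]);
        }
        Terminator terminator = new Terminator(context);
        int deleted = 0;
        for (String id : linkIds) {
            Link link = context.getObjectById(Link.class, id);
            if (link == null) continue; // already removed elsewhere
            terminator.deleteObject(link);
            if (++deleted % BATCH_SIZE == 0) {
                context.commitTransaction();
                context.decache(); // keep the Hibernate session small
            }
        }
        context.commitTransaction();
        context.decache();
        // Re-read the Application: any earlier instance was detached by decache().
        Application app = context.getObjectByName(Application.class, appName);
        if (app != null) {
            terminator.deleteObject(app);
            context.commitTransaction();
        }
        return deleted; // number of Links removed before the Application was deleted
    }
}
```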
