Which IIQ version are you inquiring about?
8.3sp2
Issue Summary
I have code that will remove assigned roles based on a condition. However, I am having a hard time pulling the right data from the assigned role Bundle object to successfully check for the condition for removal correctly. My condition is:
if (role's parent application == appName), then remove it
In the GUI on sailpoint, I can see what application the assigned role is associated with. However, I cannot always find it when traversing the objects via code. Sometimes it is in the required role’s .getApplications() return data, and sometimes it is just blank. Also, I have tried to use .referencesApplication but it does not return the true condition when I believe it should (I am printing out the comparison data to ensure that I can see it iterating through the desired apps and roles).
Breakdown of data desired:
For all assigned roles, the .getApplications() method will return an empty list.
For the Bundles returned from assignedRole.getRequirements(), the getApplications() on those elements will sometimes return the app name they are associated with.
Ideal Solution
I would want a piece of code that will always return the elements that can be found here in the GUI on the Entitlements tab.
Trouble Code
public static void RemoveRequestableRole(Identity identity, Link Link, String appName, String FlowName, String FlowDescription)
{
// just for fun... these should never be null
if (identity == null || Link == null || appName == null || FlowName == null || FlowDescription == null)
{
return;
}
// Creates provisioning plan and account request to modify user's assigned roles
ProvisioningPlan plan = new ProvisioningPlan ();
plan.setIdentity(identity);
AccountRequest accountRequest = new AccountRequest();
accountRequest.setNativeIdentity(identity.getName());
accountRequest.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
accountRequest.setApplication("IIQ");
taskResult.addMessage(new Message(Message.Type.Info,"AppName: " + appName, null));
// Iterate through assigned roles on Cube
List assignedRoles = identity.getAssignedRoles();
for (Bundle b: assignedRoles)
{
// Iterate through IT role requirements to match on the app we want to remove
taskResult.addMessage(new Message(Message.Type.Info,"Assigned: " + b.getFullName(), null));
taskResult.addMessage(new Message(Message.Type.Info,"Assigned Role Apps: " + b.getApplications(), null));
Application tst_app = context.getObjectByName(Application.class, appName);
taskResult.addMessage(new Message(Message.Type.Info,"Required Role reference in " + tst_app.getName()+ ": " + b.referencesApplication(tst_app), null));
List requiredRoles = b.getRequirements();
for (Bundle req : requiredRoles)
{
taskResult.addMessage(new Message(Message.Type.Info,"Required Role: " + req.getFullName(), null));
taskResult.addMessage(new Message(Message.Type.Info,"Required Role Apps: " + req.getApplications(), null));
taskResult.addMessage(new Message(Message.Type.Info,"Required Role reference in " + tst_app.getName()+ ": " + req.referencesApplication(tst_app), null));
// Iterate through applications the roles can be applied to
Set reqApps = req.getApplications();
for (Application app : reqApps)
{
// If we match, then remove this bad boi
if (app.getName().equals(appName))
{
// Created attribute request to modify the IIQ application on the Cube level
taskResult.addMessage(new Message(Message.Type.Info,"Role to remove: " + b.getFullName(), null));
AttributeRequest ar = new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES , ProvisioningPlan.Operation.Remove, b.getFullName());
accountRequest.add(ar);
}
}
}
}
// Now that plan is built, send off to workflow scheduler
plan.add(accountRequest);
// Add the attributes to be used in the workflow
Attributes wfArgs = new Attributes();
wfArgs.put("flow",FlowName);
wfArgs.put("identityName",identity.getName());
wfArgs.put("application", appName);
ScheduleWorkflow(plan,wfArgs,"CNS LCM Provisioning", FlowDescription + identity.getDisplayableName()+" ("+identity.getName()+")");
}