Assigning an entitlement on link creation

Which IIQ version are you inquiring about?

8.3

Share all details about your problem, including any error messages you may have received.

When we provision Atlassian users, we want to add a group to each new account. This group represents all of our service desk customers. Atlassian accounts are provisioned for users when they select a user name, which is a separate attribute from the SailPoint identity name. The group has been aggregated into our system as the entitlement jira-servicemanagement-customers-portlandstate.

It depends on how accounts are provisioned in this application (birthright, request-based, etc.).

The simplest way is to define a role that includes this group and assign that role to the user during account creation.

Hi @adevore ,

As @ajmerasunny says, this would be best done in a BeforeProvisioning Rule of the Atlassian application.

Here you can find an example of how to do it:

```java
import java.util.List;

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String defaultGroup = "jira-servicemanagement-customers-portlandstate";

// Only act if there's a provisioning plan with account requests
if (plan != null && plan.getAccountRequests() != null) {
    List acctRequests = plan.getAccountRequests();

    for (AccountRequest acctReq : acctRequests) {
        // The rule is attached to the Atlassian application, so only the
        // operation needs checking. getOperation() returns an enum, not a String.
        if (AccountRequest.Operation.Create.equals(acctReq.getOperation())) {

            // Check if group entitlement already present
            boolean hasEntitlement = false;
            List attrRequests = acctReq.getAttributeRequests();

            if (attrRequests != null) {
                for (AttributeRequest ar : attrRequests) {
                    Object value = ar.getValue();
                    // The value may be a single String or a List of group names;
                    // compare whole names rather than substrings.
                    boolean matches = (value instanceof List)
                        ? ((List) value).contains(defaultGroup)
                        : defaultGroup.equals(value);
                    if ("groups".equalsIgnoreCase(ar.getName()) && matches) {
                        hasEntitlement = true;
                        break;
                    }
                }
            }

            // If not present, add the default group
            if (!hasEntitlement) {
                // The operation is a ProvisioningPlan.Operation enum value
                AttributeRequest groupAttr = new AttributeRequest(
                    "groups", ProvisioningPlan.Operation.Add, defaultGroup);

                acctReq.add(groupAttr);

                log.info("Added default Atlassian group entitlement to new account.");
            }
        }
    }
}

return plan;
```

Key Details

  • This logic triggers only on account creation (op = "Create").
  • It checks whether the entitlement is already present.
  • If not, it adds it explicitly using AttributeRequest.
  • This assumes the entitlement is managed as a group-type attribute, named "groups".

Hope this helps! Let me know if you have any questions.

You can create an IT role and associate the default group with it. Then, create a business role that includes the previously created IT role. Additionally, define an assignment rule. Any identity that meets the criteria specified in the assignment rule will automatically be assigned this business role along with the associated entitlements.
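The role structure described in the post above, as an added example that is not part of the original post or SailPoint's shipped configuration. It assumes the application object is named `Atlassian` and the group attribute is `groups` (as in the rule earlier in the thread); the role names and the `MatchTerm` attribute and value are placeholders to replace with the real assignment criteria.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>

  <!-- IT role: carries the entitlement. Listed first so the business role's
       reference to it resolves on import. Role name is a placeholder. -->
  <Bundle name="EXAMPLE Atlassian Service Desk Customer - IT" type="it">
    <Profiles>
      <Profile>
        <ApplicationRef>
          <!-- Assumed application name; use the name of your Atlassian application -->
          <Reference class="sailpoint.object.Application" name="Atlassian"/>
        </ApplicationRef>
        <Constraints>
          <!-- "groups" is the attribute name the rule in this thread assumes -->
          <Filter operation="CONTAINS_ALL" property="groups">
            <Value>
              <List>
                <String>jira-servicemanagement-customers-portlandstate</String>
              </List>
            </Value>
          </Filter>
        </Constraints>
      </Profile>
    </Profiles>
  </Bundle>

  <!-- Business role: auto-assigned by the selector, requires the IT role above -->
  <Bundle name="EXAMPLE Atlassian Service Desk Customer" type="business">
    <Requirements>
      <Reference class="sailpoint.object.Bundle"
                 name="EXAMPLE Atlassian Service Desk Customer - IT"/>
    </Requirements>
    <Selector>
      <IdentitySelector>
        <MatchExpression>
          <!-- Placeholder criterion: substitute the identity attribute and
               value that identify who should receive the application -->
          <MatchTerm name="EXAMPLE_IDENTITY_ATTRIBUTE" value="EXAMPLE_VALUE"/>
        </MatchExpression>
      </IdentitySelector>
    </Selector>
  </Bundle>

</sailpoint>
```

The selector is evaluated during an identity refresh that has role assignment enabled, and the required IT role's entitlement is provisioned when that refresh is also set to provision assignments.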

It looks like we’re going with Ramanayya’s solution. Everyone who gets this application provisioned has a predictable pattern that I can match against for a business role. From there, I can produce an IT role. The business role could be useful for other situations as well.
