Assigning Entitlement directly to Identity (to skip creation of birthright roles)

IIQ 8.3p2

Hello all,
I’m trying to figure out how to assign an entitlement using a ProvisioningPlan. I’m running the following:

identity - identity object
roleName - string with role name

ProvisioningPlan roleAssignmentPlan = new ProvisioningPlan();
roleAssignmentPlan.setIdentity(identity);
roleAssignmentPlan.setSource("SomeName");

AccountRequest accountRequest = new AccountRequest();
accountRequest.setApplication(ProvisioningPlan.APP_IIQ);

AttributeRequest att = new AttributeRequest();
att.setName(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES);
att.setOperation(ProvisioningPlan.Operation.Add);
att.setValue(roleName);

accountRequest.add(att);

roleAssignmentPlan.add(accountRequest);

Provisioner provisioner = new Provisioner(context);
provisioner.execute(roleAssignmentPlan);

But either it won’t provision the entitlement or I’m doing something wrong.
I can’t figure out what I’m missing here.

Thanks in advance.

Hi @AdrianBialorucki,

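Try with this code. Replace the identity and role.

identity - identity object
roleName - string with role name

import java.util.ArrayList;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

ProvisioningPlan assignmentPlan = new ProvisioningPlan();
assignmentPlan.setIdentity(identity);
assignmentPlan.setSource("SomeName");
List accReqs = new ArrayList();
// Role assignments are requested against the IIQ application itself
AccountRequest acctReq = new AccountRequest(AccountRequest.Operation.Modify, ProvisioningPlan.APP_IIQ, null, identity.getName());
acctReq.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES, ProvisioningPlan.Operation.Add, roleName));
accReqs.add(acctReq);
assignmentPlan.setAccountRequests(accReqs);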

Provisioner provisioner = new Provisioner(context);
provisioner.compile(assignmentPlan);
provisioner.execute();
2 Likes

Hello Arun,

Thank you for your reply!

It seems to be working - I can see the group being provisioned in the Admin Center, but I’d like to ask something to see if I understand this process fully.

Here:

AccountRequest acctReq = new AccountRequest(AccountRequest.Operation.Modify, ProvisioningPlan.APP_IIQ, null, identity.getName());

Should the “ProvisioningPlan.APP_IIQ” be directed at the application - let’s call it SAP_Hana_P40_Tenant - in which I’d like to assign the group to the user? Or should it remain as IIQ, and IIQ will then provision the group during aggregations?

Regards,

If your defined role in IIQ has entitlements related to “SAP_Hana_P40_Tenant”, then keep the application as IIQ. That would mean adding the IIQ role to the user which applies the entitlements defined in the role.

1 Like
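
For contrast with the role-based plan in the thread, this is how a request for a single entitlement directly on the target application can be built. It is an added example, not code from any poster or from SailPoint. The class name, the helper `assign`, and its parameters are hypothetical; the caller supplies the application name (for instance SAP_Hana_P40_Tenant from the question) and the entitlement attribute name and value defined in that application's schema.

```java
import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.GeneralException;

public class DirectEntitlementAssignment {

    // Hypothetical helper: requests one entitlement value on the identity's
    // existing account in the target application, instead of assigning a role.
    public static void assign(SailPointContext context, String identityName,
                              String appName, String attrName, String value)
            throws GeneralException {
        Identity identity = context.getObjectByName(Identity.class, identityName);
        Application app = context.getObjectByName(Application.class, appName);
        if (identity == null || app == null) {
            throw new GeneralException("Unknown identity or application");
        }

        // The request must name the account (native identity) on the target
        // application; stop rather than create an account implicitly.
        Link account = identity.getLink(app);
        if (account == null) {
            throw new GeneralException(identityName + " has no account on " + appName);
        }

        AccountRequest acctReq = new AccountRequest(AccountRequest.Operation.Modify,
                appName, null, account.getNativeIdentity());
        AttributeRequest attrReq = new AttributeRequest(attrName,
                ProvisioningPlan.Operation.Add, value);
        // Record it as an assigned entitlement so it is tracked on the identity.
        attrReq.setAssignment(true);
        acctReq.add(attrReq);

        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);
        plan.setSource("SomeName"); // same source label as in the thread
        plan.add(acctReq);

        Provisioner provisioner = new Provisioner(context);
        provisioner.compile(plan);
        provisioner.execute();
    }
}
```

The difference from the role plan is the account request target: the real application name and the account's native identity replace `ProvisioningPlan.APP_IIQ` and the identity name, so the access is granted without a role and needs its own review and revocation path.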