We have a custom workflow that creates new groups in Active Directory, and while testing this workflow, we created quite a few test groups. We’d like to implement a process for cleaning them up. Since they are being run through the Entitlement Update workflow, they show up in the Provisioning Transaction table, so I thought I might be able to schedule a Provisioning Transaction report, and use the resulting CSV (with slight tweaks) in a Batch Request to delete those Managed Attributes (and their associated AD groups). But when I looked at the docs for Batch Requests, DeleteManagedAttribute or DeleteEntitlement are not available as operation types. Is there, by any chance, an undocumented feature that would allow me to do this? (And yes, I did actually try it, and got an “Invalid Operation” error).
And yes, I know I could write a rule and run it from a task (or probably a half dozen other ways), but I’m trying to do the simplest thing that could possibly work, and also avoid doing any (more) custom development work. TIA for any suggestions you might have.
The proper thing to do here would be to delete the AD groups in AD then run a Group Aggregation with Detect Deleted Groups enabled. If you have the DNs of the AD groups you created, you should be able to construct a provisioning plan to delete them all and then execute it in IIQ.
Alternatively, you could also do a quick and dirty delete of the AD groups via PoSh on your IQService host (it will have the AD PoSh tools installed already); see Remove-ADGroup - PowerShell - SS64.com.
Note that if you had a good naming convention for the AD groups, you can possibly do a one-line command like this example:
# Get all groups whose name starts with 'SS64' and remove them:
Get-ADGroup -Filter 'Name -like "SS64*"' | Remove-ADGroup
Brian and Abhishek, thanks for your suggestions; I really appreciate it. In the spirit of doing the simplest thing that could possibly work, using the CSV from the OOTB Provisioning Transaction report and sending that to our AD admins for them to use as input to a PowerShell script is the answer. Then a scheduled Group Aggregation with Detect Deleted Groups selected, and everything is back to normal. Thanks!
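The CSV-driven PowerShell cleanup that the thread settles on, written out as an added example (this is not code from the original posts or from SailPoint). It assumes the Provisioning Transaction CSV has been trimmed to a single DistinguishedName column (the column name is an assumption), that the AD module is available on the host (true for an IQService box, as noted above), and that the test groups share an OU and a name prefix; the OU DN and the IIQTEST- prefix are placeholders. Unlike the one-liner, it refuses anything outside the test OU, anything not matching the prefix, and any group that still has members, and it supports -WhatIf so the dry run can be reviewed before anything is deleted.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module, a CSV
# with a DistinguishedName column, and test groups living under one OU.
Import-Module ActiveDirectory

function Remove-TestAdGroups {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [object[]] $Rows,      # objects with a DistinguishedName property (e.g. from Import-Csv)
        [Parameter(Mandatory)] [string]   $AllowedOu, # DN of the OU holding the test groups; anything outside is refused
        [string] $NamePrefix = 'IIQTEST-',            # assumed naming convention for the test groups
        [switch] $AllowNonEmpty                       # by default, refuse to delete a group that still has members
    )

    foreach ($row in $Rows) {
        $dn = "$($row.DistinguishedName)".Trim()
        $result = [pscustomobject]@{ DistinguishedName = $dn; Action = 'skipped'; Reason = '' }

        # Guard 1: the DN must sit directly under the allowed OU. This check runs
        # before any AD call, so a stray production row never even gets looked up.
        if (-not $dn.EndsWith(",$AllowedOu", [System.StringComparison]::OrdinalIgnoreCase)) {
            $result.Reason = 'outside allowed OU'; $result; continue
        }

        # Guard 2: the object must exist and actually be a group.
        try {
            $group = Get-ADGroup -Identity $dn -Properties Members -ErrorAction Stop
        } catch {
            $result.Reason = "not found or not a group: $($_.Exception.Message)"; $result; continue
        }

        # Guard 3: the name must follow the test-group naming convention.
        if ($group.Name -notlike "$NamePrefix*") {
            $result.Reason = 'name does not match test prefix'; $result; continue
        }

        # Guard 4: a test group should be empty; a populated one is probably in real use.
        if ($group.Members.Count -gt 0 -and -not $AllowNonEmpty) {
            $result.Reason = "has $($group.Members.Count) member(s); pass -AllowNonEmpty to override"; $result; continue
        }

        # ShouldProcess wires -WhatIf and -Confirm through to the caller.
        if ($PSCmdlet.ShouldProcess($dn, 'Remove-ADGroup')) {
            Remove-ADGroup -Identity $group -Confirm:$false -ErrorAction Stop
            $result.Action = 'removed'
        } else {
            $result.Reason = 'WhatIf or declined at confirmation'
        }
        $result
    }
}

# Constructed sample rows standing in for the trimmed Provisioning Transaction CSV.
# The third row is deliberately outside the test OU to show it being refused.
$sample = @'
DistinguishedName
CN=IIQTEST-Finance-01,OU=IIQ Test Groups,DC=corp,DC=example
CN=IIQTEST-HR-02,OU=IIQ Test Groups,DC=corp,DC=example
CN=Domain Admins,CN=Users,DC=corp,DC=example
'@ | ConvertFrom-Csv

# Dry run first; drop -WhatIf once the table looks right. For the real file use
# -Rows (Import-Csv .\ProvisioningTransactions.csv) instead of $sample.
Remove-TestAdGroups -Rows $sample -AllowedOu 'OU=IIQ Test Groups,DC=corp,DC=example' -WhatIf |
    Format-Table -AutoSize
```

The function emits one object per input row with what it did and why, so the output of the -WhatIf run doubles as the record handed back after the deletion, and the subsequent Group Aggregation with Detect Deleted Groups picks up the removals on the IIQ side.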