Beanshell code to remove a user from an active directory group?

I’ve been doing a lot of searching today but haven’t found a basic example of programmatically removing a member from an active directory group. I’ve been reading about provisioning plans, leaver workflows, and entitlements, but I’m new to SailPoint and am trying to keep things simple for now. I’m ok using a provisioning plan, but how should it be configured to remove one identity from a ManagedAttribute (i.e. AD group)? Thanks

If you have a provisioning plan you can run it using:

// context is the SailPointContext available in a rule or workflow step; plan is the ProvisioningPlan you built
Provisioner provisioner = new Provisioner(context);
provisioner.execute(plan);

However, I advise using a WorkFlow to provision the removal of the AD group membership, as the ‘LCM Provisioning’ workflow also performs retrying if needed and is more resilient compared to directly provisioning a plan using the Provisioner.

– Remold

Hello,

you can try something like this. Account request execution through a Provisioning plan will help. Let me know if the solution works or you need more info on this

import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// link: the Link (AD account) of the identity you are modifying, already looked up in your rule
AccountRequest ar = new AccountRequest();
ar.setNativeIdentity(link.getNativeIdentity());
ar.setApplication(link.getApplicationName());
ar.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);

AttributeRequest attReq = new AttributeRequest();
attReq.setName("memberOf");
attReq.setOperation(ProvisioningPlan.Operation.Add); // change op to ProvisioningPlan.Operation.Remove to take the group away
attReq.setValue("CN for the entitlement goes here");
ar.add(attReq);

// add the account request to the plan once; adding it both via setAccountRequests and add() would duplicate it
ProvisioningPlan plan2 = new ProvisioningPlan();
plan2.add(ar);
2 Likes

Seems that previous replies missed your main misunderstanding. To remove a user from an AD group you really do not touch the ManagedAttribute at all. Do not try to draw a parallel between a real AD group and a ManagedAttribute.
Removing a user from an AD group is similar to removing any other entitlement from the Identity.

  1. You pick the identity
  2. You find the entitlement on the Identity you want to remove
  3. You create a provisioning plan where you provision a Remove operation to that account.

NB! This is NOT production-ready code! No verifications, try/catch blocks, etc. And modifying the identity this way is also not correct in certain places like LCM Lifecycle Event workflows, where it may affect identity locking, etc.

For example:

import java.util.List;
import sailpoint.api.IdentityService;
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;

Identity identity = context.getObjectByName(Identity.class, "YOUR IDENTITY");
Application ad = context.getObjectByName(Application.class, "THE NAME OF YOUR AD APP");
IdentityService is = new IdentityService(context);
// all accounts (Links) this identity holds on the AD application
List listOfLinks = is.getLinks(identity, ad);
for (Link eachLink : listOfLinks) {
    // you have to define your own logic here to check that this is the correct account
    String nativeIdentity = eachLink.getNativeIdentity();
    // if you have found the right one, build a Modify request that removes the group from memberOf
    AccountRequest accReq = new AccountRequest();
    accReq.setNativeIdentity(eachLink.getNativeIdentity());
    accReq.setApplication(eachLink.getApplicationName());
    accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
    accReq.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, "THE CN OF THE GROUP"));
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    plan.add(accReq);
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
}
2 Likes

Thanks for the help from everyone, this response best answers my question. It is very helpful.

In any case, the disclaimer. Do not use this code as-is. It just demonstrates the main moving parts. The main reason you can’t use it directly is that it currently will run the provisioning in the loop. In reality you of course find the correct account (Link - the user may have multiple accounts on the same application) and then you should fire the provisioning on the correct account only.

Also remember that if your group was originally assigned through LCM, you’ll need to clean up the attributeAssignment to avoid triggering re-provisioning.
See e.g. https://community.sailpoint.com/t5/IdentityIQ-Forum/How-to-remove-attributeAssignments-by-leaver-workflow/m-p/54822
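As an added example (not code from the thread or from SailPoint), here is the same Remove plan written so that it does what the disclaimer above asks for: select the one account whose native identity matches a given DN, confirm it actually holds the group, and only then execute a single plan outside the loop. It assumes a rule context where `context` and `log` are available; the identity name, application name, account DN and group DN are placeholders.

```java
import java.util.List;
import sailpoint.api.IdentityService;
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Placeholder values (hypothetical, not from the thread): replace with your own.
String accountDn = "CN=jdoe,OU=Users,DC=example,DC=com";      // the one account to modify
String groupDn = "CN=App-Admins,OU=Groups,DC=example,DC=com"; // the group to leave
Identity identity = context.getObjectByName(Identity.class, "YOUR IDENTITY");
Application ad = context.getObjectByName(Application.class, "THE NAME OF YOUR AD APP");
if (identity == null || ad == null) {
    throw new IllegalArgumentException("identity or AD application not found");
}
// Pick exactly one Link: a user may have several accounts on the same application.
Link target = null;
for (Link link : new IdentityService(context).getLinks(identity, ad)) {
    if (accountDn.equalsIgnoreCase(link.getNativeIdentity())) { target = link; }
}
if (target == null) {
    throw new IllegalStateException("no account " + accountDn + " on " + ad.getName());
}
// memberOf is a List of DNs when the account is in several groups, a String when in one.
Object memberOf = target.getAttribute("memberOf");
boolean holdsGroup = false;
if (memberOf instanceof List) {
    for (Object dn : (List) memberOf) {
        if (groupDn.equalsIgnoreCase(String.valueOf(dn))) { holdsGroup = true; }
    }
} else if (memberOf != null) {
    holdsGroup = groupDn.equalsIgnoreCase(memberOf.toString());
}
if (!holdsGroup) {
    log.warn("Account " + accountDn + " does not hold " + groupDn + "; nothing to remove");
    return;
}
// One plan with one Modify request carrying one Remove, executed once, outside any loop.
AccountRequest accReq = new AccountRequest();
accReq.setApplication(target.getApplicationName());
accReq.setNativeIdentity(target.getNativeIdentity());
accReq.setOperation(AccountRequest.Operation.Modify);
accReq.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, groupDn));
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);
plan.add(accReq);
new Provisioner(context).execute(plan);
```

The attributeAssignment cleanup mentioned above is still a separate step; this block only issues the account-level Remove.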
