Beanshell - Provisioning Plan - Object Request - Remove Cross Domain Access

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Good morning!

I’m working on a cleanup effort to remove a ton of cross-domain access. I’m working on building a provisioning plan in a custom rule that I’m told can work, but I’m struggling to get it to work. I may just be a little out of practice, but I’m sure I’m missing something. I was told that I can use an object request to achieve the desired results, but I’m hitting a wall. Below is the provisioning plan I have so far. I’ve used something similar to create AD groups, so I’m running off the assumption that just modifying a few lines can also modify the members list of an AD group.

  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.api.Provisioner;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.object.ProvisioningPlan.ObjectOperation;
  import sailpoint.object.ProvisioningPlan.ObjectRequest;

  String fullDistinguishedName = "distinguishedNameOfGroup";

  ProvisioningPlan plan = new ProvisioningPlan();
  List accountReqList = new ArrayList();

  // An ObjectRequest targets a non-account object on the application (here an AD group),
  // addressed by its native identity, which for AD is the group's distinguishedName.
  ObjectRequest objectReq = new ProvisioningPlan.ObjectRequest();
  objectReq.setOp(ObjectOperation.Modify);
  objectReq.setApplication("ApplicationName");
  objectReq.setNativeIdentity(fullDistinguishedName);

  // Remove a single user DN from the group's "members" attribute.
  AttributeRequest attributeReq1 = new AttributeRequest("members", ProvisioningPlan.Operation.Remove, "distinguishedNameOfUser");
  objectReq.add(attributeReq1);

  accountReqList.add(objectReq);
  plan.setObjectRequests(accountReqList);

  // context is the SailPointContext handed to the rule.
  Provisioner provisioner = new Provisioner(context);
  provisioner.setNoLocking(true);

  try {
    provisioner.execute(provisioner.compile(plan));
  } catch (Exception e) {
    return e.getMessage();
  }

I’m sure I’m missing something simple! I either get a ‘Does not exist’ message in the provisioning transaction, or simply nothing happens. I’ve tried using ‘memberOf’ instead of ‘members’ - same thing.

Hi @RSanders
Try this one


  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.api.Provisioner;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.object.ProvisioningPlan.ObjectRequest;

  String fullDistinguishedName = "DnOfGroup";

  ProvisioningPlan plan = new ProvisioningPlan();
  List accountReqList = new ArrayList();

  // Modify the group object on the AD application, addressed by its distinguishedName.
  ObjectRequest objectReq = new ProvisioningPlan.ObjectRequest();
  objectReq.setOp(ProvisioningPlan.ObjectOperation.Modify);
  objectReq.setApplication("Active Directory");
  objectReq.setNativeIdentity(fullDistinguishedName);

  // The AD group attribute is "member" (singular); remove the user's DN from it.
  AttributeRequest attributeReq1 = new AttributeRequest("member", ProvisioningPlan.Operation.Remove, "DNOfUser");
  objectReq.add(attributeReq1);

  accountReqList.add(objectReq);
  plan.setObjectRequests(accountReqList);

  // context is the SailPointContext handed to the rule.
  Provisioner provisioner = new Provisioner(context);
  provisioner.setNoLocking(true);

  try {
    provisioner.execute(provisioner.compile(plan));
  } catch (Exception e) {
    return e.getMessage();
  }

Thanks for the tip! Unfortunately, I’m not sure our current configuration of IIQ will be able to accomplish this.

A little more context. We have an AD connector for one domain (domainA), and then another connector for another domain (domainB). A user from domainA was added to a group from domainB outside of IIQ. During the account and group aggregations, the group from domainB shows up as a ‘memberOf’ entitlement, but it’s listed under the user’s AD application for domainA. As well, the group displays as the distinguishedName instead of the normal display name.

I’ve tried different iterations of my code snippet, but just can’t seem to get it to work. It looks like a weird kind of ‘gotcha’. The group shows up in the entitlement catalog as an entitlement from domainA connector, but because the group technically doesn’t exist in domainA, when executing the provisioning plan, I get the ‘does not exist’ message.

Unfortunately, I think this cleanup effort will have to be done using AD instead of IIQ, which is not too big of a deal - we were just hoping to keep this effort contained in our IIQ environment. The more we can automate with IIQ, the better.

I do thank you for the advice, though!

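The gotcha described above is that the group is aggregated as a memberOf value on the domainA link, but the object itself lives in domainB, so a plan sent to the domainA application can only report that the group does not exist. The following Beanshell snippet is an added example (not code from this thread or from SailPoint) that goes one step beyond the posts: it reads the DC= components of the group's DN to decide which domain owns the group, and addresses the ObjectRequest to the application connected to that domain. The application names, the domain names, and the DNs are constructed placeholders; `context` is the SailPointContext available inside a rule, and the DN splitter honours backslash-escaped commas so that values such as "Doe\, Jane" are not broken apart.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.api.Provisioner;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.ProvisioningProject;

// Assumed mapping (placeholders) from the DNS name of each AD domain to the
// IIQ application whose connector talks to that domain.
Map domainToApplication = new HashMap();
domainToApplication.put("domaina.example.com", "Active Directory - DomainA");
domainToApplication.put("domainb.example.com", "Active Directory - DomainB");

// Split a DN into its RDNs, keeping backslash-escaped commas inside a value.
List splitDn(String dn) {
    List rdns = new ArrayList();
    StringBuilder current = new StringBuilder();
    for (int i = 0; i < dn.length(); i++) {
        char c = dn.charAt(i);
        if (c == '\\' && i + 1 < dn.length()) {
            current.append(c);
            i++;
            current.append(dn.charAt(i));
        } else if (c == ',') {
            rdns.add(current.toString().trim());
            current.setLength(0);
        } else {
            current.append(c);
        }
    }
    rdns.add(current.toString().trim());
    return rdns;
}

// Join the DC= components of a DN into the domain's DNS name, lower-cased:
// "CN=G,OU=Groups,DC=domainB,DC=example,DC=com" -> "domainb.example.com".
String domainFromDn(String dn) {
    StringBuilder domain = new StringBuilder();
    List rdns = splitDn(dn);
    for (int i = 0; i < rdns.size(); i++) {
        String rdn = (String) rdns.get(i);
        if (rdn.toUpperCase().startsWith("DC=")) {
            if (domain.length() > 0) {
                domain.append('.');
            }
            domain.append(rdn.substring(3));
        }
    }
    return domain.toString().toLowerCase();
}

// Build a plan that removes one user DN from the group's "member" attribute,
// addressed to the application that owns the group's domain. "member" is the
// forward link stored on the group; "memberOf" on the user is only a back-link
// and is not writable.
ProvisioningPlan buildRemoveMemberPlan(String groupDn, String userDn) {
    String domain = domainFromDn(groupDn);
    String application = (String) domainToApplication.get(domain);
    if (application == null) {
        throw new IllegalArgumentException("No application configured for domain " + domain);
    }

    ObjectRequest objectReq = new ProvisioningPlan.ObjectRequest();
    objectReq.setOp(ProvisioningPlan.ObjectOperation.Modify);
    objectReq.setApplication(application);
    objectReq.setNativeIdentity(groupDn);
    objectReq.add(new AttributeRequest("member", ProvisioningPlan.Operation.Remove, userDn));

    List objectRequests = new ArrayList();
    objectRequests.add(objectReq);
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setObjectRequests(objectRequests);
    return plan;
}

// Constructed sample: a domainA user that was added to a domainB group outside IIQ.
String groupDn = "CN=Cross Domain Group,OU=Groups,DC=domainB,DC=example,DC=com";
String userDn = "CN=Doe\\, Jane,OU=Users,DC=domainA,DC=example,DC=com";

ProvisioningPlan plan = buildRemoveMemberPlan(groupDn, userDn);

// context: the SailPointContext available to the rule.
Provisioner provisioner = new Provisioner(context);
provisioner.setNoLocking(true);
ProvisioningProject project = provisioner.compile(plan);
provisioner.execute(project);
```

The plan is routed by the group's DN rather than by the application the entitlement was aggregated under, which is the distinction the thread ran into. Two caveats: the domainB application must be configured so that its connector is allowed to modify group objects, and if the two domains sit in different forests the value stored in the group's member attribute is the foreign security principal DN under domainB rather than the user's own DN, so the value passed to the Remove request has to match what the directory actually holds.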
