Before Provisioning Rule Operations - How to remove plan or account request


We have a connected source which we provision to using IDN birthright roles. The requirement is to not remove any entitlements from the source account after creation. So basically if user doesn’t meet role criteria anymore we need to stop IDN from triggering the “Modify Account” and “Remove Entitlement” events. We cannot use the LCS(instead of roles) for entitlement assignment as we have additional role membership criteria.

We thought about using a before provisioning rule to remove the attribute request from the Provisioning plan. Is this something the rule supports?

import sailpoint.object.*;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.Operation;

for ( AccountRequest accountRequest : plan.getAccountRequests() )
    if ( accountRequest.getOp().equals( ProvisioningPlan.ObjectOperation.Modify ) )
        AttributeRequest roleAttrReq = accountRequest.getAttributeRequest("group");
        if(roleAttrReq != null && roleAttrReq.getValue() != null) 

Or should we use “plan.remove(accountRequest);” to just remove the entire account request from the plan?

Is there a document available which lists the methods available for plan, account request class etc?

Are there any other ways to replace the provisioning plan to do nothing in case of modify account/remove entitlement operation?

@colin_mckibben / @hari_patel / @chirag_patel please help get some insight into before prov rule operation/documentation(javadoc) for the class please.

Thank you!

This seems flawed design. I do not know any method to stop provisioning in before provisioning rule but even if it would be possible in before prov rule, the role deprovisioning would get triggered on each refresh which is not ideal design. This is going to trigger deprovisioning quite often and over time it is going to pile up.

The user is already removed from the role on the first deprov event, so the deprovisoning doesn’t get retried on each refresh.

Hi @sharvari , did you ever find a solution for this “cancellation” of the operation via a Before Provisioning rule?

I have a similar situation where accounts in source A should never be created by IDN, and should instead be created in source B by IDN, and synced to source A via a process internal to the vendor’s 2 products.

Deleting our CREATE provisioning policy has at least made the creation attempts fail, but we would rather skip the attempts entirely and not have these benign errors.

No, unfortunately we cannot stop the event creation, we can just modify/fail it.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.