Before provisioning rule to remove roles in remove role method in REST webservice application

Hi,

We have an application which is integrated with a REST web service. We configured the remove role method to delete the roles when it is revoked. When we tried via Postman, the role is getting deleted, but via the SailPoint UI the role is not getting deleted. I checked the configuration and everything is looking good.

Any idea what needs to be done in this case? Do we need to write a before provisioning rule for this? If so, can someone share a sample before provisioning rule to delete the role?

Thanks.

When you click Revoke in the ISC UI, SailPoint creates an ‘AccountRequest’ with an attribute operation set to REMOVE. If your Web Services HTTP operation does not parse the multi-layered AttributeRequest value correctly, the variable substitution fails, and the endpoint call is either malformed or skipped entirely. reference: Before Provisioning Rule | SailPoint Developer Community
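
A diagnostic sketch for the behaviour described in the reply above, added here as an example (it is not part of the original posts and not SailPoint's own code): a Before Provisioning rule body that logs whether the plan carries a Remove on the role attribute and whether its value is a single string or a list. It assumes the rule runner supplies `plan` and `log`, and the attribute name `roles` is a placeholder borrowed from the rule posted in this thread.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumption: "plan" (ProvisioningPlan) and "log" are injected by the rule runner.
// Assumption: the entitlement attribute is named "roles"; use your source's schema name.
String ROLE_ATTR = "roles";
int removeCount = 0;

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acctReq : plan.getAccountRequests()) {
        log.info("AccountRequest op=" + acctReq.getOperation()
                + " nativeIdentity=" + acctReq.getNativeIdentity());
        List attrReqs = acctReq.getAttributeRequests();
        if (attrReqs == null || attrReqs.isEmpty()) {
            log.warn("No AttributeRequests on this AccountRequest");
            continue;
        }
        for (AttributeRequest attrReq : attrReqs) {
            if (!ROLE_ATTR.equalsIgnoreCase(attrReq.getName())) {
                continue; // not the role attribute
            }
            if (!ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation())) {
                log.info(ROLE_ATTR + " request with op=" + attrReq.getOperation() + " (not a revoke)");
                continue;
            }
            removeCount++;
            Object value = attrReq.getValue();
            if (value == null) {
                log.warn("Remove on " + ROLE_ATTR + " has a null value");
            } else if (value instanceof List) {
                // Several roles revoked at once arrive as one list-valued request.
                log.info("Remove on " + ROLE_ATTR + " is a List of " + ((List) value).size()
                        + " value(s): " + value);
            } else {
                log.info("Remove on " + ROLE_ATTR + " is a single "
                        + value.getClass().getSimpleName() + ": " + value);
            }
        }
    }
}
if (removeCount == 0) {
    log.warn("Plan contains no Remove request on '" + ROLE_ATTR + "'");
}
```

Comparing the logged value with the identifier that works in Postman shows whether the HTTP operation is being handed the value it expects.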

Hi @PreethiJohnPeter ,
Could you please state the requirement clearly?
Please share how you have configured the operation in SailPoint, and what the response in Postman looks like.

Hi Satish,

We have a delete operation which we use to delete the role from the user when it's getting revoked.

We will be passing roleuserid (roleid+userid, which will be a unique value for every user+role combination) in the delete operation.

When I tried via Postman to delete a role from a user, it's getting deleted. But when I try via SailPoint, the role is not getting deleted, with no error. So I am trying to write a before provisioning rule to do the same, as follows.

Does this rule work, or do we need to modify it?

```java
import sailpoint.object.*;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.*;
import java.util.*;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class BeforeProvisioning_DeleteRole_REST {
    private static final Log log = LogFactory.getLog(BeforeProvisioning_DeleteRole_REST.class);

    public Object run(Map context) throws Exception {
        ProvisioningPlan plan = (ProvisioningPlan) context.get("plan");
        if (plan == null) {
            return null;
        }
        List<AccountRequest> accountRequests = plan.getAccountRequests();
        if (accountRequests == null) {
            return plan;
        }
        // Use an Iterator so an emptied request can be removed without stopping the loop.
        Iterator<AccountRequest> acctIterator = accountRequests.iterator();
        while (acctIterator.hasNext()) {
            AccountRequest acctReq = acctIterator.next();
            // Only account-level Delete requests are processed; attribute-level
            // Remove requests on other account operations are skipped.
            if (!AccountRequest.Operation.Delete.equals(acctReq.getOperation())) {
                continue;
            }
            log.debug("Processing DELETE operation for account: " + acctReq.getNativeIdentity());
            List<AttributeRequest> attrRequests = acctReq.getAttributeRequests();
            if (attrRequests == null) continue;
            Iterator<AttributeRequest> attrIterator = attrRequests.iterator();
            while (attrIterator.hasNext()) {
                AttributeRequest attrReq = attrIterator.next();
                if ("roles".equalsIgnoreCase(attrReq.getName())
                        || "groups".equalsIgnoreCase(attrReq.getName())) {
                    Object value = attrReq.getValue();
                    if (value instanceof List) {
                        List<?> roles = (List<?>) value;
                        Iterator<?> roleIterator = roles.iterator();
                        while (roleIterator.hasNext()) {
                            Object roleObj = roleIterator.next();
                            // String.valueOf(null) would yield "null", so test the object first.
                            String role = (roleObj == null) ? null : String.valueOf(roleObj);
                            if (role != null && !role.isEmpty()) {
                                log.debug("Deleting role via REST deleteRole method: " + role);
                            } else {
                                // Drop null or empty entries.
                                roleIterator.remove();
                            }
                        }
                        if (roles.isEmpty()) {
                            attrIterator.remove();
                        } else {
                            attrReq.setValue(roles);
                        }
                    } else if (value instanceof String) {
                        String role = (String) value;
                        // Mirror the list branch: keep a real value, drop an empty one.
                        if (!role.isEmpty()) {
                            log.debug("Deleting role via REST deleteRole method: " + role);
                        } else {
                            attrIterator.remove();
                        }
                    }
                }
            }
            if (acctReq.getAttributeRequests() == null
                    || acctReq.getAttributeRequests().isEmpty()) {
                log.debug("No valid delete operations left - removing account request");
                acctIterator.remove();
            }
        }
        return plan;
    }
}
```




This is a web service integration, right? Are you using this before provisioning rule or a before operation rule for the delete operation? Can you confirm?

Before Provisioning rule, so that it modifies the plan before it hits the target.

"We have a delete operation which we use to delete the role from the user when it's getting revoked."
What does this statement mean? Are you deleting the source account of the user?

When a manager revokes a user permission during UAR, the user permission (role) automatically needs to be deleted/removed. When the user doesn't have any role in the target, the application team takes care of disabling the account.