BeforeProvisioning Rule for Oracle EPM to delete the account while removing last entitlement

We are using the "Oracle EPM Cloud - FCCS SAAS" connector.

The connector has one limitation: when we try to revoke the last IDCS group, it throws the error below.
[“Request to remove all assigned IDCS entitlements of the user was rejected”,“because this will result in deleting the user. \u0027Delete\u0027 the user to achieve the same behaviour.”]

In certain scenarios, we want to remove their full Oracle EPM access. So, we thought of writing a BeforeProvisioning Rule to ‘delete’ the account while removing the last entitlement.

The question that I have is how to achieve this. Which class in the ‘sailpoint.object’ package returns the entitlements associated with an account? We want to check the count of entitlements to trigger the delete operation.

You should consider the Service Standard Before Provisioning Rule, developed by SailPoint.

IdentityNow Mock Project - Compass

Agree with @KRM7.

The Entitlement Cardinality Update Triggers is designed for your use case.

Thank you @KRM7 and @jesvin90 for replying.
The delete operation should happen for 2 conditions in the beforeProvisioningRule.

  • When the user is terminated
  • When the last group is removed

My question is: if I use “The Entitlement Cardinality Update Triggers”, how exactly do I check the conditions at lines 48 and 56?
Or can “update triggers” be used only with the “Services Standard BeforeProvisioning Rule”?

You can add the config below under Source Config → connectorAttributes. You do not need to touch the SSBP Rule.

  • Event config1 deletes the account when the last entitlement is removed (groups; you need to change this to your entitlement attribute name)
  • Event config2 deletes the account when the user's LCS changes to inactive and there is a disable operation on the account, which you might have configured already under Identity Profile → Provisioning → Inactive → Sources to Disable

I have used the 1st event config many times, but not the 2nd one yet; test it out.

"cloudServicesIDNSetup": {
            "eventConfigurations": [
                {
                    "eventActions": [
                        {
                            "Action": "ChangeOperation",
                            "Value": "Delete"
                        }
                    ],
                    "Operation": "Modify",
                    "Entitlement Cardinality Update Triggers": [
                        {
                            "Attribute": "groups",
                            "Operation": "LastRemoved"
                        }
                    ]
                },
                {
                    "eventActions": [
                        {
                            "Action": "ChangeOperation",
                            "Value": "Delete"
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Attribute": "cloudLifecycleState",
                            "Value": "inactive",
                            "Operation": "eq"
                        }
                    ],
                    "Operation": "Disable"
                }
            ]
        }
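
A pre-deployment check for the configuration above, added here as an example (not code from the thread or from SailPoint): it confirms that every event switching the operation to Delete is scoped by an Operation and a trigger, and that the cardinality trigger names a real entitlement attribute of the source. The function name `review_delete_events` and the caller-supplied attribute set are assumptions, and only the two trigger types shown in the post are recognised.

```python
import json

# Constructed sample: the fragment from the post, wrapped in braces so it parses as JSON.
SAMPLE = json.loads("""
{"cloudServicesIDNSetup": {"eventConfigurations": [
  {"eventActions": [{"Action": "ChangeOperation", "Value": "Delete"}],
   "Operation": "Modify",
   "Entitlement Cardinality Update Triggers": [
     {"Attribute": "groups", "Operation": "LastRemoved"}]},
  {"eventActions": [{"Action": "ChangeOperation", "Value": "Delete"}],
   "Identity Attribute Triggers": [
     {"Attribute": "cloudLifecycleState", "Value": "inactive", "Operation": "eq"}],
   "Operation": "Disable"}
]}}
""")

# Assumption: only the two trigger types shown in the post are recognised here.
CARDINALITY = "Entitlement Cardinality Update Triggers"
TRIGGER_KEYS = (CARDINALITY, "Identity Attribute Triggers")


def review_delete_events(connector_attrs, entitlement_attrs):
    """Return findings for event configurations that switch the operation to Delete."""
    setup = connector_attrs.get("cloudServicesIDNSetup", {})
    findings = []
    for n, event in enumerate(setup.get("eventConfigurations", []), start=1):
        is_delete = any(
            a.get("Action") == "ChangeOperation" and a.get("Value") == "Delete"
            for a in event.get("eventActions", [])
        )
        if not is_delete:
            continue
        if not event.get("Operation"):
            findings.append(f"event {n}: no Operation scopes the Delete")
        triggers = [(key, t) for key in TRIGGER_KEYS for t in event.get(key, [])]
        if not triggers:
            findings.append(f"event {n}: Delete is not guarded by any trigger")
        for key, trig in triggers:
            attr = trig.get("Attribute")
            if key == CARDINALITY and attr not in entitlement_attrs:
                findings.append(f"event {n}: '{attr}' is not an entitlement attribute")
    return findings


if __name__ == "__main__":
    # Hypothetical schema: 'groups' is this source's entitlement attribute.
    for finding in review_delete_events(SAMPLE, {"groups"}):
        print(finding)
```

Pass the entitlement attribute names from your own source schema as the second argument; an empty result means no findings.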