Best practice for group removal

Which IIQ version are you inquiring about?

8.4p1

Share all details about your problem, including any error messages you may have received.

We have to set up AD groups for different countries (around 100+ groups). The ask is to assign these groups to users belonging to these countries and then remove them if they change country.

The assignment part, although it looks messy, is straightforward to set up either based on roles using dynamic filters, or I can add them to the create/update provisioning policy of the AD app (I am open to any better approach for this).

While assignment is done, I wonder what can be the best way to remove the folks from the groups? I could think of a lifecycle event setup based on attribute change, but it might not be the best way forward.

@rohit_jaiswal1 If you have roles with filters, it takes care of assigning and removing both. For life cycle events, you need two different events to take care of assignment and removals. So better to go with Roles.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.

@rohit_jaiswal1

I would suggest creating roles for the groups that you have based on country. Write the assignment criteria in the business role and get that role added or removed automatically once the country attribute changes.

Hi @rohit_jaiswal1 ,

Based on the AD group structure, these groups can be added into roles.

You can add assignment logic (based on user country)

This will ensure both assignment and removal of roles as per assignment criteria.

hi @rohit_jaiswal1

I would go with one of the below; it works smoothly.

  1. Use Provisioning Policy / Role logic for assignment
    Keep the logic centralized (dynamic role filters or AD Create/Update policy). This avoids maintaining 100+ rules scattered everywhere.
  2. Handle removal through a Batch Request
    When someone's country changes, instead of firing removals one by one, you can run a Batch Request that:
    • Queries users whose country no longer matches their assigned country-specific group(s).
    • Submits removal of all mismatched AD groups in a single batch provisioning request. This keeps the provisioning queue cleaner and avoids race conditions.
  3. Life cycle Event just calls a custom Lifecycle Identity trigger rule.
    No groups are assigned/removed directly in the event; the rule evaluates the old vs new country.
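The trigger rule described in point 3, written out as an added example that is not from this thread or from SailPoint's own samples. It is an IdentityTrigger rule (which receives `previousIdentity` and `newIdentity` and returns a boolean) that fires the attached Lifecycle Event only when the country attribute actually changed; the rule name and the identity attribute name `country` are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Hypothetical IdentityTrigger rule; the name and the "country" attribute are assumptions. -->
<Rule name="Country Change Trigger" type="IdentityTrigger" language="beanshell">
  <Description>
    Returns true only when the identity's country attribute changes between
    the previous and the new snapshot, so the Lifecycle Event does not fire
    on unrelated attribute updates.
  </Description>
  <Source><![CDATA[
    // previousIdentity / newIdentity are the standard IdentityTrigger inputs.
    // Either can be null on create or delete; only updates are of interest here.
    if (previousIdentity == null || newIdentity == null) {
        return false;
    }

    String oldCountry = (String) previousIdentity.getAttribute("country");
    String newCountry = (String) newIdentity.getAttribute("country");

    // Normalize null to empty so a blank-to-blank update is not a change.
    if (oldCountry == null) oldCountry = "";
    if (newCountry == null) newCountry = "";

    boolean changed = !oldCountry.equalsIgnoreCase(newCountry);
    if (changed) {
        // "log" is the standard logger argument available to IIQ rules.
        log.info("Country change for " + newIdentity.getName()
                 + ": '" + oldCountry + "' -> '" + newCountry + "'");
    }
    return changed;
  ]]></Source>
</Rule>
```

Keeping the rule to a pure old-versus-new comparison, with no provisioning calls inside it, matches the point above: the event it triggers (or the roles it feeds) performs the actual group changes, which keeps the trigger cheap and idempotent during a full identity refresh.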

But would the role removal ensure the user is removed from the group?

Yes. Once roles are removed, it'll remove the underlying AD groups as well. If you have already configured a role, please share the XML over chat. I can quickly check and confirm if they are configured properly or not.

Yes it would do. @rohit_jaiswal1

Hello @rohit_jaiswal1 this is a common use case. You’re already thinking in the right direction.

A better and simpler approach is to use business/birthright roles with dynamic rules.

What you can do:

  • Create one role per country (US, UK, IN, etc.)
  • Add a rule like: type="employee" & country="US"
  • Add the AD group(s) to that role

With this setup in SailPoint IdentityIQ:

  • If user country = US → role is assigned → AD group is added
  • If user country changes → old role is removed → new role is assigned
    → old AD group is removed automatically

So you don’t need to build any separate logic for removal. It happens automatically when the role is removed.

You can do this in provisioning policy, but with many groups it will be messy and hard to maintain.

So overall, roles are the cleanest and easiest way to handle both assignment and removal.

Thanks
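The role layout described above (one business role per country carrying an IT role with the AD group), as an added example that is not from this thread or from SailPoint's own objects. The application name `Active Directory`, the group DN, the role names and the identity attributes `type` and `country` are all assumptions; only the US pair is shown, the other countries follow the same pattern.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <!-- IT role: holds the AD entitlement. Application name, group DN and the
       "memberOf" attribute name are assumptions for this example. -->
  <Bundle name="IT-AD-Country-US" type="it" displayName="AD Country Group - US">
    <Profiles>
      <Profile>
        <ApplicationRef>
          <Reference class="sailpoint.object.Application" name="Active Directory"/>
        </ApplicationRef>
        <Constraints>
          <Filter operation="CONTAINS_ALL" property="memberOf">
            <Value>
              <List>
                <String>CN=Country-US,OU=Groups,DC=example,DC=com</String>
              </List>
            </Value>
          </Filter>
        </Constraints>
      </Profile>
    </Profiles>
  </Bundle>

  <!-- Business role: the assignment criteria from the post
       (type="employee" and country="US"). When the identity stops matching,
       the refresh deassigns the role and the required IT role, so the
       AD group is deprovisioned without separate removal logic. -->
  <Bundle name="BR-Country-US" type="business" displayName="Country - US">
    <Selector>
      <IdentitySelector>
        <MatchExpression and="true">
          <MatchTerm name="type" value="employee"/>
          <MatchTerm name="country" value="US"/>
        </MatchExpression>
      </IdentitySelector>
    </Selector>
    <Requirements>
      <Reference class="sailpoint.object.Bundle" name="IT-AD-Country-US"/>
    </Requirements>
  </Bundle>
</sailpoint>
```

Two checks worth doing once this is imported: the identity refresh task that evaluates the selectors must have role assignment and provisioning of assignments enabled, and it must not have deprovisioning of deassigned roles disabled, otherwise the old group stays on the account after the country changes. A quick test is to change one identity's country, run the refresh, and confirm the old group leaves and the new one arrives on the AD account.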