Bundle Management Plugin

Hi all,

We plan to implement a bundle (it-role/business-role) management plugin.

Our aim is to expose a bunch of endpoints to allow application owners to update roles in Sailpoint IIQ.

The problem is that we have had several incidents in the production environment related to assignment rule/bundle caching issues.

I have concerns related to IIQ caching in a clustered environment.

  • Did someone manage to implement similar functionality successfully?
  • Is it possible to update the it-role/business role while the refresh task or aggregation is running?
  • Is there a way to force remove the bundle cache from instance-2 when the bundle is updated/removed on IIQ instance-1?

Implementation details:

Basically, we will expose the following endpoints:

| URL | Method | Description |
| --- | --- | --- |
| …baseURL/identity/plugin/rest/{pluginName}/application/{applicationName}/role | GET | Get all it-roles and business roles by application |
| …baseURL/identity/plugin/rest/{pluginName}/application/{applicationName}/role | POST | Save bundles in batch |
| …baseURL/identity/plugin/rest/{pluginName}/application/{applicationName}/role/{roleName} | GET | Get details of a bundle |
| …baseURL/identity/plugin/rest/{pluginName}/application/{applicationName}/role/{roleName} | POST | Save a bundle |

Environment: Sailpoint IIQ 8.3.1, Java 11, Clustered environment (multiple tasks and UI servers).

Hello @yunusbayhanDH,

My understanding is that IIQ handles its cache smartly. So in my experience, you can of course update the Role during Identity Refresh. Additionally, the suggestion is to also use Role Propagation within your plugin; the sample code to create the RoleChangeEvent is below:

RoleUtils.populateRoleChangeEvents(context, role); // queue a RoleChangeEvent for Role Propagation

Therefore, we can make sure that even if the role has been changed during the identity refresh, Role Propagation will evaluate the assignments again on the identity.

And if you want to force decaching of any object on the server, you can also run this code:

context.decache(); // clear all cache
context.decache(role); // decache the role object

But normally, in the code, we always use context.getObjectByName() to retrieve the object from the database. That means if any change is committed from another server to the DB, we can always retrieve the updated object at that point.

Hope this resolves your issue.

Besides, to save some development effort, you may also re-use the API call list in the documentation:

Best regards,
Mike
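The three pieces Mike describes (re-read the role from the database, queue a RoleChangeEvent, commit, then decache) are easy to get in the wrong order when they are spread across a plugin. The following is an added example, not code from the original thread or from SailPoint, showing one update method a plugin REST resource could call. It assumes the standard IIQ classes sailpoint.api.SailPointContext, sailpoint.object.Bundle and sailpoint.tools.GeneralException, and it assumes RoleUtils lives in sailpoint.api (the reply above gives only the class name, so the package is a guess); the method and class names RoleUpdateHelper and updateRoleDescription are hypothetical.

```java
// Added example (not from the original post or from SailPoint). Assumed imports:
// the standard IIQ API classes plus RoleUtils, whose package is assumed here.
import sailpoint.api.RoleUtils;
import sailpoint.api.SailPointContext;
import sailpoint.object.Bundle;
import sailpoint.tools.GeneralException;

public class RoleUpdateHelper {

    /**
     * Update the description of an existing role and queue a RoleChangeEvent so
     * Role Propagation re-evaluates the identities that hold it.
     *
     * @return true if the role was found and updated, false if no such role exists
     */
    public static boolean updateRoleDescription(SailPointContext context,
                                                String roleName,
                                                String newDescription) throws GeneralException {
        // Load from the database rather than reusing a cached reference: another
        // cluster node may already have committed a newer version of this role.
        Bundle role = context.getObjectByName(Bundle.class, roleName);
        if (role == null) {
            return false;
        }

        role.setDescription(newDescription);
        context.saveObject(role);

        // Queue the RoleChangeEvent before committing so the event and the role
        // change are persisted in the same transaction.
        RoleUtils.populateRoleChangeEvents(context, role);
        context.commitTransaction();

        // Drop this node's cached copy so the next read on this node comes from
        // the committed row.
        context.decache(role);
        return true;
    }
}
```

Note that context.decache() only affects the node that calls it; it does not reach instance-2 in the question. As the reply explains, the other node picks up the change when it next loads the object through context.getObjectByName(), so the REST handlers should always re-read the Bundle per request rather than holding onto a previously loaded instance.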