Calling Dynamic Context Url multiple times for Webservice Connector

Hi All,

We have a use case to remove all the security groups assigned to a user in a target application. The API available can remove only one security group at a time:
https://abc.net/rest/abc/securitygroup/v1/groups/**Securitygroupname**/users/**username**

We are using the Disable account operation and have configured the BeforeOperationRule within it to extract the username and Securitygroupname coming from the provisioning plan. This works fine if there is only one securitygroup assigned to a user. If the plan has a list of securitygroups, it removes only the first group and exits.

Context URL: /rest/abc/securitygroup/v1/groups/
Method: DELETE
BeforeOperationRule:

```java
import sailpoint.tools.Util;
import java.util.*;
import java.util.List;
import java.util.Arrays;
import java.util.ArrayList;
import sailpoint.object.*;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;
Logger log = Logger.getLogger("rule.DeleteDefaultGroupsBeforeRule");
log.setLevel(Level.DEBUG);

log.debug("Inside the Disable Operation 2");
//Rule used to remove the group to update the requestEndPoint URL with groupName
public static Object getAttributeRequestValue(AccountRequest acctReq, String attribute) {
  if ( acctReq != null ) {
    AttributeRequest attrReq = acctReq.getAttributeRequest(attribute);
    log.debug("attrReq::"+attrReq);
    if ( attrReq != null ) {
      List groupList = new ArrayList();
      List groups = new ArrayList();
      groups = attrReq.getValue();
      log.debug("groups:"+groups);
      if(groups.size() > 1){
        groupList = attrReq.getValue();
      }
      else if(groups.size() == 1){
        groupList.add(attrReq.getValue());
      }
      log.debug("groupList:"+groupList);
      return groupList;
    }
  }
  return null;
}
public static String groupNameValue(String groupName){
  String[] couple = groupName.split(",");
  for(int i =0; i < couple.length ; i++) {
    String[] items =couple[i].split(":");
    String groupName1= items[1]; //Value
    groupName1= groupName1.replaceAll("\"", "");
    return groupName1;
  }
  return groupName;
}
if ( provisioningPlan != null ) {
  log.debug("*** \n The Provisioning Plan being passed in = \n***\n" + provisioningPlan.toXml() + "\n**");
  AccountRequest account = provisioningPlan.getIIQAccountRequest();
  if (account != null ) {
    if (AccountRequest.Operation.Disable.equals(account.getOperation())) {
      String nativeIdentity = account.getNativeIdentity();
      List groupNameList = getAttributeRequestValue(account, "groups");
      log.debug("groupNameList:"+groupNameList);
      for(String groupName : groupNameList){
        log.debug("groupName::"+groupName);
        String exactGroupName=groupNameValue(groupName);
        String lastFullUrl=exactGroupName+"/users/"+nativeIdentity;
        String finalUrl = requestEndPoint.getFullUrl()+lastFullUrl;
        log.debug("*** finalUrl****** "+finalUrl);
        requestEndPoint.setFullUrl(finalUrl);
        log.debug("requestEndPoint:"+requestEndPoint);
        return requestEndPoint;
      }
    }
  }
}
log.debug("*** requestEndPoint7865" +requestEndPoint);
return requestEndPoint;
```

The Provisioning Plan being passed to the rule:

```
The Provisioning Plan being passed in =
***
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="username" targetIntegration="APPName" trackingId="9a45e297b2ed4276b71361e7ea0cf569">
  <AccountRequest application="APPName" nativeIdentity="username" op="Disable">
    <AttributeRequest name="groups" op="Remove">
      <Value>
        <List>
          <String>{"displayName":"CONNALLR","id":"pc:6934","type":"Group","uri":"/admin/v1/groups/pc:6934"}</String>
          <String>{"displayName":"CONNEXLO","id":"pc:6935","type":"Group","uri":"/admin/v1/groups/pc:6935"}</String>
        </List>
      </Value>
    </AttributeRequest>
  </AccountRequest>
</ProvisioningPlan>
```

From the above code only the securitygroup CONNALLR is removed from target. Any suggestions how to make this work would be helpful.

Hi,

Thank you for posting and welcome to Developer Forum.

I do not have much understanding of IIQ but I can answer this in reference to what we did in such a situation in IdentityNow and I feel the same should be applicable here.

When you set EndPoint in request URL, it gets set for only one time and for every entitlement, the same endpoint is called.

To overcome this scenario what we did was we used the WebServicesClient class to remove all entitlements in the rule itself and the last one we set as full URL in RequestEndPoint. That handled the removal pretty slick.

Thanks Animesh for your response.

So we should try calling the API directly from the BeforeOperationRule using WebServicesClient and the last entitlement should be the requestEndPoint return. We will try running that.

Would you have any reference code of calling the API within the BeforeOperationRule?

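1 Like

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import connector.common.http.client.WebServicesClient;

try {
    // Configure a client for the per-group URL built in the rule
    Map args = new HashMap();
    args.put(WebServicesClient.ARG_URL, finalurl);
    WebServicesClient restClient = new WebServicesClient();
    restClient.configure(args);
    // Reuse the headers of the configured operation
    Map header = requestEndPoint.getHeader();
    // Treat any 2xx status as success
    List<String> allowedStatuses = new ArrayList();
    allowedStatuses.add("2**");
    String response = restClient.executeDelete(finalurl, header, allowedStatuses);
    log.info("response: " + response);
} catch (Exception e) {
    log.error(e.getMessage(), e);
}
```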

2 Likes

Thanks Animesh, the code worked perfectly 🙂

1 Like
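
The approach from the replies above, combined into one BeforeOperationRule as an added example (not code posted in this thread or supplied by SailPoint): every group but the last is deleted directly with WebServicesClient, and the last URL is handed back through requestEndPoint. It assumes that displayName is the group key used in the URL and contains no escaped quotes, and that the configured context URL ends in `/groups/`; unlike the snippets above it percent-encodes both path segments and lets a failed DELETE propagate, so a Disable is not reported as complete while a security group is still assigned.

```java
// Added example: BeanShell BeforeOperationRule for the Disable operation.
import java.net.URLEncoder;
import java.util.*;
import java.util.regex.*;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.Util;
import connector.common.http.client.WebServicesClient;

// Percent-encode one path segment so a group or account name cannot add "/" or "?" to the URL.
String seg(String s) {
  return URLEncoder.encode(s, "UTF-8").replace("+", "%20");
}

// Extract displayName from the JSON string the plan carries for each group
// (assumption: the name contains no escaped quotes).
Pattern DISPLAY_NAME = Pattern.compile("\"displayName\"\\s*:\\s*\"([^\"]+)\"");

// Same accessor as the rule in the question.
AccountRequest account = (provisioningPlan == null) ? null : provisioningPlan.getIIQAccountRequest();
if (account == null || !AccountRequest.Operation.Disable.equals(account.getOperation())) return requestEndPoint;
AttributeRequest attrReq = account.getAttributeRequest("groups");
// Util.asList wraps a single String value in a list and passes a List through unchanged.
List groups = (attrReq == null) ? null : Util.asList(attrReq.getValue());
if (Util.isEmpty(groups)) return requestEndPoint;

String base = requestEndPoint.getFullUrl();   // assumption: ends in ".../groups/"
String user = seg(account.getNativeIdentity());
List urls = new ArrayList();
for (Object g : groups) {
  Matcher m = DISPLAY_NAME.matcher(String.valueOf(g));
  if (!m.find()) {
    throw new IllegalStateException("No displayName in group value: " + g);
  }
  urls.add(base + seg(m.group(1)) + "/users/" + user);
}

List allowedStatuses = new ArrayList();
allowedStatuses.add("2**");
// All URLs but the last are called here; an exception is not caught, so a failed removal is not hidden.
for (int i = 0; i < urls.size() - 1; i++) {
  String url = (String) urls.get(i);
  Map args = new HashMap();
  args.put(WebServicesClient.ARG_URL, url);
  WebServicesClient client = new WebServicesClient();
  client.configure(args);
  client.executeDelete(url, requestEndPoint.getHeader(), allowedStatuses);
}
requestEndPoint.setFullUrl((String) urls.get(urls.size() - 1)); // the connector sends this last DELETE
return requestEndPoint;
```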
