Share all details related to your problem, including any error messages you may have received.
We have webservice connector application , using this application we are doing deprovisioning operation. We don’t have any entitlement regarding that applications. We have one IT role(detected only) which is holding Active Directory group as entitlement, our requirement is when we trigger certification for that IT role, it should remove the AD group as well as user from the webservice application. for that we have added policies also, but it is not working and not triggering the disable operation in webservice connector application, Could any one please help us on this issue.
That’s a tricky one - I mean as long as you don’t have any provisioning triggered to the Webservice application - it will do nothing.
There are 2 options how you can solve it
Add into the IT role some mapping to the webservice application - even eg. Active=true. Then in before provisioning rule for this application you can translate change of this attribute into disable operation.
In before (or after) provisioning rule for AD - create new provisioning plan to remove Webservice application account when operation on AD side is removal of the user from certain group.
Advantage of first solution is that you use OoTB features of IIQ - disadvantage is you have to change the role definition.
Advantage of second solution is that it’s transparent for end users (nothing is visible). Disadvantage is that you have to handle provisioning manualy in the provisioning rule for AD.