Converting Detected Roles to Assigned Roles

Hi Team,

We went through an upgrade process from 8.1 to 8.4, and it was a fresh installation of 8.4 in AWS. After that we aggregated the users' entitlements, on which the roles got detected, which were assigned in 8.1. Is there a way to convert these detected roles to assigned roles?

Thanks
Arijit

Hi @,

You can write a rule where you remove the detected role and reassign it.

You can do it with these commands:

	removeDetectedRole(Bundle role) 
	setAssignedRoles(java.util.List<Bundle> roles)

You can iterate over the identities with these steps:

  1. save a list of all detected roles
  2. remove detected roles
  3. reassign the list as assigned roles

Hi @enistri_devo Thanks for the reply.

Will your solution provision the roles again to the target application? Or is it local to IIQ only?

Welcome back to the community!

Typically detected roles are IT Roles and assigned roles are Business roles. Why do you want to do this? It sounds like what you want to do is match up your Business roles with the required roles for each IT Role. This is possible, but you have to be careful because some combinations will automatically assign multiple Business roles to the identity if more than one criteria matches. I am searching for how I have done this in the past, I will update.

Usually not, because if those roles are detected it means SP are detected on the application.

Hi @keithsmith

The roles we have are custom roles; below is a screenshot. We wanted to do this because in 8.1 it was assigned, through access request. But in 8.4 it is detected, because we did not upgrade the database from 8.1 to 8.4. Instead we did a fresh installation of 8.4, aggregated the targeted application accounts and ran the refresh task, which made it detected. Now the concern raised by the client is during Role Membership Certification, where there would be an issue between detected and assigned roles.

My apologies, there isn’t a setting that would automatically assign a Business role based on an IT role being detected. But upon further thought, why wouldn’t your assignment rules evaluate on Refresh? That should assign the Business roles. If your Business roles don’t have assignment rules and were assigned by a request/approval process, and you didn’t do an in-place upgrade, then you will have to do a bulk request of the business roles, which is super simple.

Did you bring over your 8.1 database or create a new database?

🙂 I was composing my response while you were responding. In this case I would do the following:

  1. Clone your LCM Provisioning workflow and call it something like xyz Provisioning No Approvals where xyz is the prefix you use for all of your custom assets (rules, etc)
  2. In that new workflow set the notification schemes all to none and the approval scheme to none.
  3. Set that new workflow as the Batch Request Access and Batch Manage Accounts workflow in the Lifecycle Manager, Business Processes tab.
  4. Create csv files to re-request all of the roles - very easy to do. Send them in batches of 20 or so. It will properly assign the Business roles and leave a trace for future removals. There just won’t be any record of approvals. Then the certifications will work properly.

Just had a thought. Seems maybe you are doing a single level role model and not doing Business roles / IT Roles. My recommendation still stands, but the idea of just creating a rule that adds any detected role into assigned roles - I suspect that also will work, but I would try it on a single user first (just hand edit the field in the debugger) and then check to see if the role can be revoked with the Access Request page.
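
The CSV re-request step in the batch approach above, as an added example that is not part of the original posts: it turns an export of detected identity/role pairs into batch files of at most 20 requests, skipping duplicates and pairs that are already assigned. The `operation, roles, identityName` column layout and the `AddRole` operation are assumptions about the IdentityIQ batch request format, and the sample names are constructed.

```python
import csv
import io

BATCH_SIZE = 20  # "batches of 20 or so", per the post above

# Assumed column layout for an IdentityIQ AddRole batch request file;
# confirm it against the batch request documentation for your version.
HEADER = ["operation", "roles", "identityName"]

def build_batches(detected, already_assigned=(), batch_size=BATCH_SIZE):
    """Return CSV strings, each holding at most batch_size AddRole rows.

    detected: iterable of (identity_name, role_name) pairs exported from IIQ.
    already_assigned: pairs to skip so no role is requested twice.
    """
    skip = set(already_assigned)
    seen = set()
    rows = []
    for identity, role in detected:
        pair = (identity.strip(), role.strip())
        if not all(pair) or pair in skip or pair in seen:
            continue  # blank field, already assigned, or duplicate export row
        seen.add(pair)
        rows.append(["AddRole", pair[1], pair[0]])
    batches = []
    for start in range(0, len(rows), batch_size):
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")  # quotes names containing commas
        writer.writerow(HEADER)
        writer.writerows(rows[start:start + batch_size])
        batches.append(buf.getvalue())
    return batches

def write_batches(batches, prefix="role_rerequest"):
    """Write each batch to prefix_NNN.csv and return the file names."""
    names = []
    for i, text in enumerate(batches, 1):
        name = f"{prefix}_{i:03d}.csv"
        with open(name, "w", newline="") as fh:
            fh.write(text)
        names.append(name)
    return names

# Constructed sample export: 45 identity/role pairs plus one duplicate row.
SAMPLE = [(f"user{i:02d}", "Custom Role A") for i in range(45)] + [("user00", "Custom Role A")]

if __name__ == "__main__":
    done = [("user44", "Custom Role A")]  # constructed: already re-assigned by hand
    for n, b in enumerate(build_batches(SAMPLE, already_assigned=done), 1):
        print(f"batch {n}: {b.count(chr(10)) - 1} requests")
```

Keeping the generated files alongside the batch request results gives a record of exactly which assignments were re-created without approvals.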
