Delete Garbage Identity from SailPoint

Hello Community,

I am working on uncorrelated account issues. We have a few Identities, which are like garbage Identities for SailPoint, and we need to remove them in such a way that it doesn't impact the access in the target applications.

Garbage Identities: these are identities that start with some fixed prefix (for example: "_firstviewxyz"). These identities are valid identities in the target applications but are not needed in SailPoint.

If anyone has worked on any such cases or has a custom rule already created to remove identities that are already aggregated in SailPoint, in a way that their access in the target application is not impacted, please suggest.

Thank you!

Hi @ArpitaSB,

You have some solutions for managing these cases:

  • Delete from console
  • Delete with rule
  • Do not aggregate those IDNs

To not aggregate them, you can mark these flags in the aggregation task if those accounts don't come from an authoritative source:

Otherwise, you can use an aggregation or a customization rule to exclude these accounts or not create the identity. I prefer this.

For example, you can check the name and, if it starts with '_', not create the IDN.

Hi @ArpitaSB

You can use a rule of type "ResourceObjectCustomization" on the application definition to not aggregate certain accounts.

String exclDN = "CN=_";

// getAttribute returns Object, so cast it before using String methods
String DN = (String) object.getAttribute("distinguishedName");

if (DN != null && !DN.isEmpty()) {
    // Drop any account whose DN carries the excluded prefix (e.g. CN=_firstviewxyz,...):
    // returning null tells the aggregator to skip this object entirely
    if (DN.toLowerCase().contains(exclDN.toLowerCase())) {
        return null;
    }
}

// Every other account is aggregated unchanged
return object;

Hello @nick01king

Can I use this rule for existing IDs in SailPoint and remove them?

Hello @enistri_devo

We have around 500+ IDs, out of which we have to remove 100-200+ IDs and keep the remaining ones. Is there any way to move forward with this?

Delete from console - I just want to understand how to proceed with this. Do we have anything specific?

Thank you!

In the iiq console you can use this command to delete one identity:

delete identity bob.smith

Or you can execute all the commands from a file when starting the console:

iiq console -f myCommands.txt

This is the link to the console guide:

Also, I prefer to use the rule, because I can write more complex logic, use logs, etc.


Hi @ArpitaSB

This rule can be used on the application definition where the accounts are uncorrelated.

Or as mentioned you can use iiq console. However, if these accounts are aggregated again they will be recreated in IdentityIQ.

Hi @enistri_devo
Is there any way to delete multiple accounts in a single go which are in the same format? Let's say I have accounts garbage.mail1 and garbage.mail2 and so on. How can I delete them together at the same time?

The same; you can use a file:

delete link lnk1
delete link lnk2
delete link lnk3
delete link lnk4

and execute it in the console, or you can create a rule.

Hi @y_mohan_krishna ,

Welcome to the community!

There are 2 different ways this can be achieved depending on your preference.

  1. You can use a ResourceObjectCustomization Rule in the Rules tab of the connector that aggregates the accounts into IdentityIQ.

  2. You can create a Run Rule task to iterate over account links for that specific application and remove them from IdentityIQ.

I recommend using the ResourceObjectCustomizationRule, as every time an aggregation is run for that application it will automatically not pull the account through into IdentityIQ.

For example:

if (object != null)
{
  // Read the attribute once and guard against accounts that have no email,
  // otherwise contains() would throw a NullPointerException during aggregation
  String email = (String) object.getAttribute("email");
  if (email != null && (email.contains("mail1") || email.contains("mail2")))
    {
      return null;   // skip this account: it is not created in IdentityIQ
    }

  return object;
}
return object;   // null input stays null

I hope this helps you.
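An added example of option 2 above (a Run Rule task that removes matching links), not code from any poster in this thread: it reports first and only deletes when the dry-run flag is switched off, and it uses a Java regex so that patterns such as "any character followed by test" can be matched, which Filter.like alone cannot express. The application name, the regex and the dryRun flag are assumed values; context and log are the standard variables IdentityIQ passes into a rule, and generics are avoided because the rule runs under BeanShell.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import sailpoint.api.Terminator;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Assumed values for this example; adjust to your application and naming scheme.
String appName = "Active Directory";            // assumption: application to clean up
Pattern garbage = Pattern.compile("^.test.*");   // matches 1test_user, not test_user
boolean dryRun = true;                           // report only until set to false

// Collect matching link ids first and delete by id afterwards, so the
// database result set is not modified while it is still being iterated.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", appName));
Iterator rows = context.search(Link.class, qo, "id, nativeIdentity");
List toDelete = new ArrayList();
while (rows.hasNext()) {
    Object[] row = (Object[]) rows.next();
    String nativeId = (String) row[1];
    if (nativeId != null && garbage.matcher(nativeId).matches()) {
        toDelete.add((String) row[0]);
        log.info("Garbage link matched: " + nativeId);
    }
}
Util.flushIterator(rows);

// Terminator removes the Link and detaches it from its Identity; the identity
// itself is left behind as an orphan that "Prune Identity Cubes" can remove.
Terminator terminator = new Terminator(context);
int deleted = 0;
if (!dryRun) {
    for (int i = 0; i < toDelete.size(); i++) {
        Link link = context.getObjectById(Link.class, (String) toDelete.get(i));
        if (link != null) {
            terminator.deleteObject(link);
            context.commitTransaction();
            context.decache(link);
            deleted++;
        }
    }
}
return "matched=" + toDelete.size() + ", deleted=" + deleted;
```

Run it once with dryRun left at true and check the task result and log for the matched names before letting it delete anything.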

Hi @y_mohan_krishna

Get the link ids from the database where the links have a name like garbage (or similar) and create a file like the one below:

delete Link <link id 1>
delete Link <link id 2>

Then run it from iiq console using the following command:

source <path of the file created in the previous step>

Also, better to run a refresh after doing this.

To avoid aggregating them again into SailPoint, use the resource customisation rule.

Thanks


Hi @Sriindugula @enistri_devo
Let's say there are hundreds in a similar format. Can we delete them all together? If yes, is there any PDF that could help me with this method, as I am new to it?
Thank you for your response.

Hi @y_mohan_krishna

Yes, you can add all the link id delete commands into one file and use the Source command to execute the deletion of all those links.

Unfortunately, I don't have any PDF of the steps handy, but I think the draft steps below might help:

  1. execute the query SELECT id FROM [identityiq].[spt_link] WHERE display_name LIKE 'garbage%' OR native_identity LIKE 'garbage%'
  2. copy the ids from the above query results
  3. build a text file, prepending delete link before every id (one command per line), which looks like
    delete link id1
    delete link id2
    .
    .
    delete link idn
  4. open the iiq console (refer to this document on how to use the iiq console) and execute the source command [https://community.sailpoint.com/t5/IdentityIQ-Product-Guides/8-4-IdentityIQ-Console-Guide/ta-p/240692]
  5. write a resource customisation rule in all applicable applications (to avoid bringing those links back into SailPoint again); refer to the previous responses for examples.

hope this helps.

Thanks


Hi @y_mohan_krishna

If you use a ResourceObjectCustomization rule in the application definition (example provided earlier in this post) and then, in the application aggregation task, select "Detect deleted accounts", this will delete them all together in a similar format.

Please note: this will also delete from IdentityIQ any account that no longer exists in the target application.

Hello @Sriindugula ,
Hope you are doing well. We use delete Identity identity_part to delete all the identities that have identity_part in them. Is there a way through which we can delete an identity whose name has, let's say, "test" starting from the second letter? For example, we don't want to delete the identity test_user, but we have to delete IDs like 1test_user, 2test user, etc.

Thank you for your response.

Hi @ArpitaSB ,
If this is a one-time activity, you can collect the details of those users either from Advanced Analytics or the database and do a delete identity console command.
But if it is an ongoing issue that can happen in the future as well and you need a permanent solution for this: there is a task in IIQ named the Prune Identity task, and there is a Java class running behind it. You can extend that rule and use a similar task to prune identities. This uses an OOTB method called identityCleanser, which cleans up identities based on certain conditions (you can refer to the constraints of the identityCleanser method in the community).
As we are using an OOTB task and method, this would be faster than having a Run Rule task or a rule that uses the Terminator class, where you have to iterate through each and every identity using a filter.

We can stop aggregating such identities by making use of the customization rule, which makes these identities orphans that do not have any application linked.

Once they are orphans, we can execute the "Prune Identity Cubes" task to get these orphan identities removed.

Hi, if you want to delete links, you can choose the approach below.

  1. Write a customization rule and return null for these ids.
  2. Use the console to delete the links, followed by running the "Prune Identity Cubes" task.

If your requirement is to delete identities or clean up orphan identities:

  1. You can directly run the "Prune Identity Cubes" task. If an identity holds any link, move those links to the proper identity and then run the task. If you just want to take a report first and then perform the deletion, run the "Prune Identity Cubes" task with the option "Analyze but do not delete".
