Deprovisioning business roles

Hello,

We have IIQ 8.4 p1.
For some old terminated users, the entitlements section doesn't have roles or entitlements.
However, when I search for the user via the identity warehouse, I see some roles in the 'Assigned Role Summary'. Can you please let me know how we can get these roles cleaned up? Should I be using a provisioning plan / account request / attribute request and execute the plan? If you have done something similar for business roles, can you share your inputs?

Thanks in advance!

Have you tried to remove the roles using APIs (methods available on the Identity object) that may have caused the issue? You should use a provisioning plan to add or remove roles.
You can try executing the plan for a particular user and refreshing the user identity to see if it resolves the issue.

Thanks, Sanjeev. Since this is not an account on the application, can you show me how to build the plan to remove roles from the identity? I was thinking the remove(Bundle bundle) method on Identity would do that, but it didn't :frowning:

Here is example code to remove a role using a plan:

import sailpoint.api.Provisioner;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningProject;

  // identityObj and identityName come from the surrounding rule code
  ProvisioningPlan plan = new ProvisioningPlan();
  plan.setIdentity(identityObj);
  // role assignments live on the internal "IIQ" application, keyed by the identity name
  ProvisioningPlan.AccountRequest accReq = new ProvisioningPlan.AccountRequest();
  accReq.setApplication("IIQ");
  accReq.setNativeIdentity(identityName);
  accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);

  accReq.add(new ProvisioningPlan.AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Remove, "<YOUR ROLE NAME>"));
  plan.add(accReq);

  // nothing changes until the plan is compiled and executed
  Provisioner provisioner = new Provisioner(context);
  ProvisioningProject project = provisioner.compile(plan);
  provisioner.execute(project);

But I assume you would not want to remove roles one by one by name, so the following code gets the role list present in the Assigned Role Summary and creates a plan to remove all of them:

import java.util.List;

import sailpoint.api.Provisioner;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningProject;
import sailpoint.tools.Util;

  Identity identityObj = context.getObjectByName(Identity.class, identityName);
  // assignedRoleSummary is a CSV of role names; this is what the Identity Warehouse page shows
  String roleSummaryCSV = identityObj.getAssignedRoleSummary();
  if (roleSummaryCSV != null) {
      List roleList = Util.csvToList(roleSummaryCSV);
      ProvisioningPlan plan = new ProvisioningPlan();
      plan.setIdentity(identityObj);
      ProvisioningPlan.AccountRequest accReq = new ProvisioningPlan.AccountRequest();
      accReq.setApplication("IIQ");
      accReq.setNativeIdentity(identityName);
      accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);

      // the AttributeRequest value may be a List, so every role is removed in one request
      accReq.add(new ProvisioningPlan.AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Remove, roleList));
      plan.add(accReq);

      Provisioner provisioner = new Provisioner(context);
      ProvisioningProject project = provisioner.compile(plan);
      provisioner.execute(project);
  }

Hi Sanjeev,
Thanks for the detailed code snippet. I have tried using it for removing just one role, but it's not removing the role. Can you review the one below and let me know your thoughts? Am I missing anything?

import sailpoint.api.Provisioner;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningProject;

// "it" is an Iterator over Identity objects from the surrounding code (not shown)
Identity identity = (Identity) it.next();

Provisioner p = new Provisioner(context);
ProvisioningPlan plan = new ProvisioningPlan();

// disable the plan compiler's filtering of requests it considers already satisfied
p.setArgument("noFiltering", true);

plan.setIdentity(identity);
ProvisioningPlan.AccountRequest accReq = new ProvisioningPlan.AccountRequest();
accReq.setApplication("IIQ");
accReq.setNativeIdentity(identity.getName());
accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);

accReq.add(new ProvisioningPlan.AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Remove, "SAP - ReadOnly"));
plan.add(accReq);

// compile once and execute the compiled project (execute(plan) would compile it a second time)
ProvisioningProject project = p.compile(plan);
p.execute(project);

Can you print/log the project before executing it and see what is in the project? Also, in your case, try getting the list of assigned roles from the identity object and log/print it to check whether you see this role in the list or not.
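An added example, not code from any of the posts above, that puts Sanjeev's diagnostic suggestion and the plan-based removal together in one routine: it logs what Identity.getAssignedRoles() and getAssignedRoleSummary() each report (the two views that disagree in this thread), builds the removal plan from the summary list, logs the compiled ProvisioningProject before executing it, and re-reads the identity afterwards. It assumes it is called from an IIQ rule where `context` (SailPointContext) and `log` are already provided; the class name, the method name and the `dryRun` parameter are my own, not IIQ API.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.logging.Log;

import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningProject;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Hypothetical helper class; only the sailpoint.* and commons-logging calls are real IIQ API.
public class StaleRoleCleanup {

    /**
     * Removes every role listed in the identity's assignedRoleSummary through a
     * provisioning plan against the internal IIQ application.
     * Returns the role names that were targeted (empty if there was nothing to do).
     */
    public static List<String> cleanupSummaryRoles(SailPointContext context, Log log,
                                                   String identityName, boolean dryRun)
            throws GeneralException {

        Identity identity = context.getObjectByName(Identity.class, identityName);
        if (identity == null) {
            throw new GeneralException("No identity named " + identityName);
        }

        // What the Bundle list says (the Entitlements tab is driven by this) ...
        List<String> fromBundles = new ArrayList<String>();
        List<Bundle> assigned = identity.getAssignedRoles();
        if (assigned != null) {
            for (Bundle b : assigned) {
                fromBundles.add(b.getName());
            }
        }
        // ... versus what the CSV summary says (the Identity Warehouse page shows this).
        List<String> fromSummary = Util.csvToList(identity.getAssignedRoleSummary());
        if (fromSummary == null) {
            fromSummary = new ArrayList<String>();
        }
        log.info(identityName + " assignedRoles=" + fromBundles
                 + " assignedRoleSummary=" + fromSummary);

        if (fromSummary.isEmpty()) {
            log.info("Nothing to remove for " + identityName);
            return fromSummary;
        }

        // Same shape as a normal role removal: Modify the identity's "IIQ" account
        // and Remove values from its assignedRoles attribute.
        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);
        ProvisioningPlan.AccountRequest acct = new ProvisioningPlan.AccountRequest();
        acct.setApplication(ProvisioningPlan.APP_IIQ);            // "IIQ"
        acct.setNativeIdentity(identity.getName());
        acct.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
        acct.add(new ProvisioningPlan.AttributeRequest(
                ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,           // "assignedRoles"
                ProvisioningPlan.Operation.Remove,
                fromSummary));
        plan.add(acct);

        Provisioner provisioner = new Provisioner(context);
        ProvisioningProject project = provisioner.compile(plan);
        // Log the compiled project first: if the plan compiler filtered the request
        // away, the IIQ AccountRequest will be missing or empty here.
        log.info("Compiled project for " + identityName + ":\n" + project.toXml());

        if (dryRun) {
            log.info("dryRun set, not executing");
            return fromSummary;
        }

        provisioner.execute(project);
        context.commitTransaction();

        // Re-read the identity so the log shows the post-cleanup summary, not the cached one.
        context.decache();
        Identity after = context.getObjectByName(Identity.class, identityName);
        log.info(identityName + " assignedRoleSummary after cleanup="
                 + after.getAssignedRoleSummary());
        return fromSummary;
    }
}
```

From a rule this is called as `StaleRoleCleanup.cleanupSummaryRoles(context, log, "jdoe", true);` first, to read the two role lists and the compiled project in the log, and then with `dryRun` set to false once the project shows the IIQ AccountRequest you expect.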

@ramthetribo did you try refreshing those identities with "refresh role metadata for each identity" checked?

Hello @SanjeevIAM It worked when I got the roles via the Assigned Role Summary and passed them to the code. Thank you very much for your help!

@pravin_ranjan Thanks for the suggestion. Just FYI: the refresh alone didn't work. Please see my other post. When I fetched the assigned role summary and passed it to the Attribute request, it worked as Sanjeev said.