Disable Account / Lock Account

Hi, I’m working on IdentityIQ 8.5 and trying to control the account status for a connected application using a ResourceObjectCustomization rule.

The source application has an attribute enabled on the account.

  • When enabled = true, the account should be active.

  • When enabled is anything else (false/null), the account should be disabled.

I created a customization rule like this (simplified):

import sailpoint.object.ResourceObject;
import sailpoint.connector.Connector;

// Nothing to customize if the object or its type is missing
if (object == null || object.getObjectType() == null) {
    return object;
}

// Only account objects carry an enabled/disabled status
if (!Connector.TYPE_ACCOUNT.equals(object.getObjectType())) {
    return object;
}

// Default to disabled; only an explicit "true" marks the account as active
Object rawEnabled = object.getAttribute("enabled");
boolean disabled = true;

if (rawEnabled != null) {
    String val = rawEnabled.toString().trim().toLowerCase();
    if ("true".equals(val)) {
        disabled = false;
    }
}

// Set the account status flag on the resource object
object.setAttribute("IIQDisabled", Boolean.valueOf(disabled));

if (log != null) {
    log.debug("Rule-Account-Status-IIQDisabled: enabled=" + rawEnabled + ", IIQDisabled=" + disabled);
}

return object;

  • What could I be missing?

    • Do I need to set any additional attributes besides IIQDisabled?

    • Is there a specific place or rule type where IIQDisabled must be set for it to take effect?

I see you have logs in your rule, could you share those?

Dear @cleber_pcarv

Did you get a chance to look at the Wiki article below? It will help you understand the active and inactive accounts and identities and how to set it through a rule, and you will find best practices there.

Understanding active and inactive accounts and identities: IIQDisabled - Compass

Refer to the relevant topic solutions below:

Set IIQ disabled to true through rule - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

Disabled application accounts enabled back after aggregation - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

Account Status (IIQDisabled Attribute) For Delimited File Source - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

@cleber_pcarv May I know what type of connector you are using?

Thanks,

PVR

1 Like

Web service connector

1 Like

Use the simple code below, which works in my local for the webservices connector.


import sailpoint.object.ResourceObject;
import sailpoint.connector.Connector;

log.error("Entered Customisation Rule");

String enabled = object.getString("enabled");

// Set IIQDisabled and Status based on enabled value
if ("true".equalsIgnoreCase(enabled)) {
    object.setAttribute("IIQDisabled", Boolean.FALSE);
    object.setAttribute("Status", "Active");
} else {
    object.setAttribute("IIQDisabled", Boolean.TRUE);
    object.setAttribute("Status", "Inactive");
}

log.error("Account Status: enabled=" + enabled + ", IIQDisabled=" + object.getAttribute("IIQDisabled"));

return object;

@cleber_pcarv In the web service connector, you do not need to write a customization rule to set the account’s disabled and enabled status. SailPoint IdentityIQ provides a configured attribute; you just need to configure the value to set the Schema Attribute for Account Enable status: enabled=true or false.

I hope it will work!

Thanks,

PVR

2 Likes

@cleber_pcarv Try to use the configuration as much as possible, as this reduces the complexity of your implementation. In your use case, try to utilize the options available in the connector configuration. In most cases, it is very much working as expected. So please try it out.

If you want to stick to the rule, you might want to share your original rule (seems you shared a simplified version, could be possible that in your original rule, we have something extra) and the logs for further review.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react(:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.