Disable Provisioning for Certifications

Which IIQ version are you inquiring about?

8.3p3

Windows/Linux servers which require recertification of user accounts added to the host. When a certifier revokes an account, we don’t want the account removed automatically. We want to manage removals through CHG controls. As a result, we need to validate if we can disable provisioning only for these certifications without removing provisioning strings from the application level.

In SailPoint we refer to the action taken by the certifier; however, we will perform the revoke operation through CHG control.
Please suggest possible solutions.

You can write logic in a before provisioning rule to handle your scenario. Below is an example:

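import java.util.List;
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// `plan` is the ProvisioningPlan passed to the before provisioning rule
Attributes attributes = plan.getArguments();
List requestList = plan.getAccountRequests();
if (null != requestList && !requestList.isEmpty()) {
    for (AccountRequest request : requestList) {
        // Only account deletions are of interest here
        if (AccountRequest.Operation.Delete.equals(request.getOperation())) {
            // Only plans that originate from a certification
            if (null != attributes && "Certification".equals(attributes.getString("source"))) {
                //write your own logic to perform through chg control
            }
        }
    }
}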
2 Likes
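One way to fill in the placeholder branch of the rule above, as an added example that is not code from this thread or from SailPoint: Delete requests in a certification-sourced plan are taken out of the plan and logged so a change ticket can be raised from them. It assumes the body runs as the application's before provisioning rule, where IdentityIQ supplies `plan` and `log`; the log message format is constructed.

```java
// Added example: body of an IdentityIQ before provisioning rule (BeanShell).
// Assumption: IdentityIQ supplies `plan` and `log` to the rule.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Same source check as the rule above: act only on certification plans
Attributes attributes = plan.getArguments();
boolean fromCertification = attributes != null
        && "Certification".equals(attributes.getString("source"));

List requests = plan.getAccountRequests();
if (fromCertification && requests != null && !requests.isEmpty()) {
    List keep = new ArrayList();   // still sent to the connector
    List held = new ArrayList();   // left for change control

    for (Object o : requests) {
        AccountRequest request = (AccountRequest) o;
        if (AccountRequest.Operation.Delete.equals(request.getOperation())) {
            held.add(request);
        } else {
            keep.add(request);
        }
    }

    if (!held.isEmpty()) {
        // Replace the list instead of removing entries while iterating
        plan.setAccountRequests(keep);
        for (Object o : held) {
            AccountRequest request = (AccountRequest) o;
            // Constructed message format: the values a CHG ticket would need
            log.warn("Certification revoke held for change control: application="
                    + request.getApplication()
                    + ", account=" + request.getNativeIdentity());
        }
    }
}
```

Requests from other sources, and non-Delete requests in the same plan, pass through unchanged.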

Hi @pradyutdas1984 ,

I have created a nice document for this. You can go through the document. Please let me know by replying to this message if you face any issues.

@bhanuprakashkuruva, thanks for your suggestion, I have reviewed the article. My use case is a bit different.
In user access recertification, the certifier revokes the user access during the certification cycle and signs off. This process remains OOTB; however, we don’t want the revoke operation to happen in the target. Once the certifier signs off the certification campaign, based on the action taken (revocation) for those specific users, we want to open a ServiceNow Change ticket and then remove those users from the target, either through a manual transaction or a batch, after the Change ticket is approved. I am trying the below:

import sailpoint.object.Identity;
import sailpoint.object.Certification;
import sailpoint.object.CertificationItem;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.api.SailPointContext;
import sailpoint.api.SailPointFactory;

public class CertificationSkipProvisioning {

    public void skipProvisioningOnRevoke(Certification certification, Identity certifier) {
        SailPointContext context = SailPointFactory.getCurrentContext();

        CertificationItem[] items = certification.getItems();

        for (CertificationItem item : items) {
            if (item.getCertifier().equals(certifier) && item.isRevoke()) {
                skipProvisioning(item, context);
            }
        }
    }

    private void skipProvisioning(CertificationItem item, SailPointContext context) {
        AccountRequest accountRequest = item.getAccountRequest();

        if (accountRequest != null) {
            ProvisioningPlan provisioningPlan = accountRequest.getProvisioningPlan();

            if (provisioningPlan != null) {
                provisioningPlan.setSkipProvisioning(true);

                context.saveObject(provisioningPlan);
                context.commitTransaction();
            }
        }
    }

}

Thanks @vedeepak , for the heads up
