As we are all aware, in the Application Owner Certification, when we revoke the account, the account will be deleted in the native application.

But if you have a requirement that you want to disable the account instead of delete it, then you can try with the entry called (<ProvisioningConfig deleteToDisable=“true”/) in the application (by adding it to the application from the Debug page). But that may create an issue with the default behavior of deleting accounts (in Manage Accounts).

image422×598 19.4 KB

So for that, without disturbing the OOTB functionality of Manage Accounts (Delete), what we can do is write a simple code in the before-provisioning rule of the application that checks if the request (Source) is a Certification, Delete request and then disables the account instead of deleting it. Here is the code for that.

Code:

String userId = "";
  List accRequests = plan.getAccountRequests( application.getName() );
  for ( AccountRequest accReq : accRequests )
  {
    if(accReq.getOp() == ObjectOperation.Delete &&  null != plan.getSource() && plan.getSource().equals("Certification") && null != accReq.getNativeIdentity() )
    {
      plan.remove(accReq);

      userId = accReq.getNativeIdentity();
      AccountRequest disableActReq = new AccountRequest();
      disableActReq.setOperation(AccountRequest.Operation.Disable);
      disableActReq.setApplication("AppName");
      disableActReq.setNativeIdentity(userId);
      log.error("Added the account request for disable: ");

      plan.add(disableActReq);
    }

  }

Hi @bhanuprakashkuruva, Appreciate your efforts!

Thank you @VinodC.

Thanks for Sharing

This is helpful.
Did you check the option adding flag deleteToDisable ?

<ProvisioningConfig deleteToDisable=“true”/>

Hi @vishal_kejriwal1 ,

Yes, I have checked it. The problem with this is that the default behavior of deleting an account from manage account will not be working. Every time a disabled operation is performed, whenever a delete provisioning request comes to the application, it is changing the usefulness of the OOTP operation, which is needed many times.

Yes true .
But we need to be careful with adding condition into before provisioning rule as the condition will be check for each and every r transaction for the application.

Yeah, you are right. That’s why we are checking conditions that if plan’s (request) source is Certification and delete operation only, then do this.

This is helpful. I will try to execute the same to observe the behaviour.

Thank you, Vivek. You can try.

Adding (ProvisioningConfig deleteToDisable=“true”) on application configuration will affect Leaver account deletion ?

Yes, anything comes to application for Delete account request, it will impact.

Thank you for your reply. I implement this rule, its deleting the certification plan but its not adding any plan to disable. Account stays Active even after revoking the access.

String userId = “”;
List<AccountRequest> accRequests = plan.getAccountRequests(application.getName());

for (AccountRequest accReq : accRequests) {
if (accReq.getOp() == ObjectOperation.Delete
&& plan.getSource() != null
&& plan.getSource().equals(“Certification”)
&& accReq.getNativeIdentity() != null) {

    plan.remove(accReq);

    userId = accReq.getNativeIdentity();
    AccountRequest disableActReq = new AccountRequest();
    disableActReq.setOperation(AccountRequest.Operation.Disable);
    disableActReq.setApplication("Active Directory");
    disableActReq.setNativeIdentity(userId);
    log.error("Added the account request for disable: " + userId);

    plan.add(disableActReq);
}

}

You can put some loggers and check how it’s executing step by step in before provisioning rule. So that you will understand where it’s stoping it. The above code I gave is working code only. All you just have to execute it properly and check by adding some loggers statements.