Disabled application accounts enabled back after aggregation

himabindu306 · February 11, 2025, 12:09pm

8.4

Hi, I have disabled JDBC accounts through leaver. But once I ran the aggregation for the application, the disabled accounts are showing as enabled (in green). Any help where things are wrong?

enistri_devo · February 11, 2025, 12:12pm

Hi @himabindu306,

have you configured a Provision rule where you update the database?

kolipakularaviturnkey · February 12, 2025, 7:01am

Have you verified whether it is disabling accounts on JDBC?

officialamitguptaa · February 12, 2025, 7:32am

@himabindu306 -

You need to create a JDBCBuildMap rule to handle the same. If the accountStatus is disabled then you need to set the IIQDisabled Flag to true which let’s IIQ to understand that’s the account is disabled.
Below is the sample code.

import sailpoint.connector.JDBCConnector;
import java.util.Map;

Map map = JDBCConnector.buildMapFromResultSet(result);
String accountStatus = map.get("accountStatus");
if (null != accountState && accountState.equalsIgnoreCase("disabled")){
     map.put("IIQDisabled",true);
}
return map;

In the above code accountStatus is holding the status of the account in the target application whether the account is disabled or enabled. When the accountStatus is disabled it is setting the IIQDisabled flag as True.

Just follow the steps and you would be able to solve the issue.

Thank you!

himabindu306 · February 12, 2025, 10:54am

Hi Emanuuele,

Yes, I have written provision rule for create and disable operations.

himabindu306 · February 12, 2025, 10:54am

Hi Ravi,

It is disabling the user in the DB

enistri_devo · February 12, 2025, 11:47am

ok, and do you set iiqDisable on account into the customization rule when the account is disable?

himabindu306 · February 12, 2025, 12:19pm

No… I have just written global provision rule and below is the code for disable operation:
if ( AccountRequest.Operation.Disable.equals( account.getOperation() ) )
{

	        	  statement = connection.prepareStatement( "update EBS set disabled=true where employeeNumber=?" );
		            
	        	  statement.setString ( 1,account.getNativeIdentity());
		         
		            statement.executeUpdate();

		            result.setStatus( ProvisioningResult.STATUS_COMMITTED );

enistri_devo · February 12, 2025, 12:23pm

you must managed the iiqDisable of account manually into the customization rule for JDBC applications and if you make the same into the creation if the apps is a auth source

iamksatish · February 12, 2025, 1:09pm

@himabindu306
Please make sure you are setting iiqDisabled as true in the customization rule based on the disabled column condition in the resource object

this way account will be marked disabled after aggregation

In your case

if(object!=null){

if(disabledflag instanceof Boolean){
            boolean boolValue = (Boolean) disabledflag;
            if (boolValue) {
			object.put("iiqDisabled",true);
            } else {
			object.put("iiqDisabled",false);
            }
        } else if (disabledflag instanceof String) {
            String stringValue = (String) disabledflag;
            if (stringValue.equalsIgnoreCase("true")) {
			object.put("iiqDisabled",true);
            } else  {
			object.put("iiqDisabled",false);
            } 
        }
		return object;
		
		
		


}

system · April 13, 2025, 1:10pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.