Iterate through the active accounts and create a plan for account disablement. Pass this plan to the LCM Provisioning workflow and launch that workflow. This will ensure an IdentityRequest and necessary audits are included along with the provisioning.
Instead of creating a plan and launching a workflow, I have written a script for bulk disablement of active accounts on inactive identities. This is a one-time activity; here is my code. Can you assist me? How can I add logging to my code?
```java
import sailpoint.api.SailPointContext;
import sailpoint.api.SailPointFactory;
import sailpoint.object.Identity;
import sailpoint.object.Application;
import sailpoint.object.Link;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.api.Provisioner;
import java.util.List;
import java.lang.Thread;

SailPointContext context = SailPointFactory.getCurrentContext();
String targetApplication = "123XYZ"; // Application name filter

// Fetch application object
Application app = context.getObject(Application.class, targetApplication);
if (app == null) {
    System.out.println("Application not found: " + targetApplication);
    return;
}

// Query to fetch all application accounts
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application", app)); // Get only application accounts
List allAccounts = context.getObjects(Link.class, qo);

if (allAccounts.isEmpty()) {
    System.out.println("No active accounts found for application: " + targetApplication);
} else {
    System.out.println("Processing " + allAccounts.size() + " active accounts...");
    for (Link link : allAccounts) {
        Identity identity = link.getIdentity();
        if (identity != null && identity.isInactive() && !link.isDisabled()) {
            System.out.println("Processing inactive identity: " + identity.getName());

            // Disable the active account
            link.setAttribute("Status", "Inactive");
            link.setAttribute("IIQDisabled", true);
            context.saveObject(link);
            context.commitTransaction();
            System.out.println("Disabled account: " + link.getDisplayName() + " for identity: " + identity.getName());

            // ******** Trigger Provisioning Using IdentityRequest ******** //
            ProvisioningPlan plan = new ProvisioningPlan();
            plan.setIdentity(identity);
            AccountRequest a = new AccountRequest();
            a.setApplication(targetApplication);
            a.setOperation(AccountRequest.Operation.Disable);
            a.setNativeIdentity(link.getNativeIdentity());
            plan.add(a);
            Provisioner p = new Provisioner(context);
            p.compile(plan);
            p.execute();
            System.out.println("Provisioning initiated for: " + link.getDisplayName());

            // Introduce a 5-second delay after processing each inactive identity
            try {
                System.out.println("Waiting 5 seconds before processing the next identity...");
                Thread.sleep(5000);
            } catch (InterruptedException e) {
                System.err.println("Sleep interrupted: " + e.getMessage());
            }
        }
    }
}
```
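One way to add logging to the script above, shown as an added example that is not part of the original post or SailPoint's own code: the `System.out.println` calls become leveled logger calls, and each account is wrapped in a try/catch so a single failure is logged with its stack trace and the run continues. It assumes the code runs as an IdentityIQ BeanShell rule where `context` is supplied, uses a hypothetical logger name, and keeps only the Provisioner call from the post (the direct Link attribute update and the sleep are left out).

```java
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import sailpoint.api.Provisioner;
import sailpoint.object.*;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Hypothetical logger name; its level is set in IdentityIQ's log4j configuration.
Log log = LogFactory.getLog("rule.BulkDisableInactive");
String targetApplication = "123XYZ"; // application name from the post
Application app = context.getObject(Application.class, targetApplication);
if (app == null) {
    log.error("Application not found: " + targetApplication);
    return;
}

QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application", app));
List links = context.getObjects(Link.class, qo);
log.info("Found " + links.size() + " accounts on " + targetApplication);

int disabled = 0, skipped = 0, failed = 0;
for (Link link : links) {
    Identity identity = link.getIdentity();
    if (identity == null || !identity.isInactive() || link.isDisabled()) {
        skipped++;
        if (log.isDebugEnabled()) log.debug("Skipping " + link.getNativeIdentity());
        continue;
    }
    try {
        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);
        AccountRequest req = new AccountRequest();
        req.setApplication(targetApplication);
        req.setOperation(AccountRequest.Operation.Disable);
        req.setNativeIdentity(link.getNativeIdentity());
        plan.add(req);
        Provisioner p = new Provisioner(context);
        p.compile(plan);
        p.execute();
        disabled++;
        log.info("Disable requested: " + link.getNativeIdentity() + " identity=" + identity.getName());
    } catch (Exception e) {
        failed++;
        // Passing the exception as the second argument keeps the stack trace in the log
        log.error("Disable failed: " + link.getNativeIdentity(), e);
    }
}
log.info("Bulk disable finished: disabled=" + disabled + " skipped=" + skipped + " failed=" + failed);
```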
There are many approaches here TBH, and it should be decided based on the needs. For example, if you want a preventive action (with automation), it’s different than if you need to have tracking and compliance, and different than batch processing or bulk applying…
Maybe you will use all of them; it’s up to you and your needs. Here are the 3 approaches that are at the top of my head:
If automation is a priority, go with Lifecycle Event.
If batch processing is preferred, use a Scheduled Task.
If compliance tracking is needed, use Policy-Based Enforcement.