Disabling serviceNow application account not removing the entitlements

mayurimenkar · May 3, 2024, 10:37am

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hi All, in current implementation we are removing all roles adn entittlments and disabling applicaiton accounts when user leaves the organization. However it is not working sa expected in case of serviceNow application. The account is getting disabled but the entitlements(groups) can still be seen as provisioned to the user in IIQ.
Any specifix reason for this. How can we remove those groups in target.
Thanks!

kjakubiak · May 3, 2024, 10:59am

Hi Mayuri,
IIQ by default when executing DISABLE operation - disables account, it’s not removing anything from it. The easiest way to do that would be to write BeforeProvisioningRule where in case of DISABLE operation you add MODIFY operation to remove entitlements.

The rule would look similar to this:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="RemoveEntitlementsOnDisable" type="BeforeProvisioning">
  <Source>
  import sailpoint.object.ProvisioningPlan;
	import sailpoint.object.ProvisioningPlan.ObjectRequest;
	import sailpoint.object.ProvisioningPlan.ObjectOperation;
	import sailpoint.object.ProvisioningPlan.AttributeRequest;
	import sailpoint.object.ProvisioningPlan.Operation;
	String entitlementAttribureName = "role";
	List newAccountRequests = new ArrayList();
	List accountRequests = plan.getAccountRequests();

	for(AccountRequest accountRequest : accountRequests) {
 	 if(accountRequest.getOperations().equals(ProvisioningPlan.AccountRequest.DISABLE)) {
      AccountRequest newAccountRequest = new AccountRequest();
      newAccountRequest.setOperation(ProvisioningPlan.AccountRequest.MODIFY);
      newAccountRequest.add(new AttributeRequest(entitlementAttributeName,Operation.Set,null));
      newAccountRequest.setNativeIdentity(accountRequest.getNativeIdentity()); 
      newAccountRequests.add(newAccountRequest);
     }
    }
if(!newAccountRequests.isEmpty()) {
  for(AccountRequest accountRequest : newAccountRequests) {
    plan.add(accountRequest);
  }
}
      </Source>
</Rule>

if setting entitlementAttribute to null will not work then you will have to get all current entitlements from the link, iterate over them and for each value create separate AttributeRequest with REMOVE operation - like that

List links = identity.getLinks();
for(Link link : links) {
if(link.getApplicationName().equals(accountRequest.getApplication()) && link.getNativeIdentity().equals(accountRequest.getNativeIdentity()) {
      newAccountRequest.add(new AttributeRequest(entitlementAttributeName,Operation.Remove,link.getAttribute(entitlementAttributeName)));
}
}

system · July 2, 2024, 10:59am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certification Revocation of Hybrid applications using IT Role Policies IIQ Discussion and Questions webservice-connector , identityiq , certifications	2	162	March 12, 2024
Removal of Entitlements added via API ISC Discussion and Questions apis , identity-security-cloud , entitlements	2	641	December 17, 2023
Set Entitlements to non-requestable if no longer in target application IdentityIQ (IIQ)	0	738	June 27, 2022
Severe Error when Workgroup members try to remove entitlements from Identities IIQ Discussion and Questions identityiq , entitlements	2	83	August 10, 2024
How to remove entitlements granted via request on IDN ISC Discussion and Questions identity-security-cloud , access-requests , entitlements	16	1239	March 19, 2024

Disabling serviceNow application account not removing the entitlements

Which IIQ version are you inquiring about?

Share all details related to your problem, including any error messages you may have received.

Related topics