Entitlement Removal - Web Service Connector

Hi Team,

We have onboarded an application (Oracle IDCS) using the Web Services connector. The necessary configurations for account and entitlement aggregation are already in place and functioning as expected.

However, configuration for one use case is pending: automatic entitlement removal via the Web Services connector during access certification remediation. Specifically, when a reviewer revokes access during certification, the corresponding entitlement should be automatically removed from the application.

We attempted to configure a “Remove Entitlement” HTTP operation for this use case, but have not been successful so far. I would appreciate some guidance from experts in this community.

API Endpoint - https://{{baseURL}}/admin/v1/Groups/{{$groupid}}

Method - PATCH

Raw Body:
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "remove",
      "path": "members[value eq \"{{$usernativeID}}\"]"
    }
  ]
}

What I need help with:

Is using the "Remove Entitlement" type HTTP operation the correct solution?
If yes, what value should be used for {{$groupid}} in the "context URL"?

I have tried using the "context URL" below, but it doesn't work.
    /admin/v1/Groups/$plan.groups$

The reason I used $plan.groups$ is that in the account schema, “groups” is the attribute which holds the group id.

Thanks
Vijay

Yes, Remove Entitlement is the correct way/operation.

Do you have an entitlement schema defined separately? Can you check what the attribute for the group id is there? If you have an entitlement schema defined separately, then remove the group ID attribute from the account schema.

Can you cross-check whether the path above is correct? Also, is $usernativeID the native identity for whom we are removing the entitlement? If yes, then have it as $plan.nativeIdentity$.
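
An offline check of the PATCH body discussed in this thread, as an added example that is not part of either post and is not connector code: it builds the SCIM PatchOp body for one member id and applies it to a constructed group to confirm that only that member is removed. The function names, the sample group and the placeholder check are assumptions made for illustration, and only the `members[value eq "..."]` path form from the post is modelled.

```python
import json
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Only the path form used in the post: members[value eq "<id>"]
_MEMBER_PATH = re.compile(r'^members\[value eq ("(?:[^"\\]|\\.)*")\]$')


def build_remove_member_patch(user_id: str) -> dict:
    """Build the PatchOp body from the post for one concrete member id."""
    # Assumption: a real id never contains "{{" or "$"; seeing either means
    # the template variable was sent unresolved instead of being substituted.
    if not user_id or "{{" in user_id or "$" in user_id:
        raise ValueError("member id is empty or an unresolved placeholder")
    # json.dumps quotes and escapes the id, so a value containing a quote
    # cannot end the filter string early and widen the match.
    path = f"members[value eq {json.dumps(user_id)}]"
    return {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "remove", "path": path}]}


def apply_remove_member(group: dict, patch: dict) -> dict:
    """Local model of the remove operation; returns a new group dict."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("missing PatchOp schema")
    members = list(group.get("members", []))
    for op in patch["Operations"]:
        m = _MEMBER_PATH.match(op.get("path", ""))
        if op.get("op", "").lower() != "remove" or not m:
            raise ValueError(f"unsupported operation: {op}")
        target = json.loads(m.group(1))
        members = [x for x in members if x.get("value") != target]
    return {**group, "members": members}


# Constructed sample group; all ids are made up.
SAMPLE_GROUP = {
    "id": "group-0001",
    "displayName": "Finance-Approvers",
    "members": [{"value": "user-aaa"}, {"value": "user-bbb"}],
}

if __name__ == "__main__":
    body = build_remove_member_patch("user-bbb")
    print(json.dumps(body, indent=2))
    print(apply_remove_member(SAMPLE_GROUP, body))
```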