We have onboarded an application (Oracle IDCS) using the Web Services connector. The necessary configurations for account and entitlement aggregation are already in place and functioning as expected.
However, configuration for one use case is pending: automatic entitlement removal via the Web Services connector during access certification remediation. Specifically, when a reviewer revokes access during certification, the corresponding entitlement should be automatically removed from the application.
We attempted to configure a “Remove Entitlement” HTTP operation for this use case, but have not been successful so far. I would appreciate some guidance from experts in this community.
Is using a "Remove Entitlement" type HTTP operation the correct solution?
If yes, what value should be used for {{$groupid}} in the "context URL"?
I have tried using the "context URL" below, but it doesn't work.
/admin/v1/Groups/$plan.groups$
The reason I used $plan.groups$ is that in the account schema, “groups” is the attribute which holds the group id.
Yes, Remove Entitlement is the correct way/operation.
Do you have an entitlement schema defined separately? Can you check what the attributes there are for group id? If you have an entitlement schema defined separately, then remove the group ID attribute from the account schema.
Can you cross-check whether the path above is correct? Also, is $usernativreID the native identity for whom we are removing the entitlement? If yes, then have it as $plan.nativeIdentity$.
To answer your question: “Do you have an entitlement schema defined separately? Can you check what the attributes there are for group id?”
Yes, we have a “group” entitlement schema, and the “id” attribute is being used for the group id.
I haven’t yet tested whether removing multiple entitlements from the same user works with this configuration. I’ll update this post once I’ve had a chance to verify it.