No problem at all! Glad I could help. For the modification, it appears you are first removing the old role and then assigning the new one. To get this, you need to write a Web Service Before Operation rule in which you have to execute both APIs (DELETE/POST).
Great to hear that the issue is solved. For role modification, you can achieve it by using web service before operation rules, as suggested in the other post. In this rule you will need to make use of restClient and make an API call to get the single user, then loop over all its assignments to remove them and add the requested access. Also, if there is a generic endpoint which removes all the access from the user, then you can also use three add entitlement operations to achieve this requirement without the need for connector rules.
Having said that, for role modification I guess it could be a bit tricky: if you are planning to assign the access via roles, then you might end up with an entitlement stickiness issue, as below:
User has role A right now.
User requested to assign role B now.
You remove role A from the web service operation rule or multiple add entitlement operations and add role B.
But for ISC, since the user newly requested role B and already had role A, it will interpret that the user should have 2 roles right now: A and B.
So at the next aggregation or during identity refresh, it will assign role A again.
So here you will need to use access profiles as the requestable object, as you may not be able to use this functionality using roles as the requestable object, and I think you cannot achieve birthright access for this application. To achieve it with roles, you will need to use the before provisioning rule, where you update the provisioning plan, as I am not sure if the web service before operation rule also allows you to update the provisioning plan, although it does expose this Java object as a request parameter.
Another option to use roles as requestable objects is to use a workflow, where you use the trigger for provisioning completed and then use the workflow to raise the request to remove the already existing role automatically. This way you can have the add entitlement operation very neatly defined, as it will only do one action at a time, either addition or removal. The workflow will take care of the removal, and you will also see the requests raised for the user for the existing role removal with a proper reason, which will help you later on.
I hope this helps. In case you have questions or suggestions, please let us know.