Entitlements removal when Lifecycle State changes to inactive

SaiSumanth · April 28, 2023, 9:57am

Hi Experts,

Can anyone please help me with the before provisioning rule to remove all the entitlements of a user when his Lifecycle State changes to inactive (entitlements requested through request center, assigned through access profiles, Roles [other than birth right roles] should be revoked when a user’s lcs becomes inactive from different sources like AD, SalesForce.

ethompson · April 28, 2023, 4:08pm

The user’s roles should have criteria that included the LCS. For the BeforeProvisioning in AD you can Set the memberOf to the CN=Domain User,DC=example,CD=com to remove all other groups.

String domainUsersDN = "CN=Domain Users,CN=Users,DC=example,DC=com";
groups.add(domainUsersDN);
accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Set, groups));

You can also do this with the Services Standard rule (request from Expert Services) and apply this configuration to your AD source.

[
    {
        "op": "replace",
        "path": "/connectorAttributes/cloudServicesIDNSetup",
        "value": {
            "eventConfigurations": [
                {
                    "eventActions": [
                        {
                            "Action": "RemoveADEntitlements",
                            "Attribute": "memberOf",
                            "Value": "CN=Domain Users,CN=Users,DC=example,DC=com"
                        }
                    ],
                    "Identity Attribute Triggers": [
                        {
                            "Action": "cloudLifecycleState",
                            "Operation": "eq",
                            "Value": "inactive"
                        }
                    ],
                    "Operation": "Disable"
                }
            ]
        }
    }
]

This triggers this function with the above configuration.

public void removeADEntitlements(Identity identity, AccountRequest accountRequest, Object value) {
	log.debug("Enter removeADEntitlements: " + value);
	if(accountRequest == null) {
		log.error("removeADEntitlements: Invalid Arguments: accountRequest is null");
		return;
	}
	String adDomainUsers = null;
	if(value == null) {
		log.error("removeADEntitlements: Invalid Arguments: value is null");
		return;
	}
	else if(value instanceof String) {
		if(((String) value).contains("DC")) {
			adDomainUsers = (String)value;
		}
	}
	if(adDomainUsers == null) {
		log.error("removeADEntitlements: Invalid Arguments: value is not valid");
		return;
	}
	if(identity == null) {
		log.error("removeADEntitlements: Invalid Arguments: Identity is null");
		return;
	}
	List groupList = new ArrayList();
	groupList.add(adDomainUsers);
	accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Set, groupList));
	log.debug("Exit RemoveEntitlements");
}

SaiSumanth · May 4, 2023, 11:24am

@ethompson

Thanks for the response, can you please provide a way to achieve the removal of entitlements on salesforce application when a user’s lcs changes to inactive, thanks in advance.

MikeHamilton · May 8, 2023, 2:41pm

Hello, I am seeking the same thing for Salesforce as mentioned by Sai Sumanth Golla

Topic		Replies	Views
Active directory entitlement removal ISC Discussion and Questions identity-security-cloud , lifecycle-management	4	754	December 24, 2023
Remove AD groups ISC Discussion and Questions	3	3072	July 19, 2023
How to keep entitlements for an inactive LCS state ISC Discussion and Questions identity-security-cloud , provisioning	3	293	October 28, 2023
AD Entitlement Provisioning to Inactive Identities ISC Discussion and Questions identity-security-cloud , provisioning , access-requests , entitlements	5	777	July 21, 2023
Remove all Access when user state changes from Inactive to Terminated ISC Discussion and Questions workflows , identity-security-cloud	12	134	November 22, 2024

Entitlements removal when Lifecycle State changes to inactive

Related topics