Version 8.3
By mistake I run the aggregation task for a application and due to this it create bulk of entitlement for that application. I want to remove all entitlement from that application. Is there any way to remove the entitlement associated with that applications?
Hi @amanKsingh,
Write a rule that would filter out the entitlements using query options. To delete an object, use the Terminator class within which use deleteObject() method.
Utilize the run rule task or run the rule from the debug page.
Please mark this as the solution if this resolves your query.
Best,
Sreeram
You can do this in multiple ways
If this is one time process then i would say check option 1 and 2 .
Hi @amanKsingh,
If you have separate group schema. Write Below
return null;
In customization rule and Run Group Aggregation with “Detect Deleted Groups”
sample code to delete entitlements from specific application
import sailpoint.object.QueryOptions;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.api.Terminator;
QueryOptions queryOptions = new QueryOptions();
queryOptions.addFilter(Filter.eq("application.name","name of the application"));
Terminator terminator = new Terminator(context);
Iterator itr = context.search(ManagedAttribute.class ,queryOptions, "id");
while(itr.hasNext()){
String maId = itr.next()[0];
ManagedAttribute managedAttribute = context.getObjectById(ManagedAttribute.class,maId);
terminator.deleteObject(managedAttribute);
}
Would it be possible to get this rule to trigger the edit entitlement workflow? As an example to delete all entitlements for ‘Active Directory Test’ and then have it actually delete the groups in AD, not just delete the managed attribute from entitlement catalogue?
Yes that is possible . but i would say to be very careful with this . better implement this only if this is really and really required .
“Entitlement update” is the name of workflow which can be used .
here’s the sample code which deletes entitlements from catalog and from the target system. be careful this actually deletes the object from the target system and then you want be able recover it so use at your wisdom.
import sailpoint.api.Provisioner;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AbstractRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.object.QueryOptions;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.api.Terminator;
QueryOptions queryOptions = new QueryOptions();
queryOptions.addFilter(Filter.eq("application.name","name of the application"));
Terminator terminator = new Terminator(context);
Iterator itr = context.search(ManagedAttribute.class ,queryOptions, "id");
while(itr.hasNext()){
String maId = itr.next()[0];
ManagedAttribute managedAttribute = context.getObjectById(ManagedAttribute.class,maId);
ProvisioningPlan plan = new ProvisioningPlan();
ObjectRequest req = new ObjectRequest();
req.setType(managedAttribute.getType());
req.setApplication(managedAttribute.getApplication().getName());
req.setNativeIdentity(managedAttribute.getValue());
req.setOp(ObjectOperation.Delete);
plan.add(req);
Provisioner provisioner = new Provisioner(context);
provisioner.execute(plan);
terminator.deleteObject(managedAttribute);
}
Hi Hemant, this is really helpful thank you for shareing. Our plan to use with caution, we will setup a dedicated AD application definition looking only at an OU in our domain which is named along the lines of ‘Read to be deleted’. We plan to use a scheduled rule runner task to delete objects in that OU periodically.
I gave the above code a test. It works but only seems to delete one object each time it runs and gives the below error:
An unexpected error occurred: java.lang.Exception: sailpoint.tools.GeneralException: The application script threw an exception: org.hibernate.LazyInitializationException: failed to lazily initialize a collection, could not initialize proxy - no Session BSF info: Delete Entitlement at line: 0 column: columnNo
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
