Hi everyone,
I’m working on a requirement in SailPoint IIQ and need some assistance. In our environment, roles are generated dynamically based on the RefID under the object properties of a group in an application.
The group → object properties also has an attribute called Status, which tells whether the group is active or inactive.
For example:
Application: XYZ
Entitlement (Group): ABC
RefID: 123456
The Role Name would be: BR_STAFF 123456
What I want to achieve is to disable the role using the RefID when the Status attribute of the group is Inactive.
Could anyone assist me in defining the rule or UI query to check the Status of the group entitlement? If the status is Inactive, I need to disable the associated role using the RefID.
Any help, sample queries, or best practices would be greatly appreciated!
This can be accomplished by filtering the group based on the status attribute. By applying this filter, you can retrieve the roleName associated with each entry. Once you have the roleName, you can use it to fetch the unique bundle object by applying the appropriate filters. After retrieving the bundle, you can disable it.
Option 1:
Create an extended attribute called “disabled” in the ManagedAttribute.
Populate this attribute during group aggregation using a group refresh rule based on the object attribute ‘Status’.
Schedule a rule runner task to fetch the status information from ManagedAttribute and update the role accordingly.
Option 2:
Schedule a rule runner task to fetch details from the ManagedAttribute class.
Update the role based on the fetched details.
Below is a sample code snippet, just to consider an entitlement and update a role accordingly. Attached a copy of it. You can enhance as needed. Try to execute it in debug page once. SampleRule.xml (893 Bytes)
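```java
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
// Select objects whose "status" attribute is "inactive"
QueryOptions qp = new QueryOptions();
qp.addFilter(Filter.eq("status", "inactive"));
qp.setCloneResults(true);
```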
Can I also add a filter on application? I want managedAttributes (entitlements) from a particular application, or to add a filter to the bundle for the application to search.
@Arpitha1, thank you for providing me options. I will most likely go ahead with option 2 (using a rule via a task). Your rule works for one entitlement but I want to disable role for one particular application which has multiple entitlements attached to multiple roles.
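An added example, not code from any post in this thread or from the attached SampleRule.xml: a BeanShell rule body for a Run Rule task that covers every entitlement of one application, as asked above. It assumes the application name `XYZ`, the attribute keys `Status` and `RefID`, and the role prefix `BR_STAFF ` from the question's example, and that `context` is the SailPointContext the task supplies; `dryRun` is a hypothetical switch added here so the list of affected roles can be reviewed before anything is changed.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Assumed values taken from the question's example; adjust to your schema.
String appName    = "XYZ";
String rolePrefix = "BR_STAFF ";
boolean dryRun    = true;   // report only; set to false to actually disable roles

// Restrict the search to the entitlements of one application.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", appName));
qo.setCloneResults(true);   // results are cloned because we commit inside the loop

List changed = new ArrayList();
Iterator it = context.search(ManagedAttribute.class, qo);
try {
    while (it.hasNext()) {
        ManagedAttribute ma = (ManagedAttribute) it.next();
        // Status and RefID are read from the group's attribute map (object properties).
        String status = Util.otos(ma.getAttribute("Status"));
        String refId  = Util.otos(ma.getAttribute("RefID"));
        if (refId == null || !"Inactive".equalsIgnoreCase(status)) {
            continue;   // active group, or no RefID to build a role name from
        }
        Bundle role = context.getObjectByName(Bundle.class, rolePrefix + refId);
        if (role == null || role.isDisabled()) {
            continue;   // no matching role, or it is already disabled
        }
        if (!dryRun) {
            role.setDisabled(true);
            context.saveObject(role);
            context.commitTransaction();
        }
        changed.add(role.getName());
    }
} finally {
    Util.flushIterator(it);   // always release the underlying cursor
}
return (dryRun ? "Would disable: " : "Disabled: ") + changed;
```

Run it once with `dryRun = true` from the debug page and compare the returned role names against the expected inactive groups before scheduling it.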