How to bulk disable roles if the application entitlement is Inactive

Which IIQ version are you inquiring about?

8.3p4*

Share all details about your problem, including any error messages you may have received.

Hi everyone,

I’m working on a requirement in SailPoint IIQ and need some assistance. In our environment, roles are generated dynamically based on the RefID under the object properties of a group in an application.

The group → object properties also has an attribute called Status, which tells whether the group is active or inactive.

For example:

  • Application: XYZ
  • Entitlement (Group): ABC
  • RefID: 123456
  • The Role Name would be: BR_STAFF 123456

What I want to achieve is to disable the role using the RefID when the Status attribute of the group is Inactive.

Could anyone assist me in defining the rule or UI query to check the Status of the group entitlement? If the status is Inactive, I need to disable the associated role using the RefID.

Any help, sample queries, or best practices would be greatly appreciated!

Thanks in advance!

Hi @KaranGulati025 ,

This can be accomplished by filtering the group based on the status attribute. By applying this filter, you can retrieve the roleName associated with each entry. Once you have the roleName, you can use it to fetch the unique bundle object by applying the appropriate filters. After retrieving the bundle, you can disable it.

Refer to the code below.

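import java.util.Iterator;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;

String refId = "";
String roleName = "";

// Select the groups whose status is inactive
QueryOptions qp = new QueryOptions();
qp.addFilter(Filter.eq("status", "inactive"));
qp.setCloneResults(true);

Iterator iter = context.search(ManagedAttribute.class, qp);
if (iter != null && iter.hasNext()) {
    while (iter.hasNext()) {
        ManagedAttribute managedAttribute = (ManagedAttribute) iter.next();
        // The key must match the attribute name on the group (the question writes it RefID)
        refId = (String) managedAttribute.getAttribute("RefId");
        if (refId == null) {
            continue;   // no RefId, so there is no role name to build
        }
        roleName = "BR_STAFF " + refId;

        // Find the enabled business role with that name
        Bundle bundle = context.getUniqueObject(Bundle.class,
            Filter.and(
                Filter.eq("name", roleName),
                Filter.eq("type", "business"),
                Filter.eq("disabled", false)
            )
        );

        if (bundle != null) {
            bundle.setDisabled(true);
            context.saveObject(bundle);
        }
    }

    // Persist all changes
    context.commitTransaction();
}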
2 Likes

Hi @KaranGulati025

I have two suggestions for you:

Option 1:

Create an extended attribute called “disabled” in the ManagedAttribute.
Populate this attribute during group aggregation using a group refresh rule based on the object attribute ‘Status’.
Schedule a rule runner task to fetch the status information from ManagedAttribute and update the role accordingly.

Option 2:

Schedule a rule runner task to fetch details from the ManagedAttribute class.
Update the role based on the fetched details.
Below is a sample code snippet that considers just one entitlement and updates a role accordingly. I have attached a copy of it. You can enhance it as needed. Try executing it in the debug page once.
SampleRule.xml (893 Bytes)

1 Like

Hi @Arun-Kumar and @Arpitha1,

Thank you for your prompt reply.

@Arun-Kumar, for the query options you have used:

QueryOptions qp = new QueryOptions();
qp.addFilter(Filter.eq("status", "inactive"));
qp.setCloneResults(true); 

Can I also add a filter for the application? I want managedAttributes (entitlements) from a particular application, or can I add a filter to the bundle for the application to search?

@Arpitha1, thank you for providing me with options. I will most likely go ahead with option 2 (using a rule via a task). Your rule works for one entitlement, but I want to disable roles for one particular application which has multiple entitlements attached to multiple roles.
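
An added example, not part of the thread or of any poster's code: a BeanShell rule body for a rule runner task that scopes the search to one application and disables the matching role for every Inactive group. It assumes the application name XYZ, the group attributes Status and RefID, and the role name pattern BR_STAFF followed by the RefID, all taken from the question; Status is read from each group's attribute map, so it does not need to be a searchable extended attribute.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Assumptions taken from the question: application "XYZ", group
// attributes "Status" and "RefID", role name "BR_STAFF <RefID>".
String appName = "XYZ";
List disabledRoles = new ArrayList();

// Only entitlements that belong to this application are returned.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", appName));
qo.setCloneResults(true);

Iterator it = context.search(ManagedAttribute.class, qo);
try {
    while (it.hasNext()) {
        ManagedAttribute group = (ManagedAttribute) it.next();
        Object status = group.getAttribute("Status");
        Object refId = group.getAttribute("RefID");

        // Skip groups with no RefID or with any status other than Inactive.
        if (status == null || refId == null) continue;
        if (!"Inactive".equalsIgnoreCase(status.toString().trim())) continue;

        String roleName = "BR_STAFF " + refId.toString().trim();
        Bundle role = context.getObjectByName(Bundle.class, roleName);

        // Touch only roles that exist and are still enabled.
        if (role != null && !role.isDisabled()) {
            role.setDisabled(true);
            context.saveObject(role);
            disabledRoles.add(roleName);
        }
    }
    context.commitTransaction();
} finally {
    Util.flushIteration(it);   // release the cursor even if the loop fails
}

// Role names changed in this run, kept as a record for the task result.
return disabledRoles;
```

The returned list gives reviewers a record of which roles the run disabled; running it against a test application first shows whether the Status and RefID keys match what aggregation stores.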