How to check if a user is part of a role or access profile in a before provisioning rule?

I have a requirement to check if a user is part of a role or access profile. I have to use this in a before provisioning rule. Basically, I get the request's uid from the plan, and then I need to check that the user is part of a particular role or access profile, and only then perform the disablement operation.

Check this link:
Java Docs | SailPoint Developer Community
It has all the methods. The one you are looking for is probably under the Identity object.

This is possible only if I am using sailpoint.object.identity.
As I have the uid with me, I first have to get the identity object. As I can't use the context object, I have to use the IdnRuleUtil class and its method idn.findIdentiesBySearchableIdentityAttribute(), which returns an identity list. That list is of type sailpoint.rule.identity, and I can't see any method to get roles under this package.

Have you tried plan.getIdentity()?
In Before Provisioning this will get you the identity which is being provisioned.

Already using it, but that will be the identity of a user, and I need to do checks for the action taken by the requester for an identity. So, from the plan I get the requestor information and then perform checks.

Food for thought:

sailpoint.rule.Identity has a getId() method that returns the internal unique identifier.

You can send an API request to v3/roles/:roleID/assigned-identities to check if the above ID is present in the List returned. However, this is not available for Access Profiles, and you may create some Roles just for this purpose.

Do you mean to use this endpoint in the rule? If not, why do I need a manual action?
I want to do it all in the before provisioning rule.
Let me rephrase my requirements.
If the requester that I get from the plan performs some action on an account, then do something.
Here I have to check if the requestor is part of a role or not.
The requestor is the one who is doing the enable/disable operation on an account; it could be the system or a person.

That’s right. And if you are not able to cancel the operation in the BeforeProv rule for any reason, then you can add a flag as an argument to the plan that will let BeforeOperation know that the operation should be cancelled and the result set as FAILED.
