How to deal with sticky entitlements on single-value sources?

Hello,

I’m having a problem in a single-value entitlement source.
When a user who already has an entitlement requests another one, it should replace the one he already has, but INow doesn’t seem to understand that. It keeps on assigning the old profile to the user, even though he should only keep the new one.
I found this issue saying that we can revoke the old one when the new one is requested in a before provisioning rule, they even provided the code to do that:

AttributeRequest attrRequest = new AttributeRequest(entName, ProvisioningPlan.Operation.Remove, ent);
attrRequest.put("assignment", true);
accRequest.add(attrRequest);

My question is, what’s that accRequest object? Do I have an instance of that when the rule runs or do I have to create one? If so, where do I return it?

If someone has been through a similar problem and can help, I’ll be very glad.

Thanks for your time.

Hi @lgcastro,

Welcome to the SailPoint Developer Community!

An account request is an event or operation on an account/object like create, modify, enable, disable etc. It is denoted as accRequest in a provisioning plan.
An attribute request is an event on a particular attribute of an account. For example, adding/removing entitlements, or any other attribute of an account.

Using Before provisioning rule, we can modify the provisioning plan and add/modify/remove account requests and attribute requests to the original plan before it is committed to the source, so that we can achieve our desired results.

If you have an Active Directory Source, you can see the provisioning plan XML in the IQService logs. You can also see it in a non-XML format in the event logs in Search. An example is below:

<ProvisioningPlan nativeIdentity="XXXXXX" targetIntegration="Source Name [source]">
  <AccountRequest application="Source Name [source]" nativeIdentity="XXXXXX" op="Modify" targetIntegration="Source Name [source]">
    <AttributeRequest name="memberOf" op="Remove">
      <ProvisioningResult status="committed"/>
      <Value>
        <List>
          <String>ABCD</String>
          <String>EFGH</String>
        </List>
      </Value>
    </AttributeRequest>
  </AccountRequest>
</ProvisioningPlan>

Feel free to check the Developer community blogs, Knowledge base and discussions. You can find a lot of examples of plan and rules in the community.

Thanks
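As an added illustration of the answer above (example code, not from this thread or from SailPoint), here is a BeanShell before-provisioning rule body showing where `accRequest` comes from: it is each `AccountRequest` already present in the incoming `plan`, so you add the Remove to it rather than returning a new object. It assumes the rule receives the usual `plan`, `application`, `identity` and `log` inputs (an assumption) and a hypothetical single-valued entitlement attribute named `profile`.

```java
import java.util.List;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumed rule inputs: plan, application, identity, log.
// Hypothetical name of the single-valued entitlement attribute on this source.
String entName = "profile";

// Unwrap a possibly list-valued attribute to its first element as a String.
String firstValue(Object v) {
    if (v instanceof List) {
        v = ((List) v).isEmpty() ? null : ((List) v).get(0);
    }
    return (v == null) ? null : v.toString();
}

// Current value of the attribute on the user's existing account on this source, if any.
String currentValue = null;
List links = identity.getLinks(application);
if (links != null && !links.isEmpty()) {
    currentValue = firstValue(((Link) links.get(0)).getAttribute(entName));
}

List accountRequests = plan.getAccountRequests();
if (currentValue != null && accountRequests != null) {
    for (AccountRequest accRequest : accountRequests) {
        List attrRequests = accRequest.getAttributeRequests();
        if (attrRequests == null) continue;
        String newValue = null;
        boolean alreadyRemoved = false;
        for (AttributeRequest ar : attrRequests) {
            if (!entName.equals(ar.getName())) continue;
            if (ProvisioningPlan.Operation.Add.equals(ar.getOperation())) {
                newValue = firstValue(ar.getValue());
            } else if (ProvisioningPlan.Operation.Remove.equals(ar.getOperation())
                       && currentValue.equals(firstValue(ar.getValue()))) {
                alreadyRemoved = true;
            }
        }
        // Only act when a different value is being added and the old one is not already being removed.
        if (newValue != null && !newValue.equals(currentValue) && !alreadyRemoved) {
            AttributeRequest removeOld = new AttributeRequest(entName, ProvisioningPlan.Operation.Remove, currentValue);
            removeOld.put("assignment", true); // also drop the governance assignment, as in the thread's snippet
            accRequest.add(removeOld);         // attach to the existing account request; nothing is returned
            log.info("Replacing " + currentValue + " with " + newValue + " on " + accRequest.getNativeIdentity());
        }
    }
}
```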

Hello Mohammed!

What I want is to remove a user’s entitlement in the before operation rule, but it’s a Web Services integration. Is that possible?

Thanks.

You can use a Web Services Before Operation Rule to modify the provisioning process to either change the body of the request to add only the new entitlement or to change the request to replace the existing entitlement based on the API specifications for your application.

Check here for more information about Web Services rules:

If the user has requested the original access through a role or directly requesting the original entitlement, you will need to also remove the original access. You can do this by submitting a request to the ISC API.

See this documentation to remove the original access:

Hi @lgcastro ,

Yes, it is possible. You can use a Before Operation Rule, as mentioned by @agutschow.

Thanks

I will try to do as you said.
Thank you very much @agutschow and @mohammedfavazhrb.
