How to find a way to remove orphaned entitlements from identities that are associated with application "Active Directory"

Which IIQ version are you inquiring about?

Ans: 8.4p2

Share all details about your problem, including any error messages you may have received.

Ans: Description: AD groups were removed from the AD app and no longer show in the entitlement catalog. On Identity Profiles the AD groups are still showing. When selecting the AD group on the identity profile it says “unable to find any additional information for this account group”.

I.e.: no one should have any entitlement from the “Active Directory” application that has OU=Regulatory Security Group in the name. All of these would be orphaned.

We ran the refresh identity cube task for those users with the available and known options enabled.

How to find a way to remove orphaned entitlements from identities that are associated with application “Active Directory”.

It’s likely showing that message because there’s no managed attribute or entitlement present in the entitlement catalog. Did you have the “Promote Managed Attribute” option enabled in your Identity Refresh task?

Hi Sunny,

No, we have not enabled that option. Actually, the clients want to delete those orphaned AD groups from the users' profiles.

Check in the debug page for the identities of this type and see if any AttributeAssignment tag is present with the orphaned entitlement name.

Hi Manish,

None of the orphaned entitlements are showing with an AttributeAssignment tag.

Can you share one of the affected Identity XMLs and the name of the orphaned entitlement?

I have also experienced this problem in one of my projects. What I did at that time was write a method to clear those orphaned entitlements from the user profile.

Share both pieces of data I have requested; it will be easier for me to provide you a way to achieve this.

Hi Manish,

Sorry. I am not able to add/attach identity.xml.

Can you send me the rule so that I can try it from my end and let you know?

Send me the file in the direct chat. There you will be able to share it. I need to check the identity object; if some changes are needed in the method, I need to make them.

Hi Manish,

I was not able to attach identity.xml either, but I have pasted it with limited data related to AD.

Orphaned Entitlements:

CN=ACAS_Server_Admin_Prod,OU=Regulatory Security Groups,OU=Groups,DC=TEST,DC=com
CN=AssurX Change Management Module,OU=Regulatory Security Groups,OU=Groups,DC=TEST,DC=com
CN=BSC BSCShare CIP OPS CIR RW,OU=Regulatory Security Groups,OU=Groups,DC=TEST,DC=com
CN=BSC BSCShare CIP_Software_Updates RW,OU=Regulatory Security Groups,OU=Groups,DC=TEST,DC=com
CN=BSC JRA EXC Inq Only,OU=Disabled Inactive Groups,DC=TEST,DC=com

Identity.xml:

<?xml version='1.0' encoding='UTF-8'?>
119133 119133 119133
CN=NINA - Non Represented-2,OU=Automated Groups,OU=Distributions Groups,OU=Exchange Objects,DC=TEST,DC=com
CN=Apollo Business Users Exc Only,OU=Distributions Groups,OU=Exchange Objects,DC=TEST,DC=com
CN=Isp Firewall Stakeholders,OU=Distributions Groups,OU=Exchange Objects,DC=TEST,DC=com
CN=JPG_All,OU=Automated Groups,OU=Distributions Groups,OU=Exchange Objects,DC=TEST,DC=com
CN=KeyFactor_Implementation_OfficeHours,OU=Distributions Groups,OU=Exchange Objects,DC=TEST,DC=com
CN=WHFB Production,OU=BSC,OU=Security,OU=Groups,DC=TEST,DC=com
CN=ACAS_Server_Admin_Prod,OU=Regulatory Security Groups,OU=Groups,DC=TEST,DC=com
CN=BSC JRA EXC Inq Only,OU=Disabled Inactive Groups,DC=TEST,DC=com
CN=AMP FlatFile Access RW - Non Prod,OU=BSC,OU=Security,OU=Groups,DC=TEST,DC=com
CN=EWS IGAFLATFILE RW,OU=EWS,OU=File Share,OU=Groups,DC=TEST,DC=com
Normal User Account
CN=NINA - Non Represented-2,OU=Automated Groups,OU=Distributions Groups,OU=Exchange Objects,DC=TEST,DC=com
CN=BSC JRA EXC Inq Only,OU=Disabled Inactive Groups,DC=TEST,DC=com
CN=ACAS_Server_Admin_Prod,OU=Regulatory Security Groups,OU=Groups,DC=TEST,DC=com

Let me check. I have pinged you in chat. See if it can be pasted in the chat.

There also I am not able to send it, due to company restrictions.

Okay, got it. Then explain to me through the UI on which pages you are seeing the orphaned entitlements.

If we open the identity, the Entitlements and Application Accounts tabs contain the orphaned entitlements.

Hi Manish,

Can I get any update?

Hi @sivanagi_reddy

Use the method below to remove the entitlements from the Entitlements page of the user. The code below only removes the entitlement from IIQ; it won’t connect to the target application.

import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

public class OrphanedEntitlementCleaner {

    private static final Logger logger = LogManager.getLogger(OrphanedEntitlementCleaner.class);
    private final SailPointContext context;

    public OrphanedEntitlementCleaner(SailPointContext context) {
        this.context = context;
    }

    /**
     * Removes the given orphaned entitlement values from the identity's account in IIQ only.
     * The plan is run as a local update, so no connector call is made to the target application.
     *
     * @param samAccountName name of the Identity (also used here as the account's native identity)
     * @param appName        name of the Application, e.g. "Active Directory"
     * @param listOfOrphEnt  entitlement values (group DNs) to remove
     * @return "success" when the plan executed, otherwise "failure"
     */
    public String removeEntFromIIQ(String samAccountName, String appName, List<String> listOfOrphEnt) {
        logger.info("Entering method removeEntFromIIQ");
        String isSuccess = "failure";
        // Entitlement attribute of the application. "capability" as originally posted;
        // for the AD connector the group attribute is "memberOf".
        String entAttr = "capability";

        try {
            Identity idn = context.getObjectByName(Identity.class, samAccountName);
            if (idn == null) {
                logger.error("No identity found with name " + samAccountName);
                return isSuccess;
            }
            if (listOfOrphEnt == null || listOfOrphEnt.isEmpty()) {
                logger.warn("No orphaned entitlements supplied for " + samAccountName);
                return isSuccess;
            }

            ProvisioningPlan plan = new ProvisioningPlan();
            AccountRequest accRequest = new AccountRequest();
            accRequest.setApplication(appName);
            accRequest.setOperation(AccountRequest.Operation.Modify);
            // Must match the Link's native identity; for the AD connector that is the
            // account DN rather than the sAMAccountName.
            accRequest.setNativeIdentity(samAccountName);

            for (String adGroup : listOfOrphEnt) {
                accRequest.add(new AttributeRequest(entAttr, ProvisioningPlan.Operation.Remove, adGroup));
            }

            plan.add(accRequest);
            plan.setIdentity(idn);

            Provisioner provisioner = new Provisioner(context);
            provisioner.setLocalUpdate(true); // update the IIQ Link only, never the connector
            provisioner.compile(plan);
            provisioner.execute(plan);
            isSuccess = "success";
        } catch (Exception ex) {
            logger.error("Exception occurred while removing entitlements: " + ex.getMessage(), ex);
        }
        logger.info("Exiting method removeEntFromIIQ");
        return isSuccess;
    }
}

This method is tested in my local env and it did remove the entitlements from IIQ.

Hi Manish,

Thanks for sharing the code. Will test it.

@sivanagi_reddy

Did this work to remove the orphaned entitlements from the identity?

Hi Manish,

I have modified the method as per my requirement and it is removing the orphaned entitlements, but when the AD account aggregation task runs, the removed orphaned entitlements are added back.
We checked with the AD team and they confirmed that those users still exist in the respective groups (orphaned groups).

In the customization rule, check the resource object; if your orphaned entitlements are showing up, remove them from the resource object and then return the resource object after removing the orphaned entitlements.
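As an added example of the approach just described (not the poster's code), a Customization rule in BeanShell that strips the orphaned groups from the ResourceObject before IIQ correlates it during AD aggregation. It assumes the AD connector's group attribute is memberOf, that the rule receives IIQ's standard object and log arguments, and that the orphaned groups are identified by the two parent OUs named in this thread.

```java
// Customization rule source (BeanShell). IIQ passes in: object (ResourceObject),
// application, connector, state, context, log. Added example, not the poster's code.
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import sailpoint.object.ResourceObject;

// Assumption: the AD connector exposes group membership in "memberOf".
String GROUP_ATTR = "memberOf";
// Assumption: a group is orphaned when it sits under one of these OUs (both appear in the thread).
String[] orphanedOus = { "OU=Regulatory Security Groups", "OU=Disabled Inactive Groups" };

// True when one RDN of the DN equals an orphaned OU (case-insensitive, whole RDN only,
// so "OU=Regulatory Security Groups2" would not match). Escaped commas in a CN split
// into extra fragments, but those fragments can never equal an OU string.
boolean isOrphaned(String dn) {
    if (dn == null) return false;
    String[] rdns = dn.split(",");
    for (int i = 0; i < rdns.length; i++) {
        String rdn = rdns[i].trim();
        for (int j = 0; j < orphanedOus.length; j++) {
            if (rdn.equalsIgnoreCase(orphanedOus[j])) return true;
        }
    }
    return false;
}

Object raw = object.getAttribute(GROUP_ATTR);
if (raw != null) {
    // A single-valued attribute arrives as a String, multi-valued as a List.
    List groups = (raw instanceof List) ? (List) raw : Collections.singletonList(raw);
    List kept = new ArrayList();
    List dropped = new ArrayList();
    for (Object g : groups) {
        String dn = String.valueOf(g);
        if (isOrphaned(dn)) dropped.add(dn); else kept.add(dn);
    }
    if (!dropped.isEmpty()) {
        // Log what was filtered so the aggregation output stays auditable.
        log.info("Customization rule dropped orphaned groups for " + object.getIdentity() + ": " + dropped);
        object.setAttribute(GROUP_ATTR, kept);
    }
}
return object;
```

This only hides the membership from IIQ on each aggregation; as the AD team confirmed, the users are still members of those groups in AD, so the membership itself still has to be cleaned up there.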