How To Get Account Link Groups Using BeanShell Script

Hello Developers,
Hope Everyone well.
I have a requirement in my local machine, how to get Account(Link) groups in the form.
Because I’m building Modify Workflow for Windows Local application connector.
For that, I need to get remove ManagedAttribute in the form dynamically.
When I choose Identity in the first option then the second option gets dynamically.
Can anyone help me with this and pls provide a snippet of code.

I’m attaching a screenshot for better clarification.

Topic on IIQ Forum Link
Any help appreciated.
Rakesh Vadnala

Hey @rakesh Thanks for posting in the developer forum.

I am asking around internally to see if anyone knows the answer to your question. Please hang tight while we look into this matter for you.

@michael.ellis thanks for your reply.

@rakesh, Have you had a chance to look at the BeanShell Developer’s Guide for IdentityIQ? There is some helpful information in that document.

Hi @rakesh, You may be able to achieve this by simply using the OOTB Access Request feature. Is there any specific reason you want to build custom form for it? Out of the Box Access Request feature will allow you to Add new access as well as revoke existing access.

Also, Have you looked at the PS offering of Group Management? Please see if you can utilize it.

Hello @nihar.dhruva,
Thanks for your reply.
In the form, I’m choosing identity as the first variable column.
In the second column, Then I want to get identity entitlements or groups which are linked with that identity from the WindowsLocal application.
I want to retrieve identity(account) groups dynamically in the form.

Can you please provide me how to achieve this with the BeanShell script?


Hi @rakesh

You could use a rule to get the list of values. For Windows Local the groups attribute on the Link holds the list of group names that the account is a member of. In this code I’ve assumed your Windows application is called “Windows Local” and that there is only one Windows account per identity. You can modify the code if there can be more than one, but you would probably want a dropdown in the form to specify the account if that is the case.

  import sailpoint.api.IdentityService;
  import sailpoint.object.Application;
  import sailpoint.object.Identity;
  import sailpoint.object.Link;
  String appName = "Windows Local";

  List groups = new ArrayList();
  Application app = context.getObjectByName(Application.class, appName);
  IdentityService identityService = new IdentityService(context);
  List windowsLinks = identityService.getLinks(identity, app);

  if (null != windowsLinks && !windowsLinks.isEmpty()) {
    Link link = windowsLinks.get(0); // Assuming only one account
    groups = link.getAttribute("groups");

  return groups;

HI @paulwheeler ,
I appreciate for your helping.
I have a doubt in the snippet of code.
So, here what is identity here.
Should i replace identity with my form Identity variable??

Hi @rakesh

The identity needs to be the identity you have selected in the first field. So you need to take the identity variable from your field and reference it in the code. Depending on how that comes back you may need to use context.getObjectByName or context.getObjectById to get the identity object from the name or id.


1 Like

Thank you so much @paulwheeler