How to Remove AttributeAssignments using a RunRule

Hi,

We have a use case where we need to remove an AttributeAssignment from an identity using a RunRule task. We have implemented the logic, but we are facing issues retrieving the user identity. Can anyone suggest an approach for removing attributeAssignments for a specific application or for all applications?

We were able to achieve this use case using a PreRefresh rule and it is working as expected, but we need to implement it through a RunRule.

Thanks,
Vinay

Hi @vinaygopal221 ,

Please refer to the code below to remove the attributeAssignment for a specific application.

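import java.util.Iterator;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.AttributeAssignment;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;

// Select every identity that has an account on the "AD" application
QueryOptions qp = new QueryOptions();
qp.add(Filter.eq("links.application.name", "AD"));
qp.setCloneResults(true);

Iterator it = context.search(Identity.class, qp);
while (it.hasNext()) {
    Identity id = (Identity) it.next();
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(id);
    List ents = id.getAttributeAssignments();
    if (ents != null) {
        for (AttributeAssignment attass : ents) {
            // Null-safe comparison on the assignment's application name
            if ("AD".equalsIgnoreCase(attass.getApplicationName())) {
                AccountRequest accReq = new AccountRequest();
                accReq.setApplication(attass.getApplicationName());
                accReq.setNativeIdentity(attass.getNativeIdentity());
                accReq.setOp(ProvisioningPlan.ObjectOperation.Modify);
                // One Remove request per assignment, flagged as an assignment
                AttributeRequest attReqEntAss = new AttributeRequest();
                attReqEntAss.setName(attass.getName());
                attReqEntAss.setValue(attass.getValue());
                attReqEntAss.put("assignment", "true");
                attReqEntAss.setOp(ProvisioningPlan.Operation.Remove);
                accReq.add(attReqEntAss);
                plan.add(accReq);
            }
        }
    }
    Provisioner provisioner = new Provisioner(context);
    try {
        provisioner.execute(plan);
    } catch (Exception e) {
        log.error("Could not provision", e);
    }
}
return "success";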

Thank you @Arun-Kumar for your response.

We have executed the code mentioned above, but we are facing an issue with removing the attributeAssignment group. It is currently removing the required group from the user’s application link, but our requirement is to remove only the attributeAssignments entry from the identity.xml file.

Example:

We have a group named ABC group.

In the user’s identity.xml file, the attributeAssignments include: ABC group, AED group.
In the user’s identity cube for the particular application link, the groups are: ABC group, CCE group.

In this case, we need to remove only the ABC group from the attributeAssignments entry in the identity.xml file, and it needs to be available in the user’s identity application link.

And additionally, we need the list of identity names for which the attributeAssignments removal was performed to be displayed in the task results.
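An added example, not code from any post in this thread: a BeanShell rule body for the requirement described above, which rewrites the identity's AttributeAssignment list directly instead of building a ProvisioningPlan and returns the affected identity names. It assumes the rule runs with the usual `context` variable, that the string a Run Rule task returns is what appears in the task result, and that "AD" and "ABC group" (both taken from the thread) are the application and value to match.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.AttributeAssignment;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;

// Assumed inputs, taken from the example in the thread
String targetApp = "AD";
String targetValue = "ABC group";

// Collect identity names first so no search cursor is open while committing
QueryOptions qo = new QueryOptions();
qo.add(Filter.eq("links.application.name", targetApp));
qo.setDistinct(true);
List names = new ArrayList();
Iterator rows = context.search(Identity.class, qo, "name");
while (rows.hasNext()) {
    Object[] row = (Object[]) rows.next();
    names.add((String) row[0]);
}

List changed = new ArrayList();
for (String name : names) {
    Identity identity = context.getObjectByName(Identity.class, name);
    if (identity == null || identity.getAttributeAssignments() == null) continue;

    // Keep every assignment except the targeted application/value pair
    List kept = new ArrayList();
    boolean removed = false;
    for (AttributeAssignment aa : identity.getAttributeAssignments()) {
        boolean match = targetApp.equalsIgnoreCase(aa.getApplicationName())
                && targetValue.equals(String.valueOf(aa.getValue()));
        if (match) { removed = true; } else { kept.add(aa); }
    }
    if (removed) {
        // No ProvisioningPlan is built here, so no request goes to the application
        identity.setAttributeAssignments(kept);
        context.saveObject(identity);
        context.commitTransaction();
        changed.add(name);
    }
    context.decache(identity);
}
// Returned string lists the identities whose assignment entry was removed
return "Removed assignment from " + changed.size() + " identities: " + changed;
```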

Have you tried with a batchrequest?

Check this out: Ungluing Sticky AttributeAssignments

Hi @mathieug,
Yes, we tried the batch request. When we run the Batchrequest file, it adds some entitlements as attributeAssignments. We need to remove those attributeAssignments from the identity.xml file through the Runrule task.

Hi @kalyan_dev32 ,
We were able to achieve this use case using a PreRefresh rule, and it is removing attributeAssignments. However, we need to implement it through a standalone RunRule.

I discovered that I have the same need; I’m looking into it to find a solution.
