Hi Team,
How can we remove bundles that are associated with admin accounts only? Could anyone suggest?
Hi @Suresh08, if you want to remove bundles that are associated only with admin accounts, there are a few approaches depending on how those bundles were assigned.
If the bundles are directly assigned to the admin identity
You can simply remove them through Manage User Access / Remove Access. IIQ will then trigger the corresponding de-provisioning based on the role configuration.
If the bundles are assigned through a Birthright or Business Role
You will need to update the role assignment rule that grants the bundle to admin accounts. Once the condition no longer matches, IIQ will automatically remove the role during the next Identity Refresh.
If you want to remove bundles only for Admin-type accounts
A common approach is to run an Identity Refresh with role re-evaluation after modifying the role assignment rule that checks identities with admin accounts and removes the associated bundles.
Thanks,
Raju
@Suresh08 Could you please share more details? In what scenarios do you want to remove them: via access request, during termination or suspension, or some other case?
Yeah, correct. Just share more details and your requirements.
Hi @Suresh08 ,
You can remove bundles from admin accounts after disabling them by using a Lifecycle Event rule or custom workflow in SailPoint IdentityIQ.
First, identify the admin accounts (for example using an attribute like accountType = Admin). After the account is disabled, run a rule that checks the identity’s assigned bundles and removes them.
Example logic:
Detect if the account status is Disabled.
Check if the account belongs to Admin type.
Fetch assigned bundles using identity.getBundles().
Remove the required bundles using a ProvisioningPlan.
This way bundles will only be removed after the admin account is disabled.
Hi,
We want to remove bundles after the admin account is disabled. We are running a custom task that currently removes only entitlements. Can we remove the bundles associated with the admin account only?
Can anyone help me on this?
Yes. There are a few options:
You need to make sure to set the nativeIdentity of the admin account on the account requests to let IIQ know on which account you are performing these operations.
Please let us know if you need any help with modifying the plan.
You are using a task to remove entitlements. Is it possible to share it here? We may be able to add additional logic to remove roles as well.
This is my method:
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.api.SailPointFactory;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.tools.GeneralException;

// "log" is the task/rule logger already in scope.
public ProvisioningPlan buildAdminAccountRoleRemoveAccessPlan(String identityName) throws GeneralException {
    ProvisioningPlan plan = new ProvisioningPlan();
    SailPointContext context = SailPointFactory.getCurrentContext();
    try {
        Identity identity = context.getObjectByName(Identity.class, identityName);
        if (identity != null) {   // was "Identity != null", which names the class, not the variable
            plan.setIdentity(identity);
            // Role removals go on an account request against the IIQ application; a bare
            // AttributeRequest cannot be added straight to the plan.
            ProvisioningPlan.AccountRequest iiqReq = new ProvisioningPlan.AccountRequest();
            iiqReq.setApplication(ProvisioningPlan.APP_IIQ);
            iiqReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
            iiqReq.setNativeIdentity(identity.getName());
            // getAssignedRoles() holds the assigned roles that "assignedRoles" removals act on;
            // getBundles() holds detected roles, which are not removed this way.
            List bundles = identity.getAssignedRoles();
            if (bundles != null && !bundles.isEmpty()) {
                for (Object obj : bundles) {
                    Bundle bundle = (Bundle) obj;
                    ProvisioningPlan.AttributeRequest attrReq = new ProvisioningPlan.AttributeRequest(
                            ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES, ProvisioningPlan.Operation.Remove,
                            bundle.getName());   // getName() is a method call, not a field
                    iiqReq.add(attrReq);
                }
                plan.add(iiqReq);
            }
        }
    } catch (Exception e) {
        log.error("Error while removing admin bundles", e);
        throw new GeneralException(e);
    }
    log.trace("Exit buildAdminAccountRoleRemoveAccessPlan");
    return plan;
}
I am calling my method here:
int days = -7;
if (config != null) {
    String daysStr = Util.getString(config, "days");   // straight quotes; curly quotes do not compile
    days = Util.atoi(daysStr);
}
logger.debug("days:" + days);
try {
    List userAndAccountsList = getExpiredAdminAccounts(days, true);
    logger.debug("Size: " + Util.size(userAndAccountsList));
    logger.debug("userAndAccountsList: " + userAndAccountsList);
    for (String userAndAccount : Util.iterate(userAndAccountsList)) {
        logger.debug("userAndAccount:" + userAndAccount);
        String[] tmpArr = Util.csvToArray(userAndAccount);   // csvToArray returns String[], not String
        if (tmpArr == null || tmpArr.length < 2) {
            logger.warn("invalid entry: " + userAndAccount);
            continue;
        }
        String identityName = tmpArr[0];
        String userDn = tmpArr[1];
        Filter displayNameFilter = Filter.ignoreCase(Filter.and(
                Filter.eq("application.name", AD_APP_NAME),
                Filter.eq("nativeIdentity", userDn)));
        String adminAccountName = ObjectUtil.getStringPropertyFromObject(displayNameFilter, "displayName",
                context, Link.class);
        // entitlement removals for the admin account (built elsewhere in this task)
        ProvisioningPlan plan = buildAdminAccountRemoveAccessPlan(identityName, userDn);
        // role removals for the same identity
        ProvisioningPlan removeAdminPlan = buildAdminAccountRoleRemoveAccessPlan(identityName);
        if (plan != null && removeAdminPlan != null) {
            plan.addAll(removeAdminPlan.getRequests());
        }
        // the merged plan is compiled and executed by the rest of the task
    }
} catch (GeneralException e) {
    logger.error("Error processing expired admin accounts", e);
}
@Suresh08 If you want to remove the roles associated with admin accounts, you need to query the IdentityEntitlement first and get the entitlements which are assigned via roles to the admin account. (Note: Roles are mapped to identity object, so you need to query entitlement first to determine the roles associated with admin accounts). Then you can remove the roles.
In this method (buildAdminAccountRemoveAccessPlan) I am removing admin entitlements. Could you please give me sample code to remove bundles, if that is possible?
@Suresh08 Here is sample code to get the roles associated with admin accounts:
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Attributes;
import sailpoint.object.Filter;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.QueryOptions;

// Returns the values of sourceAssignableRoles for entitlements on the given account that were
// granted by a role. "context" and "log" are the rule/task context and logger already in scope.
public List getRoleAssignedEntitlements(String identityName, String nativeIdentity) {
    List entList = new ArrayList();
    try {
        QueryOptions qo = new QueryOptions();
        qo.addFilter(Filter.eq("identity.name", identityName));   // straight quotes; curly quotes do not compile
        qo.addFilter(Filter.eq("nativeIdentity", nativeIdentity));
        qo.addFilter(Filter.eq("grantedByRole", true));
        // projection query: each row is an Object[] holding the requested properties
        Iterator listItr = context.search(IdentityEntitlement.class, qo, "attributes");
        while (listItr.hasNext()) {
            Object[] dataArr = (Object[]) listItr.next();
            Attributes attr = (Attributes) dataArr[0];
            if (attr != null) {
                entList.add(attr.get("sourceAssignableRoles"));
            }
        }
    } catch (Exception e) {
        log.error("Error retrieving role-assigned entitlements for " + identityName + ": " + e.getMessage());
    }
    return entList;
}

// usage, with a sample identity and account name
return getRoleAssignedEntitlements("Mary.Johnson", "Mary.Johnson");
If you need to deal with entitlements, please adjust the filters accordingly.
Note: Found a fix? Help the community by marking the comment as solution. Feel free to react with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.
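Putting the pieces of this thread together (the "detect disabled, check admin type, fetch roles, remove via ProvisioningPlan" steps from the earlier reply, the advice to set nativeIdentity on the account request, and the IdentityEntitlement lookup above), here is a complete worked example. It is added here as an illustration and is not code from anyone in this thread or from SailPoint. It is written as plain Java that also runs inside a Beanshell rule or task (raw collections, explicit casts). Assumptions: the admin account is identified by a Link attribute named accountType with value Admin (the attribute name used in the earlier reply; adjust it to your application schema), sourceAssignableRoles is stored either as a CSV string or as a list of role names, and the caller supplies the SailPointContext, the application name and the account's nativeIdentity.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Attributes;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Steps 1-2: the admin account (Link) on appName, returned only if it is disabled and of admin type.
// accountType = "Admin" is an assumed attribute/value; adjust to the application schema.
public Link findDisabledAdminLink(SailPointContext context, Identity identity,
                                  String appName, String nativeIdentity) throws GeneralException {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("identity", identity));
    qo.addFilter(Filter.eq("application.name", appName));
    qo.addFilter(Filter.eq("nativeIdentity", nativeIdentity));
    List links = context.getObjects(Link.class, qo);
    if (Util.isEmpty(links)) {
        return null;
    }
    Link link = (Link) links.get(0);
    boolean isAdmin = "Admin".equalsIgnoreCase(Util.otoa(link.getAttribute("accountType")));
    return (link.isDisabled() && isAdmin) ? link : null;
}

// Step 3: roles that granted entitlements on that account. Roles are held on the Identity, so the
// account-to-role mapping comes from IdentityEntitlement rows with grantedByRole = true.
public List rolesGrantingAccessOnAccount(SailPointContext context, Link adminLink) throws GeneralException {
    List roleNames = new ArrayList();
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("identity", adminLink.getIdentity()));
    qo.addFilter(Filter.eq("application", adminLink.getApplication()));
    qo.addFilter(Filter.eq("nativeIdentity", adminLink.getNativeIdentity()));
    qo.addFilter(Filter.eq("grantedByRole", true));
    Iterator rows = context.search(IdentityEntitlement.class, qo, "attributes");
    while (rows.hasNext()) {
        Attributes attrs = (Attributes) ((Object[]) rows.next())[0];
        Object src = (attrs == null) ? null : attrs.get("sourceAssignableRoles");
        // assumption: the value is either a CSV string or a list of role names
        List names = (src instanceof String) ? Util.csvToList((String) src) : Util.asList(src);
        for (Object name : Util.iterate(names)) {
            if (name != null && !roleNames.contains(name)) {
                roleNames.add(name);
            }
        }
    }
    return roleNames;
}

// Step 4: a plan that removes only those roles, and only ones actually assigned (detected roles
// cannot be removed via assignedRoles). The request targets the IIQ application with the identity
// name as nativeIdentity so IIQ knows which object the operation applies to.
public ProvisioningPlan buildRoleRemovalPlan(Identity identity, List roleNames) {
    List assignedNames = new ArrayList();
    for (Object b : Util.iterate(identity.getAssignedRoles())) {
        assignedNames.add(((Bundle) b).getName());
    }
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    ProvisioningPlan.AccountRequest iiqReq = new ProvisioningPlan.AccountRequest();
    iiqReq.setApplication(ProvisioningPlan.APP_IIQ);
    iiqReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
    iiqReq.setNativeIdentity(identity.getName());
    for (Object name : Util.iterate(roleNames)) {
        if (assignedNames.contains(name)) {
            iiqReq.add(new ProvisioningPlan.AttributeRequest(
                    ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES, ProvisioningPlan.Operation.Remove, name));
        }
    }
    if (!Util.isEmpty(iiqReq.getAttributeRequests())) {
        plan.add(iiqReq);
    }
    return plan;
}

// Driver for one (identity, admin account) pair; returns the number of role removals submitted.
public int removeRolesForDisabledAdmin(SailPointContext context, String identityName,
                                       String appName, String nativeIdentity) throws GeneralException {
    Identity identity = context.getObjectByName(Identity.class, identityName);
    Link adminLink = (identity == null) ? null : findDisabledAdminLink(context, identity, appName, nativeIdentity);
    if (adminLink == null) {
        return 0;   // not a disabled admin account: leave the identity's roles alone
    }
    ProvisioningPlan plan = buildRoleRemovalPlan(identity, rolesGrantingAccessOnAccount(context, adminLink));
    if (Util.isEmpty(plan.getAccountRequests())) {
        return 0;
    }
    new Provisioner(context).execute(plan);   // compile and execute; de-provisioning follows the role definitions
    return ((ProvisioningPlan.AccountRequest) plan.getAccountRequests().get(0)).getAttributeRequests().size();
}
```

In the task loop above, removeRolesForDisabledAdmin would be called once per identityName / userDn pair. Because the role list is derived from the entitlements on that one account, roles that the identity holds for other, non-admin accounts are left untouched; if the existing task already builds an entitlement-removal plan, its account requests can be merged into the same plan before the single Provisioner.execute call so that both removals are processed together.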