How to remove detected roles from bulk users in SailPoint

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hi,

We have a requirement to remove detected roles from SailPoint for approx. 400 users. Can you please help with how I can achieve this, as this is on priority. Please provide the complete walkthrough of how we can achieve this in our project.

Regards
Amit

The Detected Role is, as the name (wrongly) says, "I detected that this user has the access contained in this IIQ role".

So when you request the removal of the detected role, it is not going to effectively remove the access, only the "detection".

You can achieve this with custom code: check if the role is detected, then look for the entitlements in it and request the removal of them.

OOTB there's no option, from what I know.

1 Like

As @ipobeidi said, the problem is with the entitlements, not with the roles in the end. The easiest way (but you need to do it role by role)

is to use bulk revoke on entitlements to remove the entitlements matching the role. In the end it is enough if at least one entitlement doesn't match the definition of the IT Role, and it will not be displayed on the list of detected roles anymore.

Details here -

2 Likes

@ayadav_12
Detected roles are nothing but the IT roles. When you say that you have a requirement to remove detected roles from 400 users, do you want to remove only the detected flag, or do you want to remove the whole IT role along with the underlying entitlements (assuming the IT roles have direct entitlements configured)?

Hi @soswain,

I need to remove the detected IT role along with the entitlements under it. Can you please help with this?

Regards
Amit

Hi @ayadav_12,

Please use the sample code below. You may modify it according to your need. "App Name", "entitlementName", "identityName", "ABC" and "XYZ" are placeholders.

import java.util.ArrayList;
import java.util.List;

import sailpoint.api.Identitizer;
import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Attributes;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.GeneralException;

// Removes the listed entitlement values from one identity's account on one application,
// then refreshes the identity so entitlement correlation drops the detected IT role.
void deprovisionRole(SailPointContext context) throws GeneralException
	{
		// Entitlement values that make up the detected IT role
		List entList = new ArrayList();
		entList.add("ABC");
		entList.add("XYZ");

		// The identity whose access is being removed; the plan must name its target identity
		Identity identity = (Identity) context.getObjectByName(Identity.class, "identityName");

		ProvisioningPlan plan = new ProvisioningPlan();
		plan.setIdentity(identity);
		// Modify the existing account. Arguments: operation, application name, instance,
		// native identity of the account on that application (not necessarily the IIQ identity name)
		AccountRequest accountReq = new AccountRequest(
				ProvisioningPlan.AccountRequest.Operation.Modify, "App Name", null, "identityName");
		List attribList = new ArrayList();
		for (Object o : entList)
		{
			String entName = (String) o;
			// "entitlementName" is the entitlement attribute in the application schema (e.g. groups)
			AttributeRequest attribReq = new AttributeRequest("entitlementName",
					ProvisioningPlan.Operation.Remove, entName);
			attribList.add(attribReq);
		}
		accountReq.setAttributeRequests(attribList);
		List acctList = new ArrayList();
		acctList.add(accountReq);

		plan.setAccountRequests(acctList);

		Provisioner prov = new Provisioner(context);
		prov.execute(plan);

		// Identitizer takes an Attributes object; casting a plain HashMap to Attributes fails at runtime
		Attributes args = new Attributes();
		args.put("noRoleDeprovisioning", false);
		args.put("promoteAttributes", true);

		// Add any other attributes of the refresh task; get the names from the debug page
		Identitizer identitizer = new Identitizer(context, args);

		identitizer.refresh(identity);

		context.saveObject(identity);

		context.commitTransaction();
	}

Thanks

Thanks @ashutosh08 ,

Can we have a rule for the role that removes the entitlements falling under it, as there appear to be close to 80 entitlements for one user related to the role? Please help.

Hi @ayadav_12,

The roles that you want to remove are IT Roles (Detected), and so ideally the way will be to remove the entitlements, and then the refresh task will do the rest.

But for this also, if the entitlements have some pattern, like being from the same application or a fixed list, then it is simply an extra step where you can iterate through the identity's links and remove only those which are assigned to the identity.

Let me know if you need help with any specific case.

Thanks
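The custom-code approach that @ipobeidi describes and the link walk suggested in the reply above, written out as an added example for this thread (it is not code from any of the posts or from SailPoint): for one IT role it finds every identity that has the role detected, reads the role's profile filters to learn which entitlement attribute/value pairs make up the role, keeps only the values each identity's account actually holds on the profile's application, and submits one provisioning plan per identity removing them. The method names, the placeholder role name and the handling of OR/NOT branches in profile filters are assumptions; only the public IIQ APIs already used in this thread (Filter, QueryOptions, ProvisioningPlan, Provisioner) are relied on. A subsequent identity refresh with entitlement correlation, as in the earlier reply, clears the detection, and as noted later in the thread the role comes back on refresh if it is still required by an assigned business role.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Filter.CompositeFilter;
import sailpoint.object.Filter.LeafFilter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.Profile;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Added example (hypothetical rule code, not from the thread).
// Collects [attribute, value] pairs from a profile filter. EQ / CONTAINS_ALL / IN leaves name
// the entitlements the role requires; AND and OR composites are walked (for an OR every branch is
// collected, which removes the whole role's access); a NOT branch describes forbidden access, so skip it.
void collectConstraintValues(Filter f, List pairs) {
    if (f instanceof LeafFilter) {
        LeafFilter leaf = (LeafFilter) f;
        Filter.LogicalOperation op = leaf.getOperation();
        if (op == Filter.LogicalOperation.EQ || op == Filter.LogicalOperation.CONTAINS_ALL
                || op == Filter.LogicalOperation.IN) {
            for (Object value : Util.asList(leaf.getValue())) {
                pairs.add(new Object[] { leaf.getProperty(), value });
            }
        }
    } else if (f instanceof CompositeFilter) {
        CompositeFilter comp = (CompositeFilter) f;
        if (comp.getOperation() == Filter.BooleanOperation.NOT) {
            return;
        }
        for (Filter child : Util.safeIterable(comp.getChildren())) {
            collectConstraintValues(child, pairs);
        }
    }
}

// Builds a plan for one identity that removes, per link, only the role's values that link holds.
// Returns null when the identity holds none of the role's entitlements (nothing to provision).
ProvisioningPlan buildRemovalPlan(Identity identity, Bundle role) throws GeneralException {
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    for (Profile profile : Util.safeIterable(role.getProfiles())) {
        Application app = profile.getApplication();
        List pairs = new ArrayList();
        for (Filter f : Util.safeIterable(profile.getConstraints())) {
            collectConstraintValues(f, pairs);
        }
        for (Link link : Util.safeIterable(identity.getLinks(app))) {
            AccountRequest acct = new AccountRequest();
            acct.setApplication(app.getName());
            acct.setInstance(link.getInstance());
            acct.setNativeIdentity(link.getNativeIdentity());
            acct.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
            for (Object o : pairs) {
                Object[] pair = (Object[]) o;
                String attr = (String) pair[0];
                // Only remove what the account actually has; a Remove of a missing value is noise
                if (Util.asList(link.getAttribute(attr)).contains(pair[1])) {
                    acct.add(new AttributeRequest(attr, ProvisioningPlan.Operation.Remove, pair[1]));
                }
            }
            if (!Util.isEmpty(acct.getAttributeRequests())) {
                plan.add(acct);
            }
        }
    }
    return Util.isEmpty(plan.getAccountRequests()) ? null : plan;
}

// Entry point: for the named IT role (roleName is a placeholder), remove its entitlements from
// every identity that has the role detected. Returns the number of plans executed.
int removeDetectedRoleEverywhere(SailPointContext context, String roleName) throws GeneralException {
    Bundle role = context.getObjectByName(Bundle.class, roleName);
    if (role == null) throw new GeneralException("No role named " + roleName);

    // Detected roles live in the identity's "bundles" collection (assigned ones in "assignedRoles")
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.collectionCondition("bundles", Filter.eq("name", roleName)));
    List<String> names = new ArrayList<String>();
    Iterator<Object[]> it = context.search(Identity.class, qo, "name");
    while (it.hasNext()) names.add((String) it.next()[0]);
    Util.flushIterator(it);

    int executed = 0;
    Provisioner provisioner = new Provisioner(context);
    for (String name : names) {
        Identity identity = context.getObjectByName(Identity.class, name);
        ProvisioningPlan plan = buildRemovalPlan(identity, role);
        if (plan != null) {
            provisioner.execute(plan);
            executed++;
        }
        context.decache(identity);   // keep the Hibernate session small across ~400 identities
    }
    return executed;
}
```

Run it once per IT role from a rule or a custom task with the role's name; because the plan only carries values the account really has, a user with 80 matching entitlements gets one Modify request per link listing exactly those 80 values, and a user who has already lost part of the access gets only what remains.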

Am I missing something? Just use the “batch requests” with something like this:

operation,roles,identityName
RemoveRole,ITRole’s actual name,id-username

this should remove the underlying entitlements as well, IF the role is not attached to a business role.

If it is attached to a business role, then the IT role will come back after next refresh.

@pasha you’re correct. But they wanted a dynamic way of removing using the existing “Role” feature.

best

1 Like

@ayadav_12
You can write a rule to do so.

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import sailpoint.api.Provisioner;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

  1. Identify all the users who have that IT role (detected roles are the identity's "bundles" collection).
     Filter f = Filter.collectionCondition("bundles", Filter.eq("name", "<Role name>"));
     Iterator it = context.search(Identity.class, new QueryOptions().addFilter(f), "name");
     // Get the names by iterating the above result
     List userNames = new ArrayList();
     while (it.hasNext()) {
         userNames.add((String) ((Object[]) it.next())[0]);
     }
     Util.flushIterator(it);

  2. Create a provisioning plan to remove the IT role from the user (a plan targets one identity, so build one per user).
     // Sample plan creation for one user; loop over userNames to do all of them
     Identity identity = (Identity) context.getObjectByName(Identity.class, "<add the user name>");
     ProvisioningPlan plan = new ProvisioningPlan();
     plan.setIdentity(identity);
     AccountRequest accRequest = new AccountRequest();
     accRequest.setApplication(ProvisioningPlan.APP_IIQ);   // the internal "IIQ" application
     accRequest.setNativeIdentity(identity.getName());
     // Modify the existing identity; Create would try to make a new one
     accRequest.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);

     // Detected IT roles are removed through "detectedRoles"; "assignedRoles" is for assigned roles
     accRequest.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_DETECTED_ROLES,
             ProvisioningPlan.Operation.Remove, "<role_name>"));

     plan.add(accRequest);   // add the request, not the list to itself

  3. Use the Provisioner API to remove the role (and its entitlements) from the user.
     Provisioner prov = new Provisioner(context);
     prov.execute(plan);

Note: This will work if the IT role is not tagged to any business roles; otherwise in the next refresh the IT roles will be provisioned again. It will be better to untag the IT role from the business role before running the script.

The easiest way would be to use the batch request to remove the role and the underlying entitlements.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.