We are building a Webservices Connector, and we need to associate a specific API call to the Delete Operation.
We want to trigger the Delete Operation when users reach a specific lifecycle state. Therefore, we try and use the Identity Profile setting, to delete accounts from specific sources:
However, when we try to Select Sources, we only see a subset of the existing ones, and the one we are looking for does not appear. Does the source need to be “enabled” to perform deletions, in some way? I couldn’t find info in the docs (perhaps I have missed it). I could however see THIS in the docs:
Note
The Web Services source supports the Before Provisioning rule, which enables you to delete an account using a rule. For example, you can change the provisioning plan’s account operation from disable to delete. The UI fields are the same and applicable to all the operations that you choose to configure.
For Entitlement Aggregation, you need to configure the schema manually using the SailPoint APIs. Contact SailPoint Support / Expert Services for assistance.
For the Web Services source, you can configure the native identity in the provisioning plan using a placeholder such as $plan.planNativeIdentity$.
You can utilise the rule to update the plan and delete the account.
I have read that; however, I don’t want, if I can avoid it, to use a “trick” (or a Rule at all, if it’s not necessary), to perform a “natural” operation.
For example, in our scenario, we DO already have a Disable operation, and we need to be able to Disable OR Delete accounts, according to different conditions (lifecycle states). I could use some Rule trick, of course… but the Identity Profiles now give the possibility to actively Delete accounts, in specific lifecycle states. At the same time, the WebServices connector gives the possibility to MAP a Delete operation. One would expect that these two elements would connect naturally and work out of the box.
Is there no other way to “push” a Delete operation to a webservice connector, other than a Rule?
@fabio_carraro, I suspect the webservices source documentation might be a bit outdated as I’ve noticed similar inconsistencies in a few places in the past on that same documentation page. Since the Delete Accounts option under Identity Profiles is a relatively recent enhancement, I’m inclined to think the docs haven’t fully caught up yet.
Here’s what I’d suggest: try configuring your Web Services source under the lifecycle state where you want the delete operation to be triggered for downstream accounts. Then, set up a Delete Account type operation on your Web Services connector and define the corresponding API call details there. Avoid adding any Before Provisioning Rule logic for now and just keep it simple.
Give this setup a test. My hunch is that the delete trigger from the Identity Profile should correctly invoke the Delete Account operation on your Web Services source (assuming the identity has an account on that source). If that works, it should successfully send the delete API call to your target system.
Thanks for the reply. If I understood your advice correctly, well, that’s what I have tried to do in the first place. I have already tried to set the Webservice Source in the appropriate lifecycle state, in the Identity Profile. The problem is exactly that: it’s not in the list. As I stated in the first message, the interface shows only a SUBSET of the existing sources, when selecting the one(s) for account deletion. That’s why I thought maybe there is some special “setting”.
Ah, got it @fabio_carraro. I now understand what you meant. The list of sources available for “Delete Accounts” in the Identity Profile only includes those where the source JSON contains “DELETE” as one of the values in the features array. This is default by design.
To fix this, I manually patched my Web Services source to include “DELETE” under the features array. You can use the Update source (partial) API endpoint or the SailPoint ISC VS Code extension to update the source JSON.
Once I added "DELETE" and saved the change, the source became visible in the Delete Account configuration section of the Identity Profile.
Although SailPoint doesn’t officially recommend modifying the features array directly, this tweak resolved the issue in my case. Since the Web Services connector already supports the delete functionality with the “Delete Account” HTTP Operation type (even though it hadn’t been used previously due to the lack of a trigger in ISC), I don’t expect this change to cause any problems.
You can give this a try in a sandbox environment first and see if it works for you along with the approach I mentioned in my previous comment.
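A sketch of the patch described in the last reply, added here as an example and not code from the thread or from SailPoint: it builds the JSON Patch body that appends "DELETE" to a source's features array, skips the change when the value is already present, and produces a matching rollback patch. The function names and the sample source record are constructed, and it assumes the partial-update endpoint accepts standard JSON Patch (RFC 6902) operations.

```python
import copy

FEATURE = "DELETE"  # value the thread says the Identity Profile picker looks for

def build_patches(source):
    """Return (forward, rollback) JSON Patch (RFC 6902) op lists for one source."""
    features = source.get("features")
    if features is None:
        # No array at all: create it; rollback removes the whole member again.
        return ([{"op": "add", "path": "/features", "value": [FEATURE]}],
                [{"op": "remove", "path": "/features"}])
    if FEATURE in features:
        return [], []  # already selectable, nothing to send
    # "-" appends, so the new element lands at index len(features).
    # The index-based rollback is only valid while the array is otherwise unchanged.
    return ([{"op": "add", "path": "/features/-", "value": FEATURE}],
            [{"op": "remove", "path": f"/features/{len(features)}"}])

def apply_ops(doc, ops):
    """Tiny local applier for the op shapes above, to preview the result."""
    doc = copy.deepcopy(doc)
    for op in ops:
        key, _, idx = op["path"].lstrip("/").partition("/")
        if op["op"] == "add" and idx == "-":
            doc[key].append(op["value"])
        elif op["op"] == "add":
            doc[key] = op["value"]
        elif idx:
            del doc[key][int(idx)]
        else:
            del doc[key]
    return doc

# Constructed sample of a source record as read back before patching.
SAMPLE_SOURCE = {
    "id": "SOURCE_ID_PLACEHOLDER",
    "name": "Example Web Services Source",
    "features": ["PROVISIONING", "ENABLE"],
}

if __name__ == "__main__":
    forward, rollback = build_patches(SAMPLE_SOURCE)
    patched = apply_ops(SAMPLE_SOURCE, forward)
    print("send as the partial-update body:", forward)
    print("features after patch:", patched["features"])
    print("keep for rollback:", rollback)
```

Saving the source JSON as read before the change, together with the rollback patch, gives a way back if the sandbox test shows unexpected behaviour.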