IIQ Provisioning

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

Hi Team,

We have a Salesforce application, and I have a small issue with deprovisioning.
I wrote this simple rule.
```java
import sailpoint.api.*;
import sailpoint.object.*;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

public class MASalesforeOperationAnalyst {
    public static void main(String[] args) throws GeneralException {
        // Placeholder: when this runs as an IIQ rule, 'context' is supplied by IdentityIQ.
        SailPointContext context = null;
        String applicationName = "Salesforce Application Account";
        List permisssionSet = new ArrayList();

        // Find every IdentityEntitlement on the application with ProfileId = "xyz".
        QueryOptions qo = new QueryOptions();
        qo.addFilter(Filter.and(Filter.eq("application.name", applicationName), Filter.eq("name", "ProfileId"), Filter.eq("value", "xyz")));
        qo.setCloneResults(true);
        List disableIdentites = new ArrayList<>();
        IncrementalObjectIterator iterator = new IncrementalObjectIterator(context, IdentityEntitlement.class, qo);

        // Guard with hasNext() so an empty result does not throw.
        while (iterator.hasNext()) {
            IdentityEntitlement identityEntitlement = (IdentityEntitlement) iterator.next();
            Identity id = identityEntitlement.getIdentity();
            if (id == null) {
                continue; // entitlement without an owning identity
            }

            String nativeId = identityEntitlement.getNativeIdentity();
            String identityName = id.getName();
            String departMentCode = (String) id.getAttribute("departmentCode");
            // Last six characters of the department code; null when the code is missing or too short.
            String callCenterCode = (departMentCode != null && departMentCode.length() >= 6)
                    ? departMentCode.substring(departMentCode.length() - 6) : null;

            Application app = context.getObject(Application.class, applicationName);
            IdentityService idSrv = new IdentityService(context);
            List<Link> links = idSrv.getLinks(id, app);
            if (!Util.isEmpty(links) && links.size() > 0) {
                for (Link link : links) {
                    String nativeIdentity = link.getNativeIdentity();
                    if (callCenterCode != null && !callCenterCode.equalsIgnoreCase("232010") && nativeIdentity.equalsIgnoreCase(nativeId) && !link.isDisabled()) {
                        permisssionSet = link.getAttribute("PermissionSet") != null ? (List) link.getAttribute("PermissionSet") : new ArrayList();
                        // Drops this value from the list that is sent in the Remove request below.
                        permisssionSet.remove("WalkMe_End_User_Permissions");

                        // One plan per account, so requests do not accumulate across iterations.
                        ProvisioningPlan plan = new ProvisioningPlan();
                        plan.setIdentity(id);
                        ProvisioningPlan.AccountRequest acc = new ProvisioningPlan.AccountRequest();
                        acc.setNativeIdentity(nativeId);
                        acc.setOperation(Operation.Modify);
                        acc.setApplication(applicationName);
                        AttributeRequest attReq1 = new AttributeRequest("ProfileId", ProvisioningPlan.Operation.Remove, "xyz");
                        acc.add(attReq1);
                        if (permisssionSet != null && permisssionSet.size() > 0) {
                            AttributeRequest attReq = new AttributeRequest("PermissionSet", ProvisioningPlan.Operation.Remove, permisssionSet);
                            attReq.put("source", "Rule");
                            acc.add(attReq);
                        }
                        plan.setSource("Rule");
                        plan.setComments("Operations analyst department transfer");
                        plan.add(acc);

                        createProvsisoningWorkflowRequest(identityName, plan);
                    }
                }
            }
        }
    }

    private static void createProvsisoningWorkflowRequest(String identityName, ProvisioningPlan plan) {
        // Body not included in the post.
    }
}
```

`createProvsisoningWorkflowRequest`: this method helps to trigger the LCM provisioning workflow.
The issue is with the "WalkMe_End_User_Permissions" permission set. We have an IT and a business role for this: `(IsActive = "true") AND ((inactive = "false") OR (inactive = null))`
IsActive --> Salesforce attribute to mark active or inactive. It is set to false after running this rule, but after refresh only the business role is removed from the user, not the IT role, and the permission set is still on the user record.
And if we try to remove it from the code itself, it's not going to, and it's going to filter and show as a dependency.
Please help to fix this; we need to remove this permission set.

Hi @Jeevith18 ,

I have gone through your code, and the issue is that you’re removing “WalkMe_End_User_Permissions” from the list but then using that modified list in the Remove operation. This won’t work as expected because you need to specifically remove that permission set, not exclude it from removal.

Remove the line below from your code, and it should be fixed.

```java
permisssionSet.remove("WalkMe_End_User_Permissions");
```
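Added example, not part of the original thread and not SailPoint code: a plain-Java model of the list handling described in the reply above, showing which permission sets stay on the account with and without the `remove(...)` line, plus a pre-submit check. It assumes a Remove request is applied to the account exactly as submitted (filtering of the plan by IIQ is not modelled); the class name, the method names and the `Sample_Set_A` value are made up for illustration.

```java
import java.util.*;

// Added example: plain Java, no SailPoint classes; all names here are hypothetical.
public class RemoveRequestCheck {

    // Return a fresh copy of an attribute value that may be a single String or a
    // collection, so building the request never mutates the account's own list.
    static List<String> toList(Object value) {
        List<String> out = new ArrayList<>();
        if (value instanceof Collection) {
            for (Object o : (Collection<?>) value) {
                if (o != null) out.add(o.toString());
            }
        } else if (value != null) {
            out.add(value.toString());
        }
        return out;
    }

    // Values left on the account once a Remove request for 'toRemove' is applied
    // (assumption: the request is applied exactly as submitted).
    static Set<String> residual(Object current, Collection<String> toRemove) {
        Set<String> left = new LinkedHashSet<>(toList(current));
        left.removeAll(toRemove);
        return left;
    }

    public static void main(String[] args) {
        // Constructed sample value for the account's PermissionSet attribute.
        Object onAccount = Arrays.asList("WalkMe_End_User_Permissions", "Sample_Set_A");

        // As posted: the value is taken out of the list before the list is sent as Remove.
        List<String> asPosted = toList(onAccount);
        asPosted.remove("WalkMe_End_User_Permissions");
        System.out.println("as posted, still assigned: " + residual(onAccount, asPosted));

        // With that line deleted: every current value is requested for removal.
        List<String> fixed = toList(onAccount);
        System.out.println("line deleted, still assigned: " + residual(onAccount, fixed));

        // Pre-submit check: refuse to send a deprovisioning request that leaves values behind.
        if (!residual(onAccount, fixed).isEmpty()) {
            throw new IllegalStateException("Remove request would leave permission sets assigned");
        }
    }
}
```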
