Which IIQ version are you inquiring about?
8.4P3
Please share any other relevant files that may be required (for example, logs).
IntegrationConfig-ProvisioningIntegrationModule.xml (1002 Bytes)
FNFManualProvisioningIntegrationExecutor.java (3.7 KB)
Share all details about your problem, including any error messages you may have received.
We have discovered an issue with IdentityIQ 8.4P3 related to revocation of Assigned Business Roles, which are composed of several IT Roles, each of which contain entitlements from a disconnected application. In my example, “Test Business Role” contains 3 IT Roles, IT_Role_1, IT_Role_2 and IT_Role_3.
IT_Role_1 contains several Active Directory entitlements, for which provisioning is supported by AD.
IT_Role_2 contains several entitlements from the “RBAC FIT6 ServiceNow” application, which is a delimited file app, provisioning is not supported. Any access request or revocation should (and generally does) generate a manual action / revocation action.
IT_Role_3 contains several entitlements from the “RBAC FIT6 Tanium” application, which is a delimited file app, provisioning is not supported. Any access request or revocation should (and generally does) generate a manual action / revocation action.
The issue is that when this business role is revoked, a single revocation manual action is generated by IdentityIQ for removal of the entitlements for both the RBAC FIT6 ServiceNow application and the RBAC FIT6 Tanium application, that manual revocation workitem is assinged to the original assigner of the role, the person who made the original access request. I’ll note that each of those applications has a distinct Revoker assigned, as well as a different owner (and all entitlements have different owners). We’ve had a case open with support and have been told this is working as designed and is expected behavior.
I’d like to fix this by implementing an IntegrationConfig and associated implementation of a AbstractIntegrationExecutor class. I’ve attached both to this case. However, I’m seeing the following behavior.
-
Access Request for a single entitlement (Add request) – The custom integration class is called and logs the access request. The method called in the class has the following signature (public ProvisioningResult provision(sailpoint.object.ProvisioningPlan plan) throws Exception). Note: the class overloads the provision method 3 times, I’ve added logging to all 3 provision methods.
-
Access Request for a single entitlement (Remove) - The custom integration class is called and logs the access request. The method called in the class has the following signature (public ProvisioningResult provision(sailpoint.object.ProvisioningPlan plan) throws Exception).
-
Certification for only the single entitlement added in step #1 Above – Class is not invoked. I’ve even added logging to both the default constructor and overloaded constructor, however nothing is logged, leading me to believe that IIQ at the core is not even attempting to call my class, however it also does not generate any revocation workitems when I have my IntegrationExecutor configured. When I remove the configuration for the IntegrationExecutor, workitems are generated.
-
Certification for the business role we discussed yesterday, the role that contains 3 IT roles, which contain disconnected entitlements from 3 different apps. – Class is not invoked. I’ve even added logging to both the default constructor and overloaded constructor, however nothing is logged, leading me to believe that IIQ at the core is not even attempting to call my class, however it also does not generate any revocation workitems when I have my IntegrationExecutor configured. When I remove the configuration for the IntegrationExecutor, workitems are generated.
This one is definitely a challenge. Has anyone successfully implemented one of these IntegrationConfig use cases for handling revocations out of a targeted certification?
