IntegrationConfig to manage requests of groups

Hi All,

Im using IntegrationConfig to manage a disconnect application. I need invoke the Integration Config when a role is requested or when new account is created, so in this case I have configured IntegrationConfig to be executed when Create or Modify operations are requested. The problem here is that we need avoid executing the integationConfig when role is removed from the account.

So, my question is, Is there any way to avoid executing IntegrationConfig when the operation of Account Request is Modify and Operation of AttributeRequest is Removed?

Thanks in advance

I don’t think this is possible. When you configure an Application as a in the IntegrationConfig XML, then all provisioning will be routed to the Integration regardless of the type of operation

Can you elaborate a little on the use case here - why would you not want deprovisioning of role entitlements to go through the IntegrationConfig provisioning path?

Is your Config calling a custom java class to handle the provisioning? If so, could modify that class to block the modifications when it contains the AttributeRequest with op=remove?

1 Like

In an integrationconfig, you can use an integration rule (a.k.a. plan initializer rule) to inspect and/or modify the plan. So, you can make it strip specific requests, send them elsewhere or just make it fail (throw exception) in specific cases.

1 Like

Thanks for your quick responses

We are using IntegrationConfig because we need open a ticket in Service Now via API when account is created, or a role is added in the account.
For this case, IntegrationConfig call a rule in the PlanInitializer. In this rule we could remove specific requests, but when rule is procesed, IntegrationConfig invoke to ServiceNow API and we want to avoid invoking to ServiceNow API in the IntegrationConfig when role is removed.

Is there any way to stop this proccess without throw exception? In this case we would like implement a good practice if it is possible

In the Rule Guide on Compass (https://community.sailpoint.com/t5/Technical-White-Papers/Rules-in-IdentityIQ-7-0-7-2/ta-p/78176) it says this about the outputs:

Outputs:

Argument
Type Purpose
result sailpoint.object.ProvisioningResult Result indicating success or failure; failure halts theprovisioning action.
Any other return type (including no return value) allows provisioning processing to continue

In other words, just return a provisioning result to stop the provisioning to continue to ServiceNow.

  • Menno
1 Like

Hi @menno_pieters

We have noticed that the unique way to stop provisioning is returning FAILED status in the ProvisiningResult object. If we set COMMITED value, IntegationConfig is invoked and as consecuence ServiceNow API, and this case we dont want invoke to ServiceNow.

In our case we would like end provisioning Successfully but without invoking ServiceNow in the IntegrationConfig

Hi,

Finally we were able to dont invoke to provision method in the IntegrationConfig when role is removed.

In this case we have removed the account request from the plan and we have returned result object with status COMMITTED.