Issue with Role Assignment Rule

Which IIQ version are you inquiring about?

8.3 p3

Share all details about your problem, including any error messages you may have received.
We have written a Role assignment Rule. However, even if the user already has the Business role, the role is getting provisioned again on every refresh, and we see provisioning transactions for it. We are using the same assignment rule with all the Business roles.

import sailpoint.object.Identity;
import sailpoint.object.Bundle;
import sailpoint.tools.Util;
import java.util.List;

// Initialize required variables (roleName and identity are rule arguments)
Bundle currentRole = context.getObjectByName(Bundle.class, roleName);
List identityDetectedRoles = identity.getDetectedRoles();
List identityAssignedRoles = identity.getAssignedRoles();

if (currentRole != null && !Util.isEmpty(identityDetectedRoles)) {
    // Only evaluate if the Business role is not already assigned
    if (identityAssignedRoles == null || !identityAssignedRoles.contains(currentRole)) {
        // Get required roles (IT roles) for the current role (Business Role)
        List requiredRoles = currentRole.getRequirements();
        // Check if requiredRoles is not null and not empty
        if (!Util.isEmpty(requiredRoles)) {
            // Assign only when every required IT role is detected
            if (identityDetectedRoles.containsAll(requiredRoles)) {
                return true;
            }
        }
    }
}
return false;

Hi @varanjo,

Are the included IT roles provisioned or not? Also, can you check whether the included access is being removed and then provisioned again?

Thanks

Hi @ashutosh08 ,

User already has access to the included IT roles and the included access is not being removed. It is just getting provisioned again.

Thanks

Try changing this :

if (identityAssignedRoles != null && identityAssignedRoles.contains(currentRole)) {
    return false;
}
  • It explicitly checks if identityAssignedRoles contains the currentRole.
  • If identityAssignedRoles already includes currentRole, it returns false immediately, which means no further role assignment occurs for that role, so there is no reassignment when the role is already assigned to the identity.

The complete code would be :

import sailpoint.object.Identity;
import sailpoint.object.Bundle;
import sailpoint.tools.Util;
import java.util.List;

Bundle currentRole = context.getObjectByName(Bundle.class, roleName);
List identityDetectedRoles = identity.getDetectedRoles();
List identityAssignedRoles = identity.getAssignedRoles();

// Check if the current role exists and if detected roles are not empty
if (currentRole != null && !Util.isEmpty(identityDetectedRoles)) {
    // Check if the current role is already assigned to the identity
    if (identityAssignedRoles != null && identityAssignedRoles.contains(currentRole)) {
        // If the current role is already assigned, do not proceed with reassignment
        return false;
    }
    
    // Get required roles (IT roles) for the current role (Business Role)
    List requiredRoles = currentRole.getRequirements();
    
    // Check if requiredRoles is not null and not empty
    if (!Util.isEmpty(requiredRoles)) {
        // Only proceed if all required roles are detected for the identity
        if (identityDetectedRoles.containsAll(requiredRoles)) {
            return true; // Assign the Business Role
        }
    }
}

// Return false if no conditions met for assigning the role
return false;

Hi @vkaushik ,

The code that I have written is correctly returning false. However, even after returning false, the Business roles are getting provisioned again.

I also tried the code that you provided. It is returning false as needed. However, even after returning false, the Business roles are getting provisioned again, which is visible in the Administrator console.
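Added example, not code from this thread or from SailPoint: a small Python model of how an identity refresh evaluates a role assignment rule, with the two rule variants discussed above mirrored as plain functions. It assumes the standard IdentityIQ refresh semantics, namely that the assignment rule is evaluated for the Business role on every refresh, a true result assigns (and provisions) the role, and a false result removes a rule-made assignment. The role name, the required IT role names and the `Identity` structure are constructed for the example.

```python
"""Model of refresh-time evaluation of an IdentityIQ role assignment rule.

Assumption (not taken from the thread): on each refresh the rule is evaluated
for the Business role; True assigns the role, False removes an assignment the
rule made earlier. Role and requirement names below are constructed.
"""
from dataclasses import dataclass, field

# Constructed data: Business role -> required IT roles (Bundle.getRequirements()).
REQUIREMENTS = {"Finance Analyst": ["AD-Finance-Group", "SAP-FI-Display"]}


@dataclass
class Identity:
    """Minimal stand-in for sailpoint.object.Identity."""
    detected_roles: set
    assigned_roles: set = field(default_factory=set)


def rule_as_posted(identity, role_name):
    """Mirrors the thread's rule: returns False once the role is already assigned."""
    required = REQUIREMENTS.get(role_name)
    if not identity.detected_roles or not required:
        return False
    if role_name in identity.assigned_roles:
        return False  # "do not proceed with reassignment"
    return set(required) <= identity.detected_roles


def rule_idempotent(identity, role_name):
    """Returns True for as long as the requirements are detected, whether or not
    the role is already assigned; the refresh itself avoids duplicate work."""
    required = REQUIREMENTS.get(role_name)
    if not identity.detected_roles or not required:
        return False
    return set(required) <= identity.detected_roles


def refresh(identity, rule, role_name):
    """One refresh pass. Returns the provisioning action the pass would generate:
    'assign', 'remove' or 'none'."""
    wants = rule(identity, role_name)
    has = role_name in identity.assigned_roles
    if wants and not has:
        identity.assigned_roles.add(role_name)
        return "assign"
    if not wants and has:
        identity.assigned_roles.discard(role_name)
        return "remove"
    return "none"


def simulate(rule, detected=("AD-Finance-Group", "SAP-FI-Display"), refreshes=4):
    """Run several refreshes for one identity and return the action per refresh."""
    identity = Identity(detected_roles=set(detected))
    return [refresh(identity, rule, "Finance Analyst") for _ in range(refreshes)]


if __name__ == "__main__":
    print("as posted:  ", simulate(rule_as_posted))
    print("idempotent: ", simulate(rule_idempotent))
    print("no access:  ", simulate(rule_idempotent, detected=("AD-Finance-Group",)))
```

Under these semantics a rule that answers false as soon as the role is assigned makes the refresh remove the assignment, and the next refresh assigns it again, so a new provisioning transaction appears on alternate refreshes. Keeping the rule idempotent, true whenever the required IT roles are detected, assigns once and then leaves the assignment alone; the model does not cover manual assignments or how the removal interacts with detected entitlements, which is worth checking in the actual environment.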