I’m using a business role with role provisioning policy to provision an account on the webservices application. While requesting the role, I capture the required details on the role provisioning policy form and upon submission, the account is provisioned successfully in the target application. But when the role is removed through manage access flow, only the role is getting removed but account remains untouched in the target system. Doesn’t the role removal trigger the deprovisioning process on the application? How to disable the account when the role is removed?
@Ravikumar_Subramanyam Role removal doesn’t disable the account. It’ll definitely add the attribute request to remove the attribute values which are being set, but not to disable the account. You need to handle this in your before provisioning rule, where you can check if the request is initiated via roles and has an attribute change request, and you can modify the plan to delete/disable the account.
Note: Found a fix? Help the community by marking the comment as solution. Feel free to react with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.
Thanks for your response. There isn’t any entitlement in the application schema. Hence I have not configured a remove entitlement operation. I have only configured the disable account operation. Disable is working when I submit a disable request through Manage Accounts.
My business role doesn’t have any IT Role linked to it. The core purpose of using the business role approach is to enable users to request access to this application via Manage User Access and to collect the attributes required for application provisioning. When this business role is removed for the user, it’s just removing the role from the IdentityIQ application and not triggering any modify operations to the application configured in the role provisioning policy. Hence it’s not reaching the before provisioning rule.
You could handle your custom functionality in a before provisioning rule for your application; however, you will need something to trigger entering that rule. I have done this before to disable an account when there are no entitlements left on a Link.
A few options here:
Use a “dummy” entitlement for that application signifying application access. Just make sure to handle removing it from the plan in the before provisioning rule and re-adding it in the after provisioning rule so your identity requests successfully verify.
Mark an account attribute as an entitlement; however, for this option you will then need to add these entitlements to your roles for your specific use cases.
Not sure exactly what your application schema looks like, but if you let me know, I’m happy to draw up what this would look like for you.
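An added example, not code from this thread, of the before provisioning rule that the two replies above describe: it strips an assumed dummy entitlement attribute from the plan so the connector never sees it, and when the role removal revokes that entitlement it turns the Modify into a Disable. The attribute name `appAccess`, its value `ACCESS`, and the Enable-on-re-add behaviour are assumptions; `context`, `plan`, `application` and `log` are the standard BeforeProvisioning rule inputs.

```java
// IdentityIQ BeforeProvisioning rule body (BeanShell). Added example, not from the thread.
// Assumption: the "dummy" entitlement is an account schema attribute named "appAccess"
// (marked Managed/Entitlement) whose only value is "ACCESS"; the target has no such attribute.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String DUMMY_ATTR = "appAccess";   // assumed attribute name
String DUMMY_VALUE = "ACCESS";     // assumed entitlement value

if (plan == null || application == null) return;
List acctReqs = plan.getAccountRequests(application.getName());
if (acctReqs == null) return;

for (AccountRequest acctReq : acctReqs) {
    List attrReqs = acctReq.getAttributeRequests();
    if (attrReqs == null) continue;

    boolean accessRemoved = false;
    boolean accessAdded = false;
    List keep = new ArrayList();
    for (AttributeRequest attrReq : attrReqs) {
        if (DUMMY_ATTR.equals(attrReq.getName())
                && DUMMY_VALUE.equals(String.valueOf(attrReq.getValue()))) {
            ProvisioningPlan.Operation op = attrReq.getOperation();
            if (ProvisioningPlan.Operation.Remove.equals(op)
                    || ProvisioningPlan.Operation.Revoke.equals(op)) {
                accessRemoved = true;
            } else if (ProvisioningPlan.Operation.Add.equals(op)
                    || ProvisioningPlan.Operation.Set.equals(op)) {
                accessAdded = true;
            }
            continue;   // drop it: the target cannot store this attribute
        }
        keep.add(attrReq);
    }
    acctReq.setAttributeRequests(keep);

    // Only a Modify is rewritten; Create/Delete requests keep their own semantics.
    if (AccountRequest.Operation.Modify.equals(acctReq.getOperation())) {
        if (accessRemoved && !accessAdded) {
            log.info("appAccess revoked for " + acctReq.getNativeIdentity() + ": Modify -> Disable");
            acctReq.setOperation(AccountRequest.Operation.Disable);
        } else if (accessAdded) {
            // Assumed design choice: re-requesting the role re-enables a disabled account.
            acctReq.setOperation(AccountRequest.Operation.Enable);
        }
    }
}
```

The matching after provisioning rule would put the dummy value back on the Link (so the identity request verifies, as the reply notes); that half is not shown here.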
The “Dummy” entitlement seems to be a good option. I tried creating the dummy entitlement for my application on the Entitlement Catalog screen. It’s created successfully.
Now I’m trying to link this entitlement to my business role. Can this entitlement be directly linked to the business role? Because I don’t see that option in the modify role UI.
So, I’m trying to create an IT Role to link the entitlement and then map the IT Role to the business role. But I am facing an issue adding the dummy entitlement to the IT Role. It’s not showing up. Attaching error screen below.
@Ravikumar_Subramanyam In your account schema, make sure the “Managed” property is set for your entitlement attribute. Only then will it start showing up in your IT Role when adding it.