1. remove all the roles/permissions during user access revoke
2. remove all the roles/permissions and disable the user during user leaver
We have implemented the JDBC provisioning rule below. It is working for case 1 (remove all the roles/permissions during user access revoke) but not for case 2, where the roles/permissions are not revoked but the user is disabled during user leaver.
<?xml version="1.0" encoding="UTF-8" ?>
This JDBC rule can process account creation requests, deletion requests, and modification requests that pertain to the role attribute. It logs debug messages if other account request types are submitted.
<![CDATA[
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;

// plan, connection and log are supplied by the JDBCProvision rule context.
log.debug("entering EBSDBJDBCProvision Rule");

ProvisioningResult result = new ProvisioningResult();

if ( plan != null ) {
    List accounts = plan.getAccountRequests();
    if ( ( accounts != null ) && ( accounts.size() > 0 ) ) {
        for ( AccountRequest account : accounts ) {
            try {
                String nativeIdentity = (String) account.getNativeIdentity();
                log.debug("nativeIdentity is " + nativeIdentity);

                if ( AccountRequest.Operation.Modify.equals( account.getOperation() ) ) {
                    // Case 1 (access revoke): the plan carries a Remove on the PRIV attribute.
                    AttributeRequest attrReq = account.getAttributeRequest("PRIV");
                    log.debug("attrReq is " + attrReq);
                    if ( attrReq != null && ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation()) ) {
                        List entitlementsToBeRemoved = new ArrayList();
                        if (attrReq.getValue() instanceof String) {
                            entitlementsToBeRemoved.add((String) attrReq.getValue());
                        } else if (attrReq.getValue() instanceof List) {
                            entitlementsToBeRemoved.addAll((List) attrReq.getValue());
                        }
                        for (String attval : entitlementsToBeRemoved) {
                            // REVOKE is DDL and takes no bind variables, so the role and user
                            // names are interpolated as-is; both come from the provisioning plan.
                            String queryStatement = "revoke " + attval + " from " + nativeIdentity;
                            log.debug("queryStatement is " + queryStatement);
                            PreparedStatement statement = connection.prepareStatement(queryStatement);
                            statement.executeUpdate();
                            statement.close();
                        }
                    }
                    result.setStatus( ProvisioningResult.STATUS_COMMITTED );

                } else if ( AccountRequest.Operation.Disable.equals( account.getOperation() ) ) {
                    // Case 2 (leaver): the Disable provisioning policy supplies "disablePriv".
                    AttributeRequest attrReq = account.getAttributeRequest("disablePriv");
                    log.debug("attrReq is " + attrReq);
                    // attrReq itself is null-checked here; the original dereferenced
                    // attrReq.getValue() before confirming the attribute request exists.
                    // When the plan carries no disablePriv values, this block revokes nothing
                    // and only the account lock below runs.
                    if ( attrReq != null && attrReq.getValue() != null ) {
                        List entitlementsToBeRemoved = new ArrayList();
                        if (attrReq.getValue() instanceof String) {
                            entitlementsToBeRemoved.add((String) attrReq.getValue());
                        } else if (attrReq.getValue() instanceof List) {
                            entitlementsToBeRemoved.addAll((List) attrReq.getValue());
                        }
                        for (String attval : entitlementsToBeRemoved) {
                            String queryStatement = "revoke " + attval + " from " + nativeIdentity;
                            log.debug("queryStatement is " + queryStatement);
                            PreparedStatement statement = connection.prepareStatement(queryStatement);
                            statement.executeUpdate();
                            statement.close();
                        }
                    }
                    String accountLock = "alter user " + nativeIdentity + " account lock password expire";
                    PreparedStatement disableStatement = connection.prepareStatement( accountLock );
                    disableStatement.executeUpdate();
                    disableStatement.close();
                    // Set once after the lock: the original set it only inside the revoke loop,
                    // so a Disable with nothing to revoke never reported COMMITTED.
                    result.setStatus( ProvisioningResult.STATUS_COMMITTED );

                } else {
                    log.debug("Unhandled account request operation: " + account.getOperation());
                }
            } catch ( SQLException e ) {
                log.error("Provisioning failed for " + account.getNativeIdentity(), e);
                result.setStatus( ProvisioningResult.STATUS_FAILED );
                result.addError( e );
            }
        }
    }
}
return result;
]]>
Why is the list of entitlements you are trying to remove called “Priv” during the access revoke block and called “disablePriv” in the disable block? Are you trying to remove a different set of entitlements in the two scenarios?
I think it would help to refactor the rule a bit here since you want to perform the same action in both if cases and would improve readability.
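A refactored form of the rule along the lines this reply suggests, added here as an example (it is neither the poster's rule nor SailPoint's own code): one revoke path serves both the PRIV (access revoke) and disablePriv (leaver) cases, and, because REVOKE and ALTER USER are DDL that take no bind parameters, each role and user name is checked against an assumed identifier pattern before it is spliced into the statement. It assumes the standard JDBCProvision rule inputs plan, connection and log, and that the target is Oracle with unquoted identifiers.

```java
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;
// Assumed shape of an unquoted Oracle role or user name. REVOKE and ALTER USER are DDL and
// take no bind variables, so every name is checked before it is spliced into the SQL text.
Pattern identPattern = Pattern.compile("^[A-Za-z][A-Za-z0-9_$#]{0,127}$");
void assertIdentifier(String name) throws SQLException {
    if (name == null || !identPattern.matcher(name).matches())
        throw new SQLException("refusing to build DDL from unexpected identifier: " + name);
}
// plan, connection and log are the JDBCProvision rule inputs (assumed, as in the posted rule).
void execute(String sql) throws SQLException {
    log.debug("executing: " + sql);
    PreparedStatement st = connection.prepareStatement(sql);
    try { st.executeUpdate(); } finally { st.close(); }
}
// Collect a String or List attribute value as a list of role names (empty when absent).
List valuesOf(AttributeRequest attrReq) {
    List values = new ArrayList();
    if (attrReq != null && attrReq.getValue() instanceof List) values.addAll((List) attrReq.getValue());
    else if (attrReq != null && attrReq.getValue() != null) values.add(String.valueOf(attrReq.getValue()));
    return values;
}
ProvisioningResult result = new ProvisioningResult();
if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest account : plan.getAccountRequests()) {
        boolean disable = AccountRequest.Operation.Disable.equals(account.getOperation());
        if (!disable && !AccountRequest.Operation.Modify.equals(account.getOperation())) continue;
        String user = account.getNativeIdentity();
        try {
            assertIdentifier(user);
            // One revoke path for both cases; only the attribute name set by the policy differs.
            AttributeRequest attrReq = account.getAttributeRequest(disable ? "disablePriv" : "PRIV");
            if (attrReq != null && (disable || ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation()))) {
                for (String role : valuesOf(attrReq)) { assertIdentifier(role); execute("revoke " + role + " from " + user); }
            }
            if (disable) execute("alter user " + user + " account lock password expire");
            result.setStatus(ProvisioningResult.STATUS_COMMITTED);
        } catch (SQLException e) {
            log.error("provisioning failed for " + user, e);
            result.setStatus(ProvisioningResult.STATUS_FAILED); result.addError(e);
        }
    }
}
return result;
```

If the Disable plan arrives without disablePriv values, the loop revokes nothing and only the lock runs, which is visible in the debug log as a missing "executing: revoke" line.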
As I have mentioned, we have a requirement for the below use cases:
1. remove all the roles/permissions during user access revoke
2. remove all the roles/permissions and disable the user during user leaver, where user status changes from active to terminated.
We are trying to remove the same set of entitlements (attribute “Priv”) in both cases 1 and 2.
As SailPoint IDN may not revoke and trigger the same SQL statement in both cases 1 and 2, we defined a “Disable” provisioning policy for case 2 and defined the entitlement attribute as “disablePriv” in that “Disable” provisioning policy. But we are trying to remove the same set of entitlements (attribute “Priv”) in both cases 1 and 2.
Please update the code if you think it may not work and provide your input.
I am not sure if it is a best practice to handle all your provisioning logic inside your JDBC rule as the requirements can change as you go forward. Keep the JDBC rule simple, with your basic Create/Update/Disable/Delete or any other required operation as suggested in the JDBC rule guide.
Your other requirements of setting up a leaver process and role revokes can be handled through a before provisioning rule or through workflow actions.
Hi @jesvin90, thank you for your reply. I have implemented the new BeforeProvisioning rule below for the leaver use case (case 2), where all the roles/permissions are removed and the user is disabled during user leaver, when the user status changes from active to terminated. Could you please check and provide your input on this?
I have updated the code as below. It is trying to remove only one entitlement; the rest of the entitlements are still showing up, and the user is getting disabled for use case 2 during the user leaver process.
<?xml version='1.0' encoding='UTF-8'?>
This JDBC rule can process account creation requests, deletion requests, and modification requests that pertain to the role attribute. It logs debug messages if other account request types are submitted.
<![CDATA[