Maximum Deleted Accounts Threshold

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hi Community,

I want to know the best way to change the parameters “Maximum deleted accounts/ groups” to a percentage rather than a fixed value for an account or group aggregation tasks. From my understanding the way it works is as a fixed value. So if I were to put 10, it would be 10 accounts not 10% of accounts. What’s the best way to go about this?

Thanks in advance!

It’s totally depend on your requirement . if you think that no action is taken outside of iiq for account you can put some lower % but for group you can put some higher % may be 5%.

It’s the no. of accounts I believe. However, you can adjust the value using a custom rule if necessary. Determine the number of accounts retrieved from the system and establish a predefined threshold percentage. For instance, if there are currently 1000 accounts in the system, a rule could be set to trigger at 10%, which would be 100 accounts. If the account count increases to 1100 the next day, the rule would automatically adjust to 110 accounts, still maintaining the 10% threshold.

There is no normal way to convert this to a percentage.

The only way I can think of is to create a rule which loops over the TaskDefinitions, get the number of accounts for the ‘to be scanned’ applications and calculate the %. With this new number update the TaskDefintion.

This Rule can be scheduled to run as a (maintenance) task on a regular basis.

If you want an example, please let us know.

– Remold

Yes if you could provide an example that’d be great!

An example for the Rule:

import sailpoint.object.*;
 
int deletionPercentage = 10;
 
List taskDefs = context.getObjects(TaskDefinition.class, new QueryOptions().addFilter(Filter.eq("parent.name","Account Aggregation")));
 
for (TaskDefinition td : taskDefs) {
  String appName = td.getString("applications");
  if (!appName.contains(",")) {
    int accountCount = context.countObjects(Link.class, new QueryOptions().addFilter(Filter.eq("application.name",appName)));
    int checkDeletedThreshold = 10;      
 
    if (accountCount > 100) {
      checkDeletedThreshold = accountCount * deletionPercentage / 100;
    }
    td.setArgument("checkDeleted", "true");
    td.setArgument("checkDeletedThreshold", String.valueOf(checkDeletedThreshold));
    context.saveObject(td);  
  }
}
context.commitTransaction();

You can run this rule:

• via debug (Run Rule)
• via the Rule Runner Plugin
• via a ‘Run Rule’-task (preferred option, as this can also be scheduled).

I hope this helps,

PS Do not directly run this in a production environment.

– Remold

Thanks for the mention @Remold! Just to add to this if you run it via the Rule Runner plugin you have an additional layer of security in that you can stop an actively running rule midway using the stop button in the UI. To add log output during this run so you can see what’s going on just use the built-in log variable and you should be able to see log statements in real-time! So like this:

import sailpoint.object.*;
 
int deletionPercentage = 10;
 
List taskDefs = context.getObjects(TaskDefinition.class, new QueryOptions().addFilter(Filter.eq("parent.name","Account Aggregation")));
 
for (TaskDefinition td : taskDefs) {
  String appName = td.getString("applications");
  if (!appName.contains(",")) {
    int accountCount = context.countObjects(Link.class, new QueryOptions().addFilter(Filter.eq("application.name",appName)));
    int checkDeletedThreshold = 10;      
 
    if (accountCount > 100) {
      checkDeletedThreshold = accountCount * deletionPercentage / 100;
    }
    log.debug("Currently calculating TaskDefinition: " + td.getName());
    td.setArgument("checkDeleted", "true");
    td.setArgument("checkDeletedThreshold", String.valueOf(checkDeletedThreshold));
    context.saveObject(td);  
  }
}
context.commitTransaction();