Hello,
We are trying to enable the native change detection for a web service connector with the following scenario:
In the Account schema we have an attribute called active that defines if the account is active or not. This is the attribute on which we want to do native change detection.
This attribute is also the only one marked as an entitlement, because for this connector we want to be able to enable or disable the account via access request and automatic roles.
For the enable account operation we have the following body:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": true
    }
  ]
}
For disable account we have this operation:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": false
    }
  ]
}
As the account view is not updated natively from enable and disable operations in a web service connector, we created enable/disable provisioning policies to trigger the provisioning and update the account directly on those operations.
For our add entitlement operation we have this body:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": $plan.active$
    }
  ]
}
As the plan already contains the value true that attribute “active” should have, we don’t have any issue.
The issue we are facing is on the remove entitlement operation. As the provisioning plan will contain the operation to remove active=true, we cannot use the default plan to set active as false from the plan.
The body we use is the same as the disable operation:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": false
    }
  ]
}
The problem here is that for IDN the operation was to remove “true” from “active” and not set “active” as “false”. The account view will say that the account doesn’t have any entitlements.
On the next aggregation IDN sees that the value on active is set to “false” and it is detected as a native change detection.
Is there a way to avoid this issue and make IDN know that the operation of remove entitlement is to set the attribute active as false to update it directly in the account view?
Best regards,