I have an SoD policy. When I refresh a user, the policy is activated and a rule runs. This rule should remove an AD group from the user.
When I check the user's application account, the group has been removed, but when I go to Entitlements the group is still there.
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Creating Account Request...");
    AccountRequest accountRequest = new AccountRequest();
    accountRequest.setApplication(applicationName);
    accountRequest.setOperation(AccountRequest.Operation.Modify);
    log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Creating Attribute Request...");
    AttributeRequest attrRequest = new AttributeRequest(
            entitlementName,
            ProvisioningPlan.Operation.Remove,
            adGroupToRemove);
    attrRequest.put("preferRemoveOverRetain", "true");
    attrRequest.put("assignment", "true");
    accountRequest.add(attrRequest);
    plan.add(accountRequest);
    log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Executing Provisioning...");
    log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Executing PLAN..." + plan.toXml());
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
    log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Entitlement successfully removed.");
} else {
    log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: A corresponding Entitlement was not found for the Policy.");
    log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Ended in failure. No Entitlement was removed.");
}
log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Exit rule.");
Did you run the system tasks (the aggregation task and the identity refresh task) prior to validation?
Try with the updated code below:
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);
log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Creating Account Request...");
AccountRequest accountRequest = new AccountRequest();
accountRequest.setApplication(applicationName);
// Or AccountRequest.Operation.Remove if you were removing the entire account,
// but Modify is correct for attributes.
accountRequest.setOperation(AccountRequest.Operation.Modify);
log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Creating Attribute Request...");
AttributeRequest attrRequest = new AttributeRequest(
        entitlementName,
        ProvisioningPlan.Operation.Remove,
        adGroupToRemove);
attrRequest.put("preferRemoveOverRetain", "true");
// REMOVE OR COMMENT OUT THIS LINE: attrRequest.put("assignment","true");
// If you want to explicitly tell SailPoint to remove the *assignment* from the Identity Cube,
// which is a more advanced scenario, you'd use a different approach or potentially:
// attrRequest.setRemovesAssignment(true); // This is a specific setter for this purpose.
accountRequest.add(attrRequest);
plan.add(accountRequest);
log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Executing Provisioning...");
log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Executing PLAN..." + plan.toXml());
Provisioner provisioner = new Provisioner(context);
provisioner.execute(plan);
log.debug("CGD_Rule_SOD_Policy_EXIMBILLS_Action_By_Alerts:: Entitlement successfully removed.");
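The two replies point at two different places the group can live: the application account (the Link, updated by the provisioning plan) and the identity's detected entitlements (rebuilt by aggregation and identity refresh). The following BeanShell-style snippet is an added verification step, not code from the thread or from SailPoint, meant to be appended to the rule right after provisioner.execute(plan). It assumes the rule variables used in the posts above (context, log, identity, plan, applicationName, entitlementName, adGroupToRemove), and the IdentityIQ calls it uses (ProvisioningPlan.getResult, ProvisioningResult.getStatus, Identity.getLinks, Identity.getExceptions, EntitlementGroup.getApplication/getAttributes, SailPointContext.decache) are assumed to exist with these signatures in your version; confirm them against your API docs before relying on it.

```java
// Added verification helper (not from the thread): run after provisioner.execute(plan)
// to check whether the SoD remediation actually landed, and where it is still visible.
// Assumed rule variables: context, log, identity, plan, applicationName,
// entitlementName, adGroupToRemove. API calls are assumed to match IdentityIQ;
// verify them against your installed version.
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningResult;
import java.util.List;

// Handles both single-valued and multi-valued entitlement attributes.
boolean containsValue(Object attrValue, String wanted) {
    if (attrValue == null) return false;
    if (attrValue instanceof List) return ((List) attrValue).contains(wanted);
    return wanted.equals(attrValue.toString());
}

// 1. Outcome of the plan itself: "committed" means the connector applied it;
//    "queued" or "failed" means the account has not changed yet.
ProvisioningResult result = plan.getResult();
String status = (result != null) ? result.getStatus() : "no result";
log.debug("SOD verify:: plan status = " + status);

// 2. Re-read the identity; the object already held by the rule may be stale.
context.decache();
Identity fresh = context.getObjectByName(Identity.class, identity.getName());

// 3. Application account view: does the Link still carry the group?
boolean onAccount = false;
List links = fresh.getLinks();
if (links != null) {
    for (Link link : links) {
        if (applicationName.equals(link.getApplicationName())) {
            Object val = link.getAttribute(entitlementName);
            if (containsValue(val, adGroupToRemove)) onAccount = true;
        }
    }
}
log.debug("SOD verify:: group still on account link = " + onAccount);

// 4. Entitlements view: detected entitlements (exceptions) live on the cube and
//    are rebuilt by aggregation + identity refresh, not by executing the plan.
boolean onCube = false;
List exceptions = fresh.getExceptions();
if (exceptions != null) {
    for (EntitlementGroup eg : exceptions) {
        if (eg.getApplication() != null
                && applicationName.equals(eg.getApplication().getName())
                && eg.getAttributes() != null) {
            Object val = eg.getAttributes().get(entitlementName);
            if (containsValue(val, adGroupToRemove)) onCube = true;
        }
    }
}
log.debug("SOD verify:: group still in identity entitlements = " + onCube);

// The symptom from the question: account clean, cube not yet updated.
if (!onAccount && onCube) {
    log.warn("SOD verify:: removal applied on the account but the cube still shows the group;"
           + " aggregate " + applicationName + " and refresh the identity before validating.");
} else if (onAccount) {
    log.warn("SOD verify:: group is still on the account; check the plan status and the"
           + " connector result before assuming the remediation succeeded.");
}
```

Logging the three facts separately (plan status, account view, cube view) is what lets you tell a provisioning failure apart from a stale cube: the first case needs the plan or connector fixed, the second only needs the aggregation and refresh tasks that the first reply asks about.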