I have configured a web service connector for my target system and written a custom Before Provisioning rule to change the Disable operation to a Delete operation, so that IDN doesn't show me a disabled status.
But when I try to create a certification campaign and revoke an entitlement, the entitlement and AP are removed from the user profile in IDN but the account is still present there. When I check the target system, the user is not present.
Now the problem is, when I try to raise a request again for the same AP, it throws an error saying:
Exception while updating account.Url: Message: 404 : Not Found, HTTP Error Code: 404
NOTE: Aggregation is scheduled every 6 hours and this is happening when I try within this 6-hour window.
I also checked the SailPoint documentation; there is no operation present for "REVOKE" functionality. There are only operations present for Delete, Disable, Enable, Lock and Unlock.
Could someone please help me: can I write custom code for REVOKE so that if someone triggers the revoke event, it automatically deletes the account as well?
@sethi_shivam Please check your remove entitlement operation: are you deleting the account there, or just removing the requested entitlement?
If you are deleting the account, then it is obvious that the account is getting deleted in the target system, but for IDN it is just an entitlement remove request. That is the reason you see the account still present, and when you request any access for that account it is not found in the target.
So if I understood correctly:
1. In the event of disable account you simply want to delete the account.
2. When you want to remove / revoke an entitlement (either via access request or certification) you just want to remove the entitlement from the account. (In this case you just need to make sure you configure the remove entitlement operation and make sure you are calling the correct API which just removes the entitlement.)
3. If you want the account to be deleted when you request remove entitlement, then you will have to use a Before Provisioning rule to change the operation to Delete (after checking the attribute request), like you are doing for Disable.
@sethi_shivam I did not get the second paragraph of your second post.
As I mentioned in my first reply, point number 3: if you want the account to be deleted when you request remove entitlement, then you will have to use a Before Provisioning rule to change the operation to Delete (after checking the attribute request), like you are doing for Disable.
1. Check for the Modify operation (ProvisioningPlan.AccountRequest.Operation.Modify).
2. Check the attribute request (e.g. you marked the attribute "group" as an entitlement in your account schema): check that "group" is being requested for remove.
3. Check that the operation is Remove (sailpoint.object.ProvisioningPlan.Operation.Remove).
4. If yes, then change the operation to DELETE.
So I am using this as a Before Provisioning rule and calling the Delete operation for the Disable operation and the Remove operation … but for the Revoke operation I didn't find anything.
OK, do you mean you want to delete the account only if there will be no entitlement left?
In that case you can write a method to get all of the user's existing access and keep it in a list.
Get the requested access to be removed and remove that from the existing list.
Check if the list is empty: if yes, then change the operation to DELETE; if no, just do nothing. (All of this can be done in the BP rule.)
You may also want to take a look at the Entitlement Cardinality trigger in the Services Standard BeforeProvisioning Rule which can serve your use case here.
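The cardinality check described above, as an added BeanShell sketch for an IDN Before Provisioning rule (not the OP's rule and not SailPoint's Services Standard rule). It assumes the rule's standard inputs `plan`, `application`, `identity` and `log`, and that the entitlement attribute in the account schema is called "groups"; both are assumptions for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumed name of the schema attribute marked as an entitlement.
String ENTITLEMENT_ATTR = "groups";

// Copy the entitlement values currently held on the link into a mutable list.
List currentValues(Link link) {
  List values = new ArrayList();
  Object held = link.getAttribute(ENTITLEMENT_ATTR);
  if (held instanceof List) {
    values.addAll((List) held);
  } else if (held != null) {
    values.add(held.toString());
  }
  return values;
}

if (plan != null && plan.getAccountRequests() != null) {
  for (AccountRequest acctReq : plan.getAccountRequests()) {
    // Only Modify requests carry entitlement removals; Disable is handled elsewhere.
    if (!AccountRequest.Operation.Modify.equals(acctReq.getOperation())) continue;
    if (acctReq.getAttributeRequests() == null) continue;

    // Assumed: the identity holds at most one link on this source.
    List links = identity.getLinks(application);
    if (links == null || links.isEmpty()) continue;
    List remaining = currentValues((Link) links.get(0));

    // Subtract every value this plan removes from the held set.
    for (AttributeRequest attrReq : acctReq.getAttributeRequests()) {
      if (ENTITLEMENT_ATTR.equals(attrReq.getName())
          && ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation())) {
        Object val = attrReq.getValue();
        if (val instanceof List) remaining.removeAll((List) val);
        else if (val != null) remaining.remove(val.toString());
      }
    }

    // Only when the last entitlement goes does the account go, so IDN records
    // a Delete (and drops the link) instead of an orphaned Modify.
    if (remaining.isEmpty()) {
      log.info("Last entitlement removed from " + acctReq.getNativeIdentity()
          + "; converting Modify to Delete");
      acctReq.setOperation(AccountRequest.Operation.Delete);
    }
  }
}
```

Because the plan now carries a Delete, IDN removes the link on the account activity instead of waiting for the next aggregation, which is what prevents the later 404 on a re-request.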
I am using this condition, but still, when I revoke an entitlement (e.g. ABC) and visit the user profile again, it shows me that the account is still there, and under Entitlements / Access Profiles it doesn't show me anything.
Now when I request the same access again (e.g. ABC), I get the error that the user doesn't exist on the target system.
Basically, even after removing the last entitlement, it is still showing me the link to that target system, which should not be there, and because of this I am not able to request the same entitlement or any other entitlement again, because instead of creating the user it is searching for and updating the user.
Can you check if your "Services Standard IdentityNow BeforeProvisioning Rule" is attached to your source?
Try to detach and attach it again.
Also make sure your Delete operation is configured.
To validate that your configuration is working, you can search for the user, go to Account Activity and see if the Delete operation is triggered. There you will see which operation is being called for the account.