Problem with Revoke entitlement operation in Webservice connector

Hi team ,

I have configured a webservice connector for my target system,

and have written a custom Before Provisioning rule to change the Disable operation to a Delete operation,

so that IDN doesn't show me a disabled status.

But when I create a certification campaign and revoke an entitlement,

the entitlement and AP are removed from the user profile in IDN but the account is still present there. When I check the target system, the user is not present.

Now the problem is, when I try to raise a request again for the same AP it throws an error saying:

Exception while updating account.Url: Message: 404 : Not Found, HTTP Error Code: 404

NOTE: Aggregation is scheduled every 6 hours, and this is happening when I try within this 6-hour window.

Also, I checked the SailPoint documentation; there is no operation present for "REVOKE" functionality.
There are only operations present for:
Delete
Disable
Enable
Lock
Unlock

Could someone please help me: can I write custom code for REVOKE so that if someone triggers the revoke event it automatically deletes the account as well?

Or is there any other way to fix it?

Best Regards

@sethi_shivam Please check your remove entitlement operation: are you deleting the account there, or just removing the requested entitlement?

If you are deleting the account then it is obvious that the account is getting deleted in the target system, but for IDN it is just an entitlement remove request, and that is the reason you see the account still present; when you request any access for that account it is not found in the target.

So if I understood correctly:

  1. In the event of a disable account you simply want to delete the account.
  2. When you want to remove / revoke an entitlement (either via access request or certification) you just want to remove the entitlement from the account. (In this case you just need to make sure you configure the remove entitlement operation and make sure you are calling the correct API, which just removes the entitlement.)
  3. If you want the account to be deleted when you request a remove entitlement, then you will have to use a Before Provisioning rule to change the operation to Delete (after checking the attribute request), like you are doing for Disable.

Regards,
Shekhar Das

Hi @shekhardas1825, yes you are right, but for the 2nd point … when I am revoking the entitlement, I also want to delete the account.

But now there is one more thing: I also need to check that it should not be revoked if there are still some entitlements present.

@sethi_shivam I did not get the second paragraph of your second post.

As I mentioned in my first reply, point number 3: if you want the account to be deleted when you request a remove entitlement, then you will have to use a Before Provisioning rule to change the operation to Delete (after checking the attribute request), like you are doing for Disable.

  1. Check the operation is Modify (ProvisioningPlan.AccountRequest.Operation.Modify).
  2. Check the attribute request (e.g. you marked attribute "group" as an entitlement in your account schema): check whether group is being requested for remove.
  3. Check the operation is Remove (sailpoint.object.ProvisioningPlan.Operation.Remove).
  4. If yes, then change the operation to DELETE.

This is the piece of code I am using for the Before Provisioning rule.

So I am using this as a Before Provisioning rule and calling the Delete operation for the Disable operation and the Remove operation … but for the Revoke operation I didn't find anything.

There is no such operation called Revoke. Please check my second reply; I have updated it.

OK, do you want to say you want to delete the account only if there will be no entitlement left?

In that case you can write a method to get all his existing access and keep it in a list.
Get the requested access to be removed and remove that from the existing list.
Check if the list is empty; if yes then change the operation to DELETE, if no just do nothing. (All this can be done in the BP rule.)
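The list-based check described in this reply, modelled in Python as an added example (it is not the Before Provisioning rule from the thread nor SailPoint code; the provisioning plan is represented as plain dicts, the operation names are plain strings, and the account's current entitlement values are assumed to be passed in by the caller):

```python
# Constants mirroring the operation names used in the thread. In the real
# rule these are ProvisioningPlan.AccountRequest.Operation.Modify / Delete /
# Disable and ProvisioningPlan.Operation.Remove; here they are plain strings.
MODIFY, DELETE, DISABLE = "Modify", "Delete", "Disable"
REMOVE = "Remove"


def as_list(value):
    """Normalise None, a single value or a collection to a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def removes_last_entitlement(account_request, current_values, attribute="role"):
    """True when a Modify request removes every value the account currently
    holds in the entitlement attribute (the "LastRemoved" condition)."""
    if account_request["operation"] != MODIFY:
        return False
    remaining = set(as_list(current_values))
    touched = False
    for attr_req in account_request.get("attributeRequests", []):
        if attr_req["name"] != attribute or attr_req["operation"] != REMOVE:
            continue
        touched = True
        remaining.difference_update(as_list(attr_req.get("value")))
    # A Remove of a value the account never held must not trigger a delete.
    return touched and not remaining


def before_provisioning(plan, current_values, attribute="role"):
    """Apply the rule to the plan in place and return the resulting operations.
    current_values are the entitlement values the account holds on the target
    (assumed to be looked up from the existing account by the caller)."""
    for account_request in plan["accountRequests"]:
        op = account_request["operation"]
        # Disable -> Delete is the mapping the thread already uses; the
        # last-entitlement check adds Modify -> Delete on top of it.
        if op == DISABLE or removes_last_entitlement(account_request, current_values, attribute):
            account_request["operation"] = DELETE
    return [ar["operation"] for ar in plan["accountRequests"]]


# Constructed sample plan: a certification revokes the only role the account holds.
SAMPLE_PLAN = {"accountRequests": [{
    "operation": MODIFY,
    "nativeIdentity": "jdoe",
    "attributeRequests": [{"name": "role", "operation": REMOVE, "value": "ABC"}],
}]}

if __name__ == "__main__":
    print(before_provisioning(SAMPLE_PLAN, ["ABC"]))  # ['Delete']
```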

Yes, I am thinking the same and I need to update the BP rule. Really, thanks for the help.

Hi @sethi_shivam,

You may also want to take a look at the Entitlement Cardinality trigger in the Services Standard BeforeProvisioning Rule, which can serve your use case here.

Services Standard IdentityNow BeforeProvisioning Rule - README.pdf (68.5 KB)

Hi @jesvin90,

Thanks for the response. I am using this

condition
{
    "Attribute": "groups",
    "Value": null,
    "Operation": "LastRemoved"
}

but I am not sure about these 2 things:

  1. "Attribute": "groups": what should I write instead of groups?
  2. Where can I find the value of "Attribute": in my environment?

thanks

@sethi_shivam It's the account attribute; you just need to replace it with the attribute which you marked as entitlement in your account schema.

For example, if you marked role as an entitlement it will look like:

"Entitlement Cardinality Update Triggers": [
    {
        "Attribute": "role",
        "Operation": "LastRemoved",
        "Value": null
    }
]

For example, if you marked AuthorityProfile as an entitlement it will look like:

"Entitlement Cardinality Update Triggers": [
    {
        "Attribute": "AuthorityProfile",
        "Operation": "LastRemoved",
        "Value": null
    }
]

@shekhardas1825

Thanks for responding,

    "cloudServicesIDNSetup": {
        "eventConfigurations": [
            {
                "eventActions": [
                    {
                        "Action": "ChangeOperation",
                        "Attribute": null,
                        "Value": "Delete"
                    }
                ],
                "Identity Attribute Triggers": [
                    {
                        "Attribute": "cloudLifecycleState",
                        "Value": "inactive",
                        "Operation": "eq"
                    }
                ],
                "Operation": "Disable",
                "Entitlement Cardinality Update Triggers": [
                    {
                        "Attribute": "role",
                        "Value": null,
                        "Operation": "LastRemoved"
                    }
                ]
            }
        ]
    }, 

I am using this condition but still, when I revoke an entitlement (for eg: ABC)
and visit the user profile again, it shows me that the account is still there,
and under Entitlements / Access Profiles it doesn't show me anything.

Now when I request the same account again (for eg: ABC), I get the error that the user doesn't exist on the target system.

Basically, even after removing the last entitlement, it is still showing me the link to that target system, which should not be there, and due to which I am not able to request the same entitlement or any other entitlement again, because instead of creating the user it is searching for and updating the user.

Can you check whether your "Services Standard IdentityNow BeforeProvisioning Rule" is attached to your source?

Try to detach and attach it again.

Also make sure your Delete operation is configured.

To validate that your configuration is working, you can search for the user, go to Account Activity and see if the Delete operation is triggered. You will possibly see which operation is being called for the account.

Hi @shekhardas1825,

I just looked at the events and the Delete operation is not getting triggered.

@shekhardas1825 All I can see is that

Change Identity Lifecycle State Success
Remove Entitlement Passed
Modify Account Passed

only these tasks are getting triggered.

@sethi_shivam Try the below:

"cloudServicesIDNSetup": {
    "eventConfigurations": [
        {
            "eventActions": [
                {
                    "Action": "ChangeOperation",
                    "Attribute": null,
                    "Value": "Delete"
                }
            ],
            "Identity Attribute Triggers": [
                {
                    "Attribute": "cloudLifecycleState",
                    "Value": "inactive",
                    "Operation": "eq"
                }
            ],
            "Entitlement Cardinality Update Triggers": [
                {
                    "Attribute": "role",
                    "Value": null,
                    "Operation": "LastRemoved"
                }
            ],
            "Operation": "Disable"
        }
    ]
}

Make sure your "Services Standard IdentityNow BeforeProvisioning Rule" is attached to your source.

I just tested it, still the same issue.

Did you update the “inactive” LCS to disable the source account?

Identity Management → IdentityProfiles → Select your Identity Profile → Provisioning → Inactive

Add your source here: