Programmatic Removal of Detected IT Roles for the Identity

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

I am working on removing the detected roles for bulk users by using SailPoint objects via a rule. I have tried the multiple approaches below without any success. Can someone please let me know the best way to remove a detected role for an identity programmatically?

Approach 1:

    Identity identity = context.getObjectByName(Identity.class, "");
    Bundle oldRole = context.getObjectByName(Bundle.class, "*");
    if (oldRole != null && identity != null)
    {
        context.startTransaction();
        identity.remove(oldRole);
        context.saveObject(identity);
        context.commitTransaction();
        context.decache(identity);
    }

Approach 2:

    Identity identity = context.getObjectByName(Identity.class, "**");
    Bundle oldRole = context.getObjectByName(Bundle.class, "****");

    if (oldRole != null && identity != null)
    {
        context.startTransaction();
        identity.removeDetectedRole(oldRole);
        context.saveObject(identity);
        context.commitTransaction();
        context.decache(identity);
    }

Approach 3:

    try {
        ProvisioningPlan plan = new ProvisioningPlan();
        Provisioner provisioner = new Provisioner(context);
        Identity id = context.getObjectByName(Identity.class, "163334");
        identityList.add("Identity Name : " + identityid + " Status " + id.getAttribute("status"));

        plan.setIdentity(id);
        provisioner.setNoLocking(true);
        provisioner.setOptimisticProvisioning(true);

        AccountRequest acc = new AccountRequest();
        acc.setApplication("IIQ");
        acc.setOperation(AccountRequest.Operation.Modify);
        acc.add(new AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Add, "****"));

        plan.add(acc);
        provisioner.execute(plan);
        return plan.toXml();
    }
    catch (GeneralException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    }

Are these detected roles part of any business roles? If yes, you need to remove that business role and the IT role gets removed.
If not, then you need to remove the entitlements that are part of this role, as a detected role is nothing more than entitlements grouped together and displayed for your visibility.


Hi Ramireddy,
It would be good to get some broader context from you - why you need to do that, as it’s a pretty unusual operation, not to say pointless. The reason is simple: if you just remove detected roles (together with role detections - which I believe might be the reason why your code is not working), they will be detected again with the next identity refresh.

So I would be more than happy to help if you can elaborate a bit more about what you are trying to achieve really.

Hi @ramireddy,

The roles (IT Roles) are detected when the users have the corresponding entitlements. If your use case is to remove the entitlement along with the detected role, you might have to create a provisioning plan with role removal. This should expand and trigger the entitlement removal as well.

But if your requirement is to avoid having detected roles but you want to keep the entitlements, instead of using any rules you can enable the following option in the Role Configuration for IT Roles.

Gear Icon -> Global Settings -> Role Configuration -> IT (Role Types) -> Check the option "No automatic detection with profiles"

What is the real use case here: removing the IT roles as well as the entitlements, or just not showing the detected roles at the Identity level?
Also, is this specific to some detected roles or all across your SailPoint system?

Thank you for your inputs. I just want to remove the user’s entitlements along with the detected IT roles.

I am assuming that if we remove the entitlements, the detected role will automatically be removed.

@ramireddy
Your assumption is correct here.
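
The approach the replies converge on, as an added example that is not code from any poster or from SailPoint: a rule body that builds a provisioning plan removing the entitlements recorded in the identity's role detection for one IT role, so that the role is no longer detected on the next identity refresh. `IDENTITY_NAME` and `IT_ROLE_NAME` are placeholders, `context` is the rule's SailPointContext, and the `RoleDetection`, `RoleTarget` and `AccountItem` accessors are assumed to behave as in the IIQ Javadoc and to hold attribute entitlements (not permissions); check them against your 8.3 Javadoc.

```java
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.AccountItem;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.RoleDetection;
import sailpoint.object.RoleTarget;

// Placeholders (assumptions): replace with real object names.
String identityName = "IDENTITY_NAME";
String roleName = "IT_ROLE_NAME";

Identity identity = context.getObjectByName(Identity.class, identityName);
if (identity == null) return "Identity not found: " + identityName;

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

// Each RoleDetection records which accounts and entitlements matched the role.
List detections = identity.getRoleDetections();
if (detections != null) {
    for (RoleDetection detection : detections) {
        if (!roleName.equals(detection.getRoleName())) continue;
        if (detection.getTargets() == null) continue;
        for (RoleTarget target : detection.getTargets()) {
            if (target.getItems() == null) continue;
            // One Modify request per account that contributed to the detection.
            AccountRequest acct = new AccountRequest();
            acct.setApplication(target.getApplicationName());
            acct.setInstance(target.getInstance());
            acct.setNativeIdentity(target.getNativeIdentity());
            acct.setOperation(AccountRequest.Operation.Modify);
            for (AccountItem item : target.getItems()) {
                acct.add(new AttributeRequest(item.getName(),
                        ProvisioningPlan.Operation.Remove, item.getValue()));
            }
            plan.add(acct);
        }
    }
}
// Nothing matched: do not send an empty plan to the connectors.
if (plan.getAccountRequests() == null || plan.getAccountRequests().isEmpty())
    return "No detected entitlements found for role " + roleName;

Provisioner provisioner = new Provisioner(context);
provisioner.compile(plan);   // expand and validate before executing
provisioner.execute();
return plan.toXml();         // keep the executed plan for the audit trail
```

Run it against a single test identity first and review the returned plan XML; an entitlement shared with another role the user should keep will be removed as well.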
