Provisioning Policy Role to add an AD group and remove another

Which IIQ version are you inquiring about?

8.2

Hello everybody,

In my SailPoint I have an IT Role that has a Provisioning Policy.
That Provisioning Policy has a form with a field memberOf, and the value of this field is a rule.
The rule validates who the user is and, based on their department, returns the DN of an AD group and assigns this group to the user.
The issue is that the user, for some reason, may already have one group of this kind.
I modified the rule to validate and remove the group if there is one.

My issue is that if I run the rule manually it works: it returns the correct DN and removes the group if there is anything to remove.
If the rule runs automatically (for example, if a user changes department), it goes into a loop.

Thanks everyone

// Field value rule for the memberOf field of the provisioning policy.
// Rule inputs provided by IIQ: identity, context, log. The elided setup
// (....) defines app (application name), nativeId and DLP (the group to remove).
import sailpoint.api.Provisioner;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Works out which department group the identity should get and returns its DN.
public String add(Identity identity) {

    ............................................

    return groupDN;
}

// Removes the department group the account already holds (DLP) by compiling
// and executing a second provisioning plan from inside the field rule.
public void remove(Identity identity, String groupDN) {

    .....................................

    // DLP = group to remove

    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    plan.setTargetIntegration(app);

    AccountRequest acctReq = new AccountRequest();
    acctReq.setNativeIdentity(nativeId);
    acctReq.setApplication(app);
    acctReq.setOperation(AccountRequest.Operation.Modify);
    acctReq.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, DLP));

    plan.add(acctReq);

    try {
        Provisioner provisioner = new Provisioner(context);
        provisioner.compile(plan);
        provisioner.execute();
    } catch (Exception e) {
        log.error("Error removing group " + DLP, e);
    }
}

// Rule body: compute the new group, remove the old one, return the new DN as the field value.
String valor_add = add(identity);

remove(identity, valor_add);

log.debug("valor_add " + valor_add);

return valor_add;
  

Hi Ricardo,

Do you have two different IT roles with different sets of AD groups? If yes, you can add a check whether the IT role is already assigned to the user. Or, in the case of AD groups, you can check whether it is already provisioned on the user's AD account and then take further action.

Thanks,
Pallavi

Hello
I have only one IT role that will return an AD group

// domain holds the remainder of the group DN after the CN
if (roleDepartment.equals("XYZ")) {
    groupDN = "CN=XYZ" + domain;
    return groupDN;
}

if (roleDepartment.equals("yyy")) {
    groupDN = "CN=yyy" + domain;
    return groupDN;
}

This is triggered when a user changes the roleDepartment.

But if the user already has one, I want to remove it, because the user can't have more than one group of this kind.

In my opinion, in that case we should ideally have a one-to-one mapping in the IT role.

Thanks,
Pallavi

Hey,
can you explain better?
Thanks

Hi Ricardo,

For example, IT Role 1 → with entitlement groupDN = "CN=XYZ" + domain;
IT Role 2 → with entitlement groupDN = "CN=yyy" + domain;

So if the user does not meet a certain criteria condition, you can write logic to remove the associated IT role. You can try out this approach and see if it works for you.

Thanks,
Pallavi

Hi,
that's not an option, because I have a lot of departments.

Hi Ricardo,

I would do it like this: in the provisioning form, you calculate the correct group to which the user has to be assigned.

In a BeforeProvisioning rule, you could then check whether the provisioning plan contains the add operation of a department group and modify the plan by adding attribute requests with the remove operation if the user has these groups. I guess it would be more efficient if you actually used an AfterProvisioning rule, where you additionally check whether the operation to add a department group was committed or filtered, and only in case it was committed would you change the plan by adding the groups to be removed.

Br,
Renad

In my before provisioning rule I have a plan with something like

<ProvisioningPlan nativeIdentity="XYZ" targetIntegration="AD">
  <AccountRequest application="AD" nativeIdentity="CN=XYZ,OU=XXX" op="Modify">
    <AttributeRequest name="memberOf" op="Add">
      <Value>
        <List>
          <String>CN=XXX</String>
        </List>
      </Value>
    </AttributeRequest>
  </AccountRequest>
</ProvisioningPlan>

I tried to add what I want to remove, but it's not working:

// Fetch the existing AD account request from the plan (may be null if there is none).
AccountRequest accReq = plan.getAccountRequest(appName, null, nativeId);
accReq.setApplication(app);
accReq.setOperation(AccountRequest.Operation.Modify);
accReq.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, "XYZ"));

// Note: accReq was taken from the plan, so this adds the same request object again.
plan.add(accReq);

Hi @RIsidoro,

can you maybe add some logs and provide the result here? It would make sense to check the plan before and after your modification.

Thanks,
Renad

Hello all, thank you for your help.
Following @rquku's advice, in the before provisioning rule I check the plan and add


// Add the Remove to the account request already in the plan instead of submitting a second plan.
accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, DLP));

And it works
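The approach the thread converges on (Renad's suggestion, confirmed as working in the last post) is to put the Remove into the same plan that carries the Add, inside a BeforeProvisioning rule, rather than firing a second provisioning from the field rule, which is what produced the loop in the original post. Below is an added example of such a rule body written for this reply; it is not code from the thread or from SailPoint. It assumes the standard BeforeProvisioning rule inputs (context, plan, application, log), that all department groups share one DN suffix (DEPT_GROUP_SUFFIX is a hypothetical value), and that the AD Link attribute holding group membership is memberOf. The helper names toList, isDeptGroup and containsIgnoreCase are also mine.

```java
// Added example: BeforeProvisioning rule body for the AD application (BeanShell).
// Rule inputs supplied by IIQ: context, plan, application, log.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumption: every department group is "CN=<department>" followed by this common suffix.
String DEPT_GROUP_SUFFIX = ",OU=Departments,DC=example,DC=com";

// IIQ hands back multi-valued attributes as null, a single String or a List; normalise to a List.
List toList(Object value) {
    List result = new ArrayList();
    if (value == null) return result;
    if (value instanceof List) { result.addAll((List) value); } else { result.add(value); }
    return result;
}

// DN suffix match, case-insensitive, so only department groups are touched.
boolean isDeptGroup(Object dn) {
    return dn != null && dn.toString().trim().toLowerCase().endsWith(DEPT_GROUP_SUFFIX.toLowerCase());
}

boolean containsIgnoreCase(List dns, String dn) {
    for (Object o : dns) {
        if (o != null && o.toString().trim().equalsIgnoreCase(dn.trim())) return true;
    }
    return false;
}

if (plan != null && plan.getAccountRequests() != null) {
    Identity identity = plan.getIdentity();

    for (AccountRequest acctReq : plan.getAccountRequests()) {
        // Only AD account requests that change an existing or new account are relevant.
        if (!application.getName().equals(acctReq.getApplication())) continue;
        if (acctReq.getOperation() != AccountRequest.Operation.Modify
                && acctReq.getOperation() != AccountRequest.Operation.Create) continue;
        if (acctReq.getAttributeRequests() == null) continue;

        // 1. Which department groups is this plan about to add (or already removing)?
        List adding = new ArrayList();
        List removing = new ArrayList();
        for (AttributeRequest attrReq : acctReq.getAttributeRequests()) {
            if (!"memberOf".equals(attrReq.getName())) continue;
            for (Object v : toList(attrReq.getValue())) {
                if (!isDeptGroup(v)) continue;
                if (ProvisioningPlan.Operation.Add.equals(attrReq.getOperation())) adding.add(v.toString());
                if (ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation())) removing.add(v.toString());
            }
        }
        if (adding.isEmpty()) continue; // no department group being added: nothing to reconcile

        // 2. Which department groups does the account hold today? Read the current Link.
        Link link = null;
        if (identity != null && identity.getLinks(application) != null) {
            for (Link l : identity.getLinks(application)) {
                if (acctReq.getNativeIdentity() == null
                        || acctReq.getNativeIdentity().equalsIgnoreCase(l.getNativeIdentity())) {
                    link = l;
                    break;
                }
            }
        }
        if (link == null) continue; // new account or unknown link: nothing old to remove

        // 3. Queue a Remove, in this same plan, for every current department group that is
        //    not the one being added and is not already scheduled for removal.
        for (Object current : toList(link.getAttribute("memberOf"))) {
            String dn = current.toString();
            if (!isDeptGroup(dn) || containsIgnoreCase(adding, dn) || containsIgnoreCase(removing, dn)) continue;
            acctReq.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, dn));
            removing.add(dn);
            log.debug("BeforeProvisioning: removing old department group " + dn
                    + " from " + acctReq.getNativeIdentity());
        }
    }
}
```

Because the Remove is appended to the account request that already exists in the plan, no second Provisioner call is made and nothing re-triggers the field rule, so the loop described at the top of the thread cannot occur. The rule runs for every plan against AD, so it exits early whenever no department group is being added; the suffix check is what keeps it from ever touching non-department groups, so that constant must match your actual group DNs before the rule goes anywhere near production.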