Question on LCM Provisioning/Leaver Workflow

RSanders · November 16, 2023, 9:02pm

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Afternoon!

I’ve been noticing that during the leaver workflow, there’s an entitlement that I would like to exclude from LCM Provisioning when it’s going through and removing all of the users roles/entitlements/etc. I’ll try to summarize the steps:
Let’s take a terminated user who has a RACF account. There is a before provisioning rule that sets their default RACF group to a specific group - we made this change for audit reasons, and the rule works just fine. The problem comes when LCM Provisioning builds the identity request - in the request, there’s a section where a remove operation tries to remove this default group. If you’re familiar with RACF, you can’t remove a default group - you can only change it to something else.
What I would like to do is somehow either exclude this particular group altogether so that when the identity request is created, it’s not included. I’m fresh out of the SailPoint IIQ Advanced Provisioning and Workflow course, but I never thought to ask them about this, and there wasn’t anything (that I can see or remember) that would cover this topic.
Does anyone have any ideas or thoughts on how I could accomplish this?

sunnyajmera · November 16, 2023, 10:37pm

You can achieve this either in the before provisioning rule or within one of the workflow steps. Identify the scenario in which you want to exclude this group from the provisioning plan or account request, and then remove the attribute request. Sample code for reference can be found either here or on Compass.

Jarin_James · November 17, 2023, 5:21am

Hi @RSanders,

As @sunnyajmera mentioned, add an additional step in the workflow. You can have a Custom object which can hold list of entitlements to be removed. This way it can be more dynamic and can add more entitlements to this custom object. And in the additional step you can remove the entitilements

vedant2715 · November 17, 2023, 6:45am

@RSanders - There are two aspects of this :

If you only want to stop during leaver - then customize your leaver workflow and remove the entitlement from leaver plan.
If you want to stop during any Deprovisioning event, then create a before prov rule.

system · January 16, 2024, 6:46am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Provisioning AD entitlement on orphaned account IIQ Discussion and Questions workflows , aggregation , identityiq , provisioning , access-requests , entitlements	6	164	March 4, 2024
Before Provisioning Rule Operations - How to remove plan or account request ISC Discussion and Questions rules , provisioning , entitlements	6	1613	July 21, 2023
Remove requested entitlements on termination ISC Discussion and Questions identity-security-cloud	10	879	November 25, 2023
Getting Errors in the entitlement tab When users access was removed from Active directory IIQ Discussion and Questions identityiq	4	547	October 15, 2023
Termination workflow to add a condition where we can check entitlement name and skip from revoking ISC Discussion and Questions workflows , identity-security-cloud , entitlements	3	157	March 13, 2024

Question on LCM Provisioning/Leaver Workflow

Which IIQ version are you inquiring about?

Share all details related to your problem, including any error messages you may have received.

Related Topics