Removal of identity Roles via SNOW

Which IIQ version are you inquiring about?

8.4

Please share any other relevant files that may be required (for example, logs).

{
  "schemas": [
    "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow",
    "urn:ietf:params:scim:schemas:sailpoint:1.0:TaskResult"
  ],
  "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow": {
    "workflowName": "LCM Provisioning",
    "input": [
      {
        "key": "plan",
        "value": "<ProvisioningPlan nativeIdentity=\"101018\"><AccountRequest application=\"IIQ\" op=\"Modify\"><entry key=\"startDate\">1734566400000</entry><entry key=\"endDate\">1735171200000</entry><AttributeRequest name=\"assignedRoles\" op=\"Add\" value=\"BR_GAG_GROUP_IT_ServiceManagement\"><entry key=\"addDate\">1734566400000</entry><entry key=\"removeDate\">1735171200000</entry><entry key=\"source\" value=\"LCM\"/></AttributeRequest></AccountRequest></ProvisioningPlan>",
        "type": "application/xml"
      },
      {
        "key": "targetName",
        "value": "101018"
      },
      {
        "key": "targetClass",
        "value": "Identity"
      },
      {
        "key": "identityName",
        "value": "101018"
      },
      {
        "key": "launcher",
        "value": ""
      },
      {
        "key": "flow",
        "value": "AccessRequest"
      },
      {
        "key": "cuSNOWticketID",
        "value": "RITM0000000"
      }
    ]
  }
}

Hey everyone!

Is there a SailPoint API that allows removing a Role from an Identity?
I found the API for adding roles, but I couldn’t find one for removal.
Does anyone have a link or example of the correct API call?

(I need to remove some roles from identities via ServiceNow.)

I do have a working example of a request from ServiceNow to SailPoint that adds roles,
but I couldn’t find any documentation on role removal.

Does anyone have a removal example?

1 Like

I think there is a SCIM API to call an IIQ workflow; you can probably leverage that for this use case.

Hi @abartkowski, actually the same call is supposed to work with only one modification:
change (op="Add") to (op="Remove").

However, I'm not sure whether that will really revoke the actual access ("Entitlements") or just the assignments only (I will validate that for you in my env once I get some time); also, you need to make sure that the roles will not be assigned again through another kind of automation like RBAC, ABAC, etc.

Have a nice one!

That is the issue; I have tried the same request with Modify on the Plan and Remove on the Attribute, and it does not work…

I have solved it by removing the other attributes included in the request.

The request below is working fine:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow",
    "urn:ietf:params:scim:schemas:sailpoint:1.0:TaskResult"
  ],
  "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow": {
    "workflowName": "LCM Provisioning",
    "input": [
      {
        "key": "plan",
        "value": "<ProvisioningPlan nativeIdentity=\"101018\"><AccountRequest application=\"IIQ\" op=\"Modify\"><AttributeRequest name=\"assignedRoles\" op=\"Remove\" value=\"BR_GAG_GROUP_IT_ServiceManagement\"><entry key=\"source\" value=\"LCM\"/></AttributeRequest></AccountRequest></ProvisioningPlan>",
        "type": "application/xml"
      },
      {
        "key": "targetName",
        "value": "101018"
      },
      {
        "key": "targetClass",
        "value": "Identity"
      },
      {
        "key": "identityName",
        "value": "101018"
      },
      {
        "key": "launcher",
        "value": ""
      },
      {
        "key": "flow",
        "value": "AccessRequest"
      },
      {
        "key": "cuSNOWticketID",
        "value": "RITM0019008"
      }
    ]
  }
}
2 Likes
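The working removal request above, generated from ServiceNow-side inputs, as an added example that is not code from this thread or from SailPoint: the plan is built with ElementTree so that an identity or role name copied from a ticket is escaped rather than spliced into the XML string, and only the assignedRoles AttributeRequest is included, as the fix required. The endpoint URL (`/scim/v2/LaunchedWorkflows` on a placeholder host) and the `launch` helper are assumptions; the schema URNs, workflow name and input keys are those of the payload above.

```python
import json
import xml.etree.ElementTree as ET

# Assumed IIQ SCIM 2.0 endpoint; the host is a placeholder, not from the thread.
LAUNCHED_WORKFLOWS_URL = "https://iiq.example.com/identityiq/scim/v2/LaunchedWorkflows"
SCHEMA_LW = "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow"
SCHEMA_TR = "urn:ietf:params:scim:schemas:sailpoint:1.0:TaskResult"


def build_plan(identity_name, role_name, op):
    """ProvisioningPlan XML with one assignedRoles Add or Remove and nothing else.
    Built with ElementTree rather than string concatenation, so a role name or
    identity taken from a ticket field cannot break out of its attribute:
    quotes and angle brackets are escaped automatically.
    """
    if op not in ("Add", "Remove"):
        raise ValueError("op must be 'Add' or 'Remove'")
    plan = ET.Element("ProvisioningPlan", nativeIdentity=identity_name)
    acct = ET.SubElement(plan, "AccountRequest", application="IIQ", op="Modify")
    attr = ET.SubElement(acct, "AttributeRequest",
                         name="assignedRoles", op=op, value=role_name)
    ET.SubElement(attr, "entry", key="source", value="LCM")
    return ET.tostring(plan, encoding="unicode")


def build_launch_request(identity_name, role_name, op, ticket_id):
    """JSON body for the LaunchedWorkflows POST, mirroring the working payload."""
    inputs = [
        {"key": "plan", "value": build_plan(identity_name, role_name, op),
         "type": "application/xml"},
        {"key": "targetName", "value": identity_name},
        {"key": "targetClass", "value": "Identity"},
        {"key": "identityName", "value": identity_name},
        {"key": "launcher", "value": ""},
        {"key": "flow", "value": "AccessRequest"},
        {"key": "cuSNOWticketID", "value": ticket_id},
    ]
    return {"schemas": [SCHEMA_LW, SCHEMA_TR],
            SCHEMA_LW: {"workflowName": "LCM Provisioning", "input": inputs}}


def to_json(body):
    return json.dumps(body, indent=2)


def launch(body, auth, timeout=30):
    """POST the body to IIQ; needs network and credentials, so not exercised offline."""
    import requests  # third-party, imported lazily so the builders run without it
    resp = requests.post(LAUNCHED_WORKFLOWS_URL, json=body, auth=auth, timeout=timeout)
    resp.raise_for_status()
    return resp.json()
```

Swap `"Remove"` for `"Add"` to produce the original add request; anything beyond that one AttributeRequest is what broke the removal in the thread.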

Glad that you solved it @abartkowski, this is awesome, and thanks for sharing the final payload for the request!