Remove Assigned Roles from identity

autorun6464 · July 7, 2025, 7:17pm

so i need to remove all assigned roles of identity upon termination so i added this step in termination workflow to remove assigned roles but it is showing in log all roles but not actually deleting it.. i tried both remove(role) and removeAssignedRole(role) but both seems to be not working

import org.apache.log4j.Logger;
import java.util.List;


Identity identity = context.getObjectByName(Identity.class, identityName);
if (identity == null) {
    logger.error("Identity not found: " + identityName);
    return;  
}

List assignedRoles = identity.getAssignedRoles();

if (assignedRoles == null || assignedRoles.isEmpty()) {
    logger.debug("No roles assigned to identity: " + identityName);
    return; 
}

logger.debug("Total roles to be removed: " + assignedRoles.size());


for (Bundle role : assignedRoles) {
    logger.debug("Removing role: " + role.toString());
    identity.remove(role);
}


context.saveObject(identity);
context.commitTransaction();

Arun-Kumar · July 7, 2025, 7:58pm

Hi @autorun6464 ,

In your termination workflow, include the following logic in the ‘Build Plan’ step to remove the assigned roles from the user.

Identity identity = context.getObjectByName(Identity.class, identityName);
List bundles = identity.getAssignedRoles()
ProvisioningPlan plan = new ProvisioningPlan();
AccountRequest accReq = new AccountRequest();
plan.setIdentity(identity);
accReq.setApplication(ProvisioningPlan.APP_IIQ);
accReq.setOperation(AccountRequest.Operation.Modify);
for(Bundle bundle : bundles)
{
 accReq.add(new AttributeRequest("assignedRoles",ProvisioningPlan.Operation.Remove,bundle.getDsiaplayName())
}
plan.add(accReq)

autorun6464 · July 7, 2025, 9:37pm

ok updated the build provisioning plan but still roles assigned didn’t get remove.

<Step icon="Provision" name="Build Provisioning Plan" posX="332" posY="126" resultVariable="plan">
    <Script>
      <Source>

       import sailpoint.object.*;
        import sailpoint.api.*;
        
        ProvisioningPlan plan = buildProvisioningPlan(context, workflow); 
        
        Identity identity = context.getObjectByName(Identity.class, identityName);
        List bundles = identity.getAssignedRoles();
        
        if (bundles != null &amp;&amp; !bundles.isEmpty()) {
            AccountRequest accReq = new AccountRequest();
            accReq.setApplication(ProvisioningPlan.APP_IIQ);
            accReq.setOperation(AccountRequest.Operation.Modify);
            
            for (Bundle bundle : bundles) {
                accReq.add(new AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Remove, bundle.getDisplayName()));
            }
            
            if (!accReq.getAttributeRequests().isEmpty()) {
                plan.add(accReq);
            }
        }
        
        return plan;

      </Source>
    </Script>

Initial Build plan step

  <Step icon="Provision" name="Build Provisioning Plan" posX="332" posY="126" resultVariable="plan">
    <Script>
      <Source>

        return buildProvisioningPlan(context, workflow); //Optiv-Rule-Library-Termination

      </Source>
    </Script>
    <Transition to="Customize Provisioning Plan"/>
  </Step

pravin_ranjan · July 7, 2025, 11:04pm

try with bundle.getName()

also please make sure you changed the identity status so it will not reassigned with refresh.

pls add some logs to see if this step is executing.

autorun6464 · July 8, 2025, 6:42pm

that too didnt worked…i can see in the logs it is getting roles name but nt actually deleting it..

2025-07-07 14:50:26,678 TRACE sailpoint.WorkflowTrace:216 - Starting step Log Assigned Roles
2025-07-07 14:50:26,710  INFO Workflow:166 - Starting role and entitlement removal for identity: LCM984
2025-07-07 14:50:26,710  INFO AIZWorkflow:166 - Removing 3 roles from identity
2025-07-07 14:50:26,710 DEBUG AIZWorkflow:166 - Removing role: Global Chase Operations Processor
2025-07-07 14:50:26,710 DEBUG Workflow:166 - Removing role: CPRR-ServiceNow_Partner
2025-07-07 14:50:26,710 DEBUG Workflow:166 - Removing role: CPRR-Nonemployee
2025-07-07 14:50:26,725  INFO Workflow:166 - Processing 1 application links

pravin_ranjan · July 8, 2025, 7:02pm

Can you try by simple rule ? also check what’s showing in provisioning transactions.

autorun6464 · July 8, 2025, 7:17pm

soo i need to make a script that deletes all roles of identity??? but isn’t it the same thing that i am doing in the workflow? … the main issue is while i am terminating identity, the roles still exist in it therefore every time the identity is refreshed it gets re assigned to its role

pravin_ranjan · July 8, 2025, 7:21pm

“identity is refreshed it gets re assigned to its role” that’s why we need to change the identity attribute so it will not match the role criteria.

In our case, we change the identity status to T so refresh will not assign the business roles again.

what’s your role match criteria ?

autorun6464 · July 8, 2025, 10:13pm

we are actually changing identity status and the roles like birthright provisioning is not actually getting re assigned .. the problem are only with the roles that are Request Based that are getting re assigned.

pravin_ranjan · July 9, 2025, 2:29am

Do you have any assignment rule configured for those roles ? if those roles are marked as requestable then it should never gets assigned. also check if you have any sticky assignment for those identity. In leaver you need handle that also.

Business Role Assignment Causing sticky attributeAssignments - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

santhirajumunganda · July 10, 2025, 10:45am

Hello @autorun6464 the assigned roles will be automatically removed upon termination. Customizations to the workflow are not required. However, if you’re using a custom termination process, you may add the necessary steps as needed—please refer to this document for guidance.
Link: Terminating Identities with Rapid Setup

For Example:
I’m terminating Betty; she has some assigned roles called BR Role 1, as shown in the image below.

Termination Submitted

Output
Check Access Request and Identity

No more assigned role for this user

I hope this information is helpful to you.
Thanks, —Raju.

autorun6464 · July 11, 2025, 8:55pm

OK i updated with this code and its working fine now. just add to add provisioner.execute(plan);… thank u guys been a great help.

Identity identity = context.getObjectByName(Identity.class, identityName);
List<Bundle> bundles = identity.getAssignedRoles();


ProvisioningPlan plan = new ProvisioningPlan();
AccountRequest accReq = new AccountRequest();
plan.setIdentity(identity);
accReq.setApplication(ProvisioningPlan.APP_IIQ);
accReq.setOperation(AccountRequest.Operation.Modify);

for(Bundle bundle : bundles) {
    String bundleName = bundle.getName();
    logger.debug("Processing role/bundle: " + bundleName);
    
    accReq.add(new AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Remove, bundleName));
}

plan.add(accReq);


logger.debug("Provisioning Plan prepared: " + plan.toXml());

Provisioner provisioner = new Provisioner(context);
provisioner.execute(plan);

system · September 9, 2025, 8:56pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Deprovisioning business roles IIQ Discussion and Questions identityiq , roles	9	81	May 27, 2025
Business Role Assignment Causing sticky attributeAssignments IIQ Discussion and Questions workflows , identityiq , provisioning , roles	5	418	May 13, 2024
Remove All Roles assigned by access request when the termination event triggers ISC Discussion and Questions workflows , identity-security-cloud , provisioning	17	1554	December 30, 2023
Role Removal Issues IIQ Discussion and Questions identityiq , roles	7	68	June 7, 2025
Bussiness Role is not removed from the identity IIQ Discussion and Questions identityiq , roles	3	396	February 13, 2024

Remove Assigned Roles from identity

Related topics