Remove Business roles from Identity cube

Hi everyone,

We recently migrated from version 8.2 to 8.4P2. As part of this upgrade, we deployed the new version on different Windows servers, which required migrating data from the legacy environment to the new one.

After go-live, we noticed that some users were re-assigned business roles that had been revoked years ago in the legacy system. This happened due to incorrect or stale data in the legacy environment. We identified the affected users and performed a cleanup using a batch request.

However, during cleanup, the batch request not only removed the incorrect business roles but also deleted the access associated with those roles. Some of this access was not originally part of the business roles—it was obtained through separate IT Roles.

Now, we’re left with users who still have the business roles but no corresponding IT roles or entitlements.

Could anyone suggest the best approach or recommended method to clean up these roles?

Thanks in advance for your help!

If you want to clean up only the roles from IIQ but not the access associated with them, you can try removing the roles using the Provisioner API and use setLocalUpdate(true) in the method.

This will ensure that only the role is removed from IIQ, not the access associated with the role.

1 Like

Hi Manish, can you share the Provisioner API, or please let me know where I can find it in IdentityIQ so that I can test it locally?

OK, you are asking to create the script which can build the provisioning plan, something like below:

```java
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;

public class OrphanEntitlementCleanup {

    private static final Log logger = LogFactory.getLog(OrphanEntitlementCleanup.class);

    // Name of the entitlement attribute in the target application's schema.
    // This script uses "capability"; for an AD-style application the group
    // attribute is usually "memberOf", so set it to match your application.
    private static final String ENTITLEMENT_ATTR = "capability";

    private final SailPointContext context;

    public OrphanEntitlementCleanup(SailPointContext context) {
        this.context = context;
    }

    /**
     * Removes the given entitlement values from IIQ's view of an account
     * without calling the connector: the values disappear from the
     * Identity/Link but are left untouched on the target system.
     *
     * @param samAccountName identity name (also used here as the account's nativeIdentity)
     * @param appName        name of the IIQ Application the account belongs to
     * @param listOfOrphEnt  entitlement values to remove (e.g. AD group DNs)
     * @return "success" or "failure"
     */
    public String removeEntFromIIQ(String samAccountName, String appName, List<String> listOfOrphEnt) {
        logger.info("Entering method removeEntFromIIQ");
        String isSuccess = "failure";

        try {
            Identity idn = context.getObjectByName(Identity.class, samAccountName);
            if (idn == null) {
                logger.error("Identity not found: " + samAccountName);
                return isSuccess;
            }

            ProvisioningPlan plan = new ProvisioningPlan();
            plan.setIdentity(idn);

            AccountRequest accRequest = new AccountRequest();
            accRequest.setApplication(appName);
            accRequest.setOperation(AccountRequest.Operation.Modify);
            accRequest.setNativeIdentity(samAccountName);

            if (listOfOrphEnt != null && !listOfOrphEnt.isEmpty()) {
                for (String adGroup : listOfOrphEnt) {
                    accRequest.add(new AttributeRequest(ENTITLEMENT_ATTR, ProvisioningPlan.Operation.Remove, adGroup));
                }
            }
            plan.add(accRequest);

            Provisioner provisioner = new Provisioner(context);
            provisioner.setLocalUpdate(true); // prevents actual provisioning to targets
            ProvisioningProject project = provisioner.compile(plan);
            provisioner.execute(project);
            context.commitTransaction();
            isSuccess = "success";
        } catch (Exception ex) {
            logger.error("Exception occurred while doing provisioning: " + ex.getMessage(), ex);
        }

        logger.info("Exiting method removeEntFromIIQ");
        return isSuccess;
    }
}
```
1 Like

Yes, I have provided sample code where I have used the Provisioner API and set local update. The above code is for entitlements. You can make the changes and do it for business roles.

1 Like
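The business-role variant described above, as an added example that is not code from this thread or from SailPoint. It assumes the IdentityIQ 8.x API (`sailpoint.api.Provisioner`, `ProvisioningPlan.APP_IIQ`, `ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES`); the class name, method name and parameters are my own. Instead of a Modify on the target application, the plan targets the internal IIQ application and its `assignedRoles` attribute, and it first filters the input list down to roles the identity actually has assigned so the result tells you exactly what was dropped:

```java
import java.util.ArrayList;
import java.util.List;

import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;
import sailpoint.tools.GeneralException;

/**
 * Added example (hypothetical class): drops stale business-role assignments
 * from an identity in IIQ only. The plan targets the internal "IIQ"
 * application and the assignedRoles attribute, and the Provisioner runs
 * with localUpdate, so no connector (AD, database, ...) is called and the
 * entitlements on the target systems are left exactly as they are.
 */
public class StaleRoleCleanup {

    private final SailPointContext context;

    public StaleRoleCleanup(SailPointContext context) {
        this.context = context;
    }

    /**
     * @param identityName   Identity.name of the user to clean up
     * @param staleRoleNames business roles to drop from the identity's assigned roles
     * @return the role names that were actually removed (empty if none were assigned)
     */
    public List<String> removeAssignedRolesLocally(String identityName, List<String> staleRoleNames)
            throws GeneralException {

        Identity identity = context.getObjectByName(Identity.class, identityName);
        if (identity == null) {
            throw new GeneralException("Identity not found: " + identityName);
        }

        // Only request removal of roles the identity really has assigned, so a
        // mistyped role name in the input cannot produce a misleading result.
        List<String> toRemove = new ArrayList<String>();
        List<Bundle> assigned = identity.getAssignedRoles();
        if (assigned != null) {
            for (Bundle role : assigned) {
                if (staleRoleNames.contains(role.getName())) {
                    toRemove.add(role.getName());
                }
            }
        }
        if (toRemove.isEmpty()) {
            return toRemove;
        }

        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);

        // The "IIQ" application represents the identity itself; assignedRoles is
        // the multi-valued attribute that carries business-role assignments.
        AccountRequest acct = new AccountRequest();
        acct.setApplication(ProvisioningPlan.APP_IIQ);
        acct.setOperation(AccountRequest.Operation.Modify);
        acct.setNativeIdentity(identity.getName());
        for (String roleName : toRemove) {
            acct.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
                                          ProvisioningPlan.Operation.Remove, roleName));
        }
        plan.add(acct);

        Provisioner provisioner = new Provisioner(context);
        provisioner.setLocalUpdate(true); // update Identity/Link objects only, no connector calls
        ProvisioningProject project = provisioner.compile(plan);
        provisioner.execute(project);
        context.commitTransaction();

        return toRemove;
    }
}
```

Run it against a single test identity in a lower environment first and compare `identity.getAssignedRoles()` and each Link's attributes before and after. The guarantee localUpdate gives you is that nothing is sent to the connectors, so the access on the target systems cannot be revoked the way it was by the batch request; whether IIQ's own copy of the link attributes is rewritten when the role is expanded depends on your version and role configuration, and the next aggregation resynchronises them from the source in either case. Once the roles are gone from the identity, a role detection (refresh) will re-detect any IT roles the remaining entitlements still satisfy.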

Thank you for sharing the script.

@sunilasm Did it work?

I am testing in LE; will confirm once I complete the testing.

Sure, let me know. Thanks