Remove entitlements from identity links

I am trying to remove identities that are not assigned to any roles, since we only have the getAssignedRoles() method to grab and remove entitlements from an identity.

Here I am using the identity links' getEntitlements() in order to grab entitlements which are not assigned to any role, but the issue is how I remove the entitlements only from the links, because when I terminate the links, the whole identity links are getting deleted, while I just want the entitlements to be removed.

String identityName = "XYZ123";
Identity identity = context.getObjectByName(Identity.class, identityName);

List linksWithEntitlementsToRemove = new ArrayList();
int entitlementCount = 0;

List accountLinks = identity.getLinks();

if (accountLinks != null) {
    for (Link accountLink : accountLinks) {
        try {
            
            List linkEntitlements = accountLink.getEntitlements(Locale.getDefault(), "");
            
            if (linkEntitlements != null && !linkEntitlements.isEmpty()) {
                entitlementCount += linkEntitlements.size();
                logger.debug("Found " + linkEntitlements.size() + " entitlements for account: " + accountLink.getNativeIdentity());
                
               
                linksWithEntitlementsToRemove.add(accountLink.getId());
                logger.debug("Added link with entitlements to removal list: " + accountLink.getApplicationName() + " - " + accountLink.getNativeIdentity());
                
                for (Entitlement entitlement : linkEntitlements) {
                    logger.debug("Entitlement: " + entitlement.getAttributeName() + "=" + entitlement.getAttributeValue());
                }
            } else {
                logger.debug("No entitlements found for account: " + accountLink.getNativeIdentity() + " - skipping deletion");
            }
            
        } catch (Exception e) {
            logger.error("Error processing account link: " + accountLink.getNativeIdentity() + ", Error: " + e.getMessage());
        }
    }
}

Terminator terminator = new Terminator(context);
int linksDeleted = 0;

for (String linkId : linksWithEntitlementsToRemove) {
    try {
        Link linkToDelete = context.getObjectById(Link.class, linkId);
        if (linkToDelete != null) {
            logger.debug("Deleting link with entitlements: " + linkToDelete.getApplicationName() + " - " + linkToDelete.getNativeIdentity());
            terminator.deleteObject(linkToDelete);
            linksDeleted++;
        }
    } catch (Exception e) {
        logger.error("Failed to delete link with ID: " + linkId + ", Error: " + e.getMessage());
    }
}


context.commitTransaction();

Hi @autorun6464,

To remove additional entitlements (Entitlements not assigned through a business role) from an identity, you can use the following code.

Identity identity = context.getObjectByName(Identity.class, identityName);
ProvisioningPlan plan = new ProvisioningPlan();
List exceptions = identity.getExceptions();
if (exceptions != null @and exceptions.size() > 0) {
    for (EntitlementGroup entGroup : exceptions) {
        AccountRequest acctReq = new AccountRequest(AccountRequest.Operation.Modify, entGroup.getApplicationName(), null, entGroup.getNativeIdentity());

        for (String attribute : entGroup.getAttributeNames()) {
            AttributeRequest attReq = new AttributeRequest(attribute, ProvisioningPlan.Operation.Remove, entGroup.getAttributes().get(attribute));
            acctReq.add(attReq);
        }
        plan.add(acctReq);
    }
}
Provisioner provisioner = new Provisioner(context);
provisioner.execute(plan);

No, it says missing identity, even though I rechecked multiple times that I'm passing the right identityName.

   An unexpected error occurred: java.lang.Exception: sailpoint.tools.GeneralException: The application script threw an exception: sailpoint.tools.GeneralException: Missing identity BSF info: Remove-Entitlement at line: 0 column: columnNo

Hi @autorun6464,

Add the below line of code and check:

plan.setIdentity(identity);

Updated code

Identity identity = context.getObjectByName(Identity.class, identityName);
ProvisioningPlan plan = new ProvisioningPlan();
List exceptions = identity.getExceptions();
if (exceptions != null @and exceptions.size() > 0) {
    for (EntitlementGroup entGroup : exceptions) {
        AccountRequest acctReq = new AccountRequest(AccountRequest.Operation.Modify, entGroup.getApplicationName(), null, entGroup.getNativeIdentity());

        for (String attribute : entGroup.getAttributeNames()) {
            AttributeRequest attReq = new AttributeRequest(attribute, ProvisioningPlan.Operation.Remove, entGroup.getAttributes().get(attribute));
            acctReq.add(attReq);
        }
        plan.add(acctReq);
    }
}
plan.setIdentity(identity);
Provisioner provisioner = new Provisioner(context);
provisioner.execute(plan);

It did get executed, but the entitlements are still there. They didn't get removed.

logs

2025-08-22 14:35:18,810 DEBUG Logger:166 - ENTRY : Inside Disable Identity Step for:
2025-08-22 14:35:18,812 DEBUG Logger:166 - Entitlements found of identityt

I am actually only seeing entitlements in the logs from the identity links' entitlements, but I am getting null from the identity exceptions.

Is there a way to remove link entitlements? All I can find is that I can delete links, but I want to remove entitlements from links.

Identity identity = context.getObjectByName(Identity.class, identityName);

List accountLinks = identity.getLinks();

if (accountLinks != null) {
    for (Link accountLink : accountLinks) {
        List linkEntitlements = accountLink.getEntitlements(Locale.getDefault(), "");
        logger.debug("link entitlements found  " + linkEntitlements);
    }
}

ProvisioningPlan plan = new ProvisioningPlan();

List exceptions = identity.getExceptions();
logger.debug(" Exception Entitlements found " + exceptions);

logs:

2025-08-22 15:12:03,379 DEBUG LoggerRules:166 - ENTRY : Inside Disable Identity Step for:

2025-08-22 15:12:03,410 DEBUG LoggerRules:166 - link entitlements found [sailpoint.object.Entitlement@88617bd8]
2025-08-22 15:12:03,419 DEBUG LoggerRules:166 - link entitlements found [sailpoint.object.Entitlement@e53bc963]

2025-08-22 15:12:03,422 DEBUG LoggerRules:166 - Exception Entitlements found

Hi @autorun6464

Looks like these are sticky entitlements.

Please follow the steps mentioned in this article - https://developer.sailpoint.com/discuss/t/resolving-sticky-entitlements-common-causes-and-solutions/96383
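
The provisioning-plan approach from the earlier reply, driven from the link entitlements that the asker's logs do show rather than from identity.getExceptions(), as an added example that is not code from any poster in this thread. It assumes the usual rule variables `context`, `logger` and `identityName`, and that every entitlement on each link should be removed; the Modify request leaves the account and its Link in place.

```java
import java.util.List;
import java.util.Locale;
import sailpoint.api.Provisioner;
import sailpoint.object.Entitlement;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.GeneralException;

// Assumed rule variables: context (SailPointContext), logger, identityName.
Identity identity = context.getObjectByName(Identity.class, identityName);
if (identity == null) {
    throw new GeneralException("Identity not found: " + identityName);
}

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);   // omitting this produced "Missing identity" earlier in the thread
int requested = 0;

List links = identity.getLinks();
if (links != null) {
    for (Link link : links) {
        List ents = link.getEntitlements(Locale.getDefault(), "");
        if (ents == null || ents.isEmpty()) {
            continue;   // no entitlements on this account; leave it untouched
        }
        // Modify keeps the account and its Link; only attribute values are removed.
        AccountRequest acctReq = new AccountRequest(AccountRequest.Operation.Modify,
                link.getApplicationName(), null, link.getNativeIdentity());
        for (Entitlement ent : ents) {
            acctReq.add(new AttributeRequest(ent.getAttributeName(),
                    ProvisioningPlan.Operation.Remove, ent.getAttributeValue()));
            requested++;
        }
        plan.add(acctReq);
    }
}

if (requested > 0) {
    logger.debug("Removal plan: " + plan.toXml());   // review what will be sent
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
} else {
    logger.debug("No link entitlements found for " + identityName);
}
```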
