Remove privileged entitlements from the links while disabling users in IIQ

Which IIQ version are you inquiring about?

8.4 p2

Hi Team

We have a requirement to also remove entitlements from the user's accounts during the disable lifecycle.

Currently, the disabler workflow disables the identity cube and all the links associated with the identity. What is the best approach to also remove entitlements from the users if the entitlements are privileged?

Is there any API call like getEntitlements() to read all the entitlements of the user?

Thanks

Divya M

Hi @DivyaSubha

There is no direct identity.getEntitlements() API that aggregates all entitlements across applications in one call. Entitlements are account-scoped (Link level), so you must iterate through links.

Use IdentityEntitlement, since it represents correlated entitlements at the identity level. From there, we can filter privileged/elevated entitlements and add Remove operations to the existing Disable provisioning plan.

// Assumes the rule runs inside the disable workflow with `context`,
// `identity` and `plan` (the Disable ProvisioningPlan) in scope.
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.QueryOptions;

QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("identity", identity));

// One IdentityEntitlement row per correlated entitlement value (account-scoped)
List entList = context.getObjects(IdentityEntitlement.class, qo);

for (IdentityEntitlement ie : entList) {

    // Role rows (assignedRoles/detectedRoles) carry no application; skip them
    if (ie.getAppName() == null) {
        continue;
    }

    // Look the ManagedAttribute up by application, attribute and value so the
    // same value under a different attribute or application is not matched
    QueryOptions mao = new QueryOptions();
    mao.addFilter(Filter.eq("application.name", ie.getAppName()));
    mao.addFilter(Filter.eq("attribute", ie.getName()));
    mao.addFilter(Filter.eq("value", ie.getValue()));

    List maList = context.getObjects(ManagedAttribute.class, mao);
    ManagedAttribute ma =
        (maList == null || maList.isEmpty()) ? null : (ManagedAttribute) maList.get(0);

    if (ma != null && Boolean.TRUE.equals(ma.isIiqElevatedAccess())) {

        // Get the existing AccountRequest created by the Disable workflow for this account
        ProvisioningPlan.AccountRequest accReq =
            plan.getAccountRequest(
                ie.getAppName(),
                ie.getInstance(),
                ie.getNativeIdentity()
            );

        if (accReq == null) {
            // No request for this account yet: add a Modify request for it
            accReq = new ProvisioningPlan.AccountRequest();
            accReq.setApplication(ie.getAppName());
            accReq.setInstance(ie.getInstance());
            accReq.setNativeIdentity(ie.getNativeIdentity());
            accReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
            plan.add(accReq);
        }

        ProvisioningPlan.AttributeRequest attrReq =
            new ProvisioningPlan.AttributeRequest(
                ie.getName(),
                ProvisioningPlan.Operation.Remove,
                ie.getValue()
            );

        accReq.add(attrReq);
    }
}

@DivyaSubha There is no getEntitlements API available. The right way is to get it from IdentityEntitlement, which stores all the metadata required for entitlement removal: entitlement attribute, value, application id, identity id and account native identity. You can use these attributes to create a plan to remove entitlements.

Note: Found a fix? Help the community by marking the comment as the solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation, or message me directly if your problem requires a deeper dive.

Hi Divya,

The easiest fix would be creating a rule and referencing that rule in your workflow. The rule basically checks whether the user has any privileged entitlement. Use the value returned from the rule in your leaver workflow: if the user has any privileged entitlement, transition to the removal step; otherwise proceed with the other workflow steps.

doesn’t this option work for you if you have a privileged app for privileged entitlements?
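Putting the two suggestions above together (the IdentityEntitlement lookup plus removal plan from saiprashanth88, and the "rule that tells the leaver workflow whether to branch" idea), here is an added example rule body. It is not code from the thread or from SailPoint; it is written for a workflow Rule step in IIQ 8.x and assumes the variables `context` (SailPointContext), `identity` (Identity) and `plan` (the Disable ProvisioningPlan, possibly null) are in scope. The method names `isPrivileged`, `findPrivilegedEntitlements`, `findModifyRequest` and `buildRemovalPlan` are this example's own. The privileged check reads the ManagedAttribute's Elevated Access flag via the same accessor used in the answer above; if your tenant marks privileged access differently (a classification, an application list), swap the body of `isPrivileged`.

```java
// Added example (not code from the thread): BeanShell/Java rule body for IIQ 8.x.
// Assumed in scope, as in a leaver/disable workflow Rule step: `context`
// (SailPointContext), `identity` (Identity) and `plan` (ProvisioningPlan, may be null).
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.QueryOptions;

// Privilege test for one correlated entitlement. The ManagedAttribute is looked
// up by application + attribute + value (all three, so a value such as
// "Administrators" under another attribute or application is not matched) and
// its Elevated Access flag is read. Replace the body if your tenant marks
// privileged access another way.
boolean isPrivileged(SailPointContext context, IdentityEntitlement ie) throws Exception {
    if (ie.getApplication() == null) {
        return false;   // role rows (assignedRoles/detectedRoles) have no application
    }
    Filter f = Filter.and(
        Filter.eq("application", ie.getApplication()),
        Filter.eq("attribute", ie.getName()),
        Filter.eq("value", ie.getValue()));
    ManagedAttribute ma = context.getUniqueObject(ManagedAttribute.class, f);
    return ma != null && Boolean.TRUE.equals(ma.isIiqElevatedAccess());
}

// All privileged IdentityEntitlement rows for the identity. A workflow step can
// branch on this list being empty instead of building a plan.
List findPrivilegedEntitlements(SailPointContext context, Identity identity) throws Exception {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("identity", identity));
    List result = new ArrayList();
    List ents = context.getObjects(IdentityEntitlement.class, qo);
    if (ents != null) {
        for (IdentityEntitlement ie : ents) {
            if (isPrivileged(context, ie)) {
                result.add(ie);
            }
        }
    }
    return result;
}

// Returns the Modify AccountRequest already in the plan for this account, if any.
ProvisioningPlan.AccountRequest findModifyRequest(ProvisioningPlan plan, String app,
                                                  String instance, String nativeId) {
    List reqs = plan.getAccountRequests();
    if (reqs != null) {
        for (ProvisioningPlan.AccountRequest ar : reqs) {
            if (ar.getOperation() == ProvisioningPlan.AccountRequest.Operation.Modify
                    && app.equals(ar.getApplication())
                    && nativeId.equals(ar.getNativeIdentity())
                    && (instance == null ? ar.getInstance() == null : instance.equals(ar.getInstance()))) {
                return ar;
            }
        }
    }
    return null;
}

// Adds one Remove AttributeRequest per privileged entitlement. Removals go on a
// Modify request for the account (reusing one if present) rather than onto the
// Disable request, so the result does not depend on how a given connector
// treats attribute changes carried inside a Disable operation.
ProvisioningPlan buildRemovalPlan(SailPointContext context, Identity identity,
                                  ProvisioningPlan plan) throws Exception {
    if (plan == null) {
        plan = new ProvisioningPlan();
        plan.setIdentity(identity);
    }
    for (IdentityEntitlement ie : findPrivilegedEntitlements(context, identity)) {
        String app = ie.getApplication().getName();
        ProvisioningPlan.AccountRequest acct =
            findModifyRequest(plan, app, ie.getInstance(), ie.getNativeIdentity());
        if (acct == null) {
            acct = new ProvisioningPlan.AccountRequest();
            acct.setApplication(app);
            acct.setInstance(ie.getInstance());
            acct.setNativeIdentity(ie.getNativeIdentity());
            acct.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
            plan.add(acct);
        }
        acct.add(new ProvisioningPlan.AttributeRequest(
            ie.getName(), ProvisioningPlan.Operation.Remove, ie.getValue()));
    }
    return plan;
}

// Rule result: the plan with removals added, to be handed to the workflow's
// provisioning step as usual.
return buildRemovalPlan(context, identity, plan);
```

For the branching variant, a second Rule step can simply `return !findPrivilegedEntitlements(context, identity).isEmpty();` and the workflow transitions on that boolean. One caveat worth checking before blaming the query: IdentityEntitlement rows are written by aggregation and identity refresh, so an identity whose links were never refreshed after correlation can have entitlement values on its Links while this table returns nothing for it.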

Hi @saiprashanth88 I tried to use above code. “entList” is always empty even though the user is having entitlements. Any idea?

@DivyaSubha Could you please share your code for review?

Hi @DivyaSubha could you please share your code?
Also, try adding logs and verify whether the identity is present or not.

Please see the code and logs in the attached image.


  QueryOptions qo = new QueryOptions();
  qo.addFilter(Filter.eq("name", "A018627"));
  custLog.error("QO filter is " +qo);
  
  
  List userList = context.getObjects(Identity.class, qo);
  custLog.error("Userlist is " +userList.size());

   List entList = context.getObjects(IdentityEntitlement.class, qo);
   custLog.error("Entlist is " +entList.size());

Hi @DivyaSubha ,

You have to modify the below line:

QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("name", "A018627")); // modify this line to identity.name
custLog.error("QO filter is " + qo);


QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("identity.name", "A018627")); // to get the entitlements of 'A018627'
// qo.addFilter(Filter.eq("value", "entitlementname")); // you can add a filter to get the privileged entitlements

custLog.error("QO filter is " + qo);

Iterator iterator = context.search(IdentityEntitlement.class, qo);
 

Hi @DivyaSubha
As mentioned by Simhadri, you can modify the filter to “identity.name” as you are passing the name. Or else you can pass the identity object.

String identityName = "A018627";
Identity identity = context.getObjectByName(Identity.class, identityName);

QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("identity", identity));

@DivyaSubha Try out this rule and make necessary adjustments to filters as per your requirements:

public List testIdentityEntitlement() {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("identity.name", "Betty.Young"));
    qo.addFilter(Filter.eq("application.name", "PRISM"));
    log.error("QO filter is " + qo);

    List entList = new ArrayList();
    // Projection search: returns only the "value" column instead of full objects
    Iterator entItr = context.search(IdentityEntitlement.class, qo, "value");
    while (entItr.hasNext()) {
        Object[] dataArr = entItr.next();
        entList.add(dataArr[0]);
    }
    return entList;
}

return testIdentityEntitlement();