Removing account request with beforeProvisioningRule

Hello,

I would like to know if we can restrict provisioning on a direct source as follows:

  • Provision specific groups to all profiles.
  • Create and sync attributes only for a specific identity profile.

I started to test the following beforeProvisioningRule to remove the request if the identityAttribute doesn’t equal “ResGroup”. However, this doesn’t work.

import sailpoint.object.*;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.Operation;

    List accountRequests = plan.getAccountRequests();
    if (accountRequests.isEmpty() ){
        throw new Exception("Account Request empty");
    }
 
    Identity identity = plan.getIdentity();
    String identityAttribute= identity.getAttribute("identityAttribute");
    String TYPE_USER = "ResGroup";

    if (accountRequests != null) {
        if (!identityAttribute.equals(TYPE_USER)){
            for (AccountRequest accountRequest : accountRequests) {
                accountRequest.remove(new AttributeRequest());
            }
        } 
    }

Any mistake in the rule? Can this be achieved with a rule?

Any help would be greatly appreciated.

Thanks

import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

List accountRequests = plan.getAccountRequests();
if (accountRequests == null || accountRequests.isEmpty()) {
    return; // Nothing to process
}

Identity identity = plan.getIdentity();
if (identity == null) {
    return;
}

String identityAttribute = String.valueOf(identity.getAttribute("identityAttribute")); // cast safely
String TYPE_USER = "ResGroup";

if (!TYPE_USER.equals(identityAttribute)) {
    for (AccountRequest accountRequest : accountRequests) {
        List<AttributeRequest> attrs = accountRequest.getAttributeRequests();
        if (attrs != null && !attrs.isEmpty()) {
            Iterator<AttributeRequest> iter = attrs.iterator();
            while (iter.hasNext()) {
                AttributeRequest attrReq = iter.next();
                
                // Example: Skip group-related attributes like "memberOf"
                if (!"memberOf".equalsIgnoreCase(attrReq.getName())) {
                    iter.remove(); // Remove all non-group attributes
                }
            }
        }
    }
}

@uditsahntl01 Thank you very much.