I hope someone had the next use case with the IIQ and can help me with the next question.
We want to use the following workflow in our environment for the Mover Lifecycle Event: 1. After the event is triggered, all user roles should be removed → 2. All user entitlements should be removed → 3. The new entitlements should be added based on the Joiner process and the mapping rules in the roles.
There is no problem with steps 1 and 3, but I don’t know how to remove all of the user’s permissions.
I’ve tried the following code, based on the snippet from the Compass community, and there are no errors, it just does nothing
Identity identity = context.getObjectByName(Identity.class, identityName);
List links = identity.getLinks();
for (Link link : links)
{
String idName=link.getNativeIdentity();
String appname=link.getApplicationName();
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);
plan.setNativeIdentity(idName);
AccountRequest accountRequest = new AccountRequest();
accountRequest.setApplication(appname);
accountRequest.setOperation(AccountRequest.Operation.Modify);
Filter filter1 = Filter.eq("application.name",appname);
Filter filter2 = Filter.eq("identity.name", idName);
Filter filter = Filter.and(filter1, filter2);
QueryOptions qo = new QueryOptions();
qo.addFilter(filter);
Iterator it = context.search(IdentityEntitlement.class, qo);
if (it.hasNext()) {
while (it.hasNext()) {
IdentityEntitlement idEntitlement = it.next();
if (accountRequest.getNativeIdentity() == null) {
}
accountRequest.add(new AttributeRequest(idEntitlement.getName(), ProvisioningPlan.Operation.Remove, idEntitlement.getValue()));
}
}
plan.add(accountRequest);
String assigner="spadmin";
// Fire off the plan to the Provisioner to execute:
Provisioner provisioner = new Provisioner(context);
provisioner.setAssigner(idName); // String of Identity making the change.
provisioner.compile(plan);
provisioner.execute();
}
So if anyone has had the same problem, or knows how to deal with it, I’d love to hear from you.
When roles are removed, the associated entitlements are also removed from the user. However, if the “Retain assigned entitlements when roles are removed” option is enabled, the entitlements will not be removed.
Please check this option. Gear Icon —> Global Settings —> IdentityIQ Settings —> Roles tab.
This option is enabled and all the entitlements that are associated with the assigned roles are removed on the 1st step. The problem is that on the 2nd step we want to remove all of the detected roles and as I’ve read on the community dicussions the only way to remove them is to revoke the entitlement.
I’ll try to add the native identity to the account request, thanks.
I added the accountRequest.setNativeIdentity(idName); as Arun suggested, but it didn’t help.
I’ve also added the plan.toXml() for logging. But after the "Provisioning Plan XML: " there is not much I can understand. As I see there are 4 different plans for some of the connected applications.
I’ve changed some of the data to “*****” and some of it is corrupted because of using the cyrrylic symbols.
I noticed that the ‘attribute requests’ are not present inside the account requests. Could you please confirm if the iteration is occurring and whether the outgoing plan includes the attribute request? Perhaps you can add loggers inside while loop and check.
