Removing Attribute Request from Cloud Before Provisioning Rule

Hello,

I have a requirement: if the Identity Attribute type is “ABC”, then restrict role assignment by provisioning/deprovisioning roles.

I’m using a cloud-based Before Provisioning rule to remove the attribute request from the plan so that the role or access won’t be added or removed. Below is the reference code.

List accountRequests = plan.getAccountRequests();
for (AccountRequest accountRequest : accountRequests) {
    if (accountRequest.getOperation().toString().equals("Modify")) {
        log.error("Modify Operation Started");
        if (accountRequest.getAttributeRequests() != null) {
            AttributeRequest oGAttrReq = accountRequest.getAttributeRequest("orgGroup");
            if (type != null && type.equalsIgnoreCase("ABC")) {
                accountRequest.remove(oGAttrReq);
                continue;
            }
        }
    }
}

The above logic is not working when an Identity satisfies the role criteria. Please assist me if there is anything wrong here.

Hey Deepak, the issue here is that this is being handled too late in the flow.

A Before Provisioning rule edits the provisioning plan before it goes to the source, but it does not stop the identity from qualifying for the automated role. If the identity still meets the role criteria, ISC will keep treating that role as assigned and can regenerate the provisioning on the next identity processing run. So even if the rule removes the attribute request today, it may come back tomorrow.

The cleaner fix would be to add the exclusion condition directly to the role assignment criteria:

Identity Attribute: type   Does Not Equal   ABC

Then run Apply Changes or let identity processing recalculate. That is the right control point for blocking automated role assignment rather than trying to intercept it mid-provisioning. More on that here.

That said, there are also a few issues in the rule itself worth fixing:

  1. identity is not a direct context variable in a cloud Before Provisioning rule. You would need to pull it from the plan instead. (ref)

  2. orgAttrReq is declared but oGAttrReq is passed to remove(); looks like a typo there.

  3. orgAttrReq should be null-checked before removing, since orgGroup may not be present in every plan that comes through.

If you still want to keep the rule as a last-mile guardrail alongside the criteria fix, something like this should work:

import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// identity is not a direct context variable here, so pull it from the plan
Identity identity = plan.getIdentity();
String type = identity != null ? (String) identity.getAttribute("yourAttributeName") : null;

List accountRequests = plan.getAccountRequests();

// Only touch the plan when the identity's type is ABC
if (accountRequests != null && "ABC".equalsIgnoreCase(type)) {
    for (AccountRequest accountRequest : accountRequests) {
        if (accountRequest != null &&
            accountRequest.getOperation() != null &&
            "Modify".equalsIgnoreCase(accountRequest.getOperation().toString())) {

            // orgGroup may not be present in every plan, so null-check before removing
            AttributeRequest orgAttrReq = accountRequest.getAttributeRequest("orgGroup");

            if (orgAttrReq != null) {
                accountRequest.remove(orgAttrReq);
            }
        }
    }
}

Replace "yourAttributeName" with the actual identity attribute name for your type field.
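To make the control-point argument above concrete, here is an added toy simulation; it is not code from this thread or from ISC. It models the behaviour described in the reply (an assigned role whose entitlement is missing regenerates its plan on every identity-processing run) in simplified form, and the identity, criteria and entitlement names are constructed.

```python
# Simplified model of the behaviour described above, not ISC internals.
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str
    attrs: dict
    entitlements: set = field(default_factory=set)

def role_matches(identity, exclude_abc):
    """Role criteria: department == Finance, and with the fix also type != ABC."""
    if identity.attrs.get("department") != "Finance":
        return False
    return not (exclude_abc and identity.attrs.get("type", "").upper() == "ABC")

def build_plan(identity, exclude_abc):
    """Identity processing: role assigned but entitlement missing -> Modify plan (regenerated each run)."""
    if role_matches(identity, exclude_abc) and "orgGroup:finance" not in identity.entitlements:
        return {"op": "Modify", "attributeRequests": [{"name": "orgGroup", "value": "finance"}]}
    return None

def before_provisioning_rule(identity, plan):
    """The thread's Before Provisioning rule: strip the orgGroup request when type is ABC."""
    if plan and identity.attrs.get("type", "").upper() == "ABC":
        plan["attributeRequests"] = [a for a in plan["attributeRequests"] if a["name"] != "orgGroup"]
    return plan

def simulate(identity, runs, exclude_abc, use_rule):
    """Return, per identity-processing run, how many orgGroup requests were generated."""
    generated = []
    for _ in range(runs):
        plan = build_plan(identity, exclude_abc)
        generated.append(len(plan["attributeRequests"]) if plan else 0)
        if use_rule:
            plan = before_provisioning_rule(identity, plan)
        for a in (plan["attributeRequests"] if plan else []):
            identity.entitlements.add(f"{a['name']}:{a['value']}")  # source applies the request
    return generated

def compare(runs=3):
    """A type=ABC identity who otherwise meets the criteria, under three setups."""
    fresh = lambda: Identity("user-123", {"department": "Finance", "type": "ABC"})  # constructed
    return {
        "no_control": simulate(fresh(), runs, exclude_abc=False, use_rule=False),
        "rule_only": simulate(fresh(), runs, exclude_abc=False, use_rule=True),
        "criteria_fix": simulate(fresh(), runs, exclude_abc=True, use_rule=False),
    }

if __name__ == "__main__":
    print(compare())  # no_control [1,0,0], rule_only [1,1,1], criteria_fix [0,0,0]
```

With the rule alone the orgGroup request is generated again on every run, because the role is still assigned; with the criteria exclusion it is never generated at all.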

Hi @vemadeepak ,

Is this applicable only for the “Modify” account operation, or for the Create operation also?

Please make sure Attribute name is “orgGroup”.

Code is not checking the null condition specifically for the “orgGroup” attribute request.

Code is trying to remove “oGAttrReq”, but the attribute request variable name is “orgAttrReq”.

Thank you for your response. Since this is just reference code, I made some changes to the original code before pasting it here.

And code is working as expected without having any issues. I was checking the results in a wrong way.