Requestable Role - Attribute not getting removed on remove bundle request

I have created a requestable bundle that has a provisioning form and provisions an attribute in an application.

The value rule of this attribute is:

  • If US Person, then “US”
  • Else “Non-US”

When I add the role, the role and attribute are added correctly. However, when I remove the role, only the role is getting removed and not the attribute. What could be the issue?

Hi @ambuj96,

When you use a prov form you are sending some info to the target system. For an application you can configure a form for each operation, but for the role you need to manage this part manually.

You can do that in the before prov. rule or using a FieldValue rule on the prov. form on the role.

Hi @ambuj96,

Yes, you are right. When you remove a role, or it is removed by SailPoint, the values you are provisioning won't be removed. It will simply be removed from the plan. So you have to handle it explicitly using a before provisioning rule, which means you have to check the attribute request and, if it is a role remove request, add remove requests for those attributes to the plan, so that the plan will remove those attributes in the target application.


I had a similar use case. I handled it as described below. Please find the code and procedure for the solution in the link below.
How do I set an attribute's value for the LDAP connector application at the time of account creation? - #12 by bhanuprakashkuruva

Hi @bhanuprakashkuruva and @enistri_devo
Thanks for your valuable suggestion. One quick thing: I tried to remove the role, but the flow did not revert to the provisioning rule before the role was removed directly. How can I remove the attribute in case of role removal then?

Plan for your reference

<ProvisioningPlan targetIntegration="IIQ" >
  <AccountRequest application="IIQ" op="Modify" targetIntegration="IIQ">
    <Attributes>
      <Map>
        <entry key="attachmentConfigList"/>
        <entry key="attachments"/>
        <entry key="flow" value="AccessRequest"/>
        <entry key="id" value=""/>
        <entry key="interface" value="LCM"/>
        <entry key="operation" value="RoleRemove"/>
        <entry key="provisioningTransactionId" value=""/>
      </Map>
    </Attributes>
    <AttributeRequest assignmentId="" name="assignedRoles" op="Remove" value="Test attribute Role">
      <Attributes>
        <Map>
          <entry key="comments" value="Test"/>
          <entry key="deassignEntitlements">
            <value>
              <Boolean>true</Boolean>
            </value>
          </entry>
        </Map>
      </Attributes>
    </AttributeRequest>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="flow" value="AccessRequest"/>
      <entry key="identityRequestId" value=""/>
      <entry key="launcher" value=""/>
      <entry key="requestType" value="CART REQUEST FEATURE"/>
      <entry key="requester" value=""/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
</ProvisioningPlan>

You mean that, while removing the role, it's not coming to the before provisioning rule?
If that is the case, then you must select the application in the details tab of the role-based provisioning policy form in the role. Only then, while doing any operation on the role, will it go to the provisioning rules of the application.

@bhanuprakashkuruva

The application is selected in the role provisioning policy. Still, control did not move to the before provisioning rule of the application.

No, it will definitely come. We just have to run the refresh task with the provision assignment option enabled along with the refresh assigned and detected roles option. Could you please add log statements and check one more time, and see in the logs how it is executing?