Retaining Roles for the users even if the Assignment Criteria isn't satisfied

Hi Experts

I have a scenario where, for one particular case, I don't want Role membership to be removed from the users even if the assignment criteria isn't satisfied. We have around 6k roles, so apart from updating the role assignment condition, is there any better approach to do this?

Note - As I said, this is only under a particular scenario, so in other cases my Role removal should still work.

Hi @sathishiam

Welcome to SailPoint Developer Community.

I was thinking about this requirement, and I don't think there is a straight answer for this.

You can apply some magic here.

I believe you are referring to Business Roles here with assignment logic.

In the assignment logic, along with your criteria, add an OR condition: if the user already has this Role, return true. As long as the assignment evaluates to true, the Role will not be removed.

Cheers
Krish

2 Likes

@MVKR7T

Thanks a lot for the response. Yes, as mentioned in my post, I have this as a last option, because my existing conditions on roles are not straightforward: there are multiple attribute conditions, filters, rules etc. on these roles, and I would have to update the "do not remove" condition accordingly for each role, because that condition is again based on the existing conditions plus a new attribute.

So instead of that, I am looking to see if any other option is available; if no option seems available, I may end up with this one.

Trust me, this is the best approach, as it needs less/no coding and has no impact on other implementations.

The alternative is that you can manipulate the plan, either in the Before Provisioning Rule of all the applications or in LCM Provisioning.

  • Maintain all the Roles which you need to retain in a custom object
  • If it is a lot of Roles, then at least you should have some Role contains/startsWith pattern
  • In your LCM Provisioning, check if any of these Roles are in the plan with a remove operation, and then remove them from the plan.

OOTB approach

  • When does this Assignment Rule in the Business Role execute? When the Refresh Task is executed with the option Refresh Assigned and Detected Roles
  • You could disable this option in your OOTB refresh task, but it will impact other Business Roles
  • You need to do some research here to see if there is any possibility

You can filter which Identities should be refreshed, but not which Roles. It is not a Refresh Role task, right?

Cheers
Krish
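A sketch of the plan-manipulation alternative described in the post above, as an added example (not code from Krish's post or from SailPoint): BeanShell-compatible Java for an IdentityIQ Before Provisioning rule or an LCM Provisioning workflow step. It assumes a Custom object named "RetainedRolesConfig" (hypothetical) holding the lists "exactNames" and "prefixes", and a boolean "retainScenario" that the caller sets only for the lifecycle event in question; ProvisioningPlan, AccountRequest, AttributeRequest and Custom are the product's own classes, everything else is hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.object.Custom;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.GeneralException;

// True if the role is listed in the (hypothetical) Custom object, by exact name or prefix.
public static boolean isRetained(Custom cfg, String roleName) {
    if (cfg == null || roleName == null) return false;
    List exact = (List) cfg.get("exactNames");
    List prefixes = (List) cfg.get("prefixes");
    if (exact != null && exact.contains(roleName)) return true;
    if (prefixes != null) for (Object p : prefixes) if (roleName.startsWith((String) p)) return true;
    return false;
}

// Drops Remove operations on IIQ assignedRoles for retained roles, only when retainScenario is set.
public static ProvisioningPlan stripRetainedRoleRemovals(SailPointContext context,
        ProvisioningPlan plan, boolean retainScenario) throws GeneralException {
    if (!retainScenario || plan == null || plan.getAccountRequests() == null) return plan;
    Custom cfg = context.getObjectByName(Custom.class, "RetainedRolesConfig"); // hypothetical name
    for (Object o : plan.getAccountRequests()) {
        AccountRequest acct = (AccountRequest) o;
        if (!ProvisioningPlan.APP_IIQ.equals(acct.getApplication())
                || acct.getAttributeRequests() == null) continue;
        List kept = new ArrayList();
        for (Object a : acct.getAttributeRequests()) {
            AttributeRequest req = (AttributeRequest) a;
            if (!ProvisioningPlan.Operation.Remove.equals(req.getOperation())
                    || !ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES.equals(req.getName())) {
                kept.add(req); continue;   // not a role removal, leave it alone
            }
            // The value may be a single role name or a list of names.
            List names = new ArrayList();
            if (req.getValue() instanceof List) names.addAll((List) req.getValue());
            else if (req.getValue() != null) names.add(req.getValue());
            List remaining = new ArrayList();
            for (Object n : names) if (!isRetained(cfg, (String) n)) remaining.add(n);
            if (remaining.isEmpty()) continue;  // every role in this request is retained: drop it
            req.setValue(remaining.size() == 1 ? remaining.get(0) : remaining);
            kept.add(req);
        }
        acct.setAttributeRequests(kept);
    }
    return plan;
}
```

In all other cases the plan passes through untouched, so normal role removal keeps working, which is the behaviour the original post asks for.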

Hi @sathishiam
I might have a way to achieve this, but I am not sure how helpful it would be for you.

  1. Create a role attribute “conditionalProv” and select the type as “Rule”. You can write a rule to assign a default value for the attribute in each role.


  2. In the LCM provisioning workflow, use that attribute to decide whether to process role deprovisioning or not.

Thanks.

@soswain_resmed
Thanks for the response, but again my requirement here is to not remove the role only during a particular lifecycle event condition, and the role list is not a handy set of roles and doesn't have specific naming conventions to use; that's the challenge. Anyhow, thanks for the response, really appreciate it.

I think the big question is: what about this scenario/event is removing the role?
Are Identity attributes changing (is that the reason the role would get removed)?

If so, at what point do you want the dynamic assignment to start working again? What changes to re-enable that function?

If this is just a matter of 'during this particular refresh → perform maintenance, don't process role removals', then the simplest option would be to update the refresh task to remove the option 'Refresh assigned, detected roles and promote additional entitlements'.
