For JDBC Disable Operation, I would need to insert a new row with all the access values to be disabled into the respective columns in the database table. Can I have some input on how to retrieve the account attributes in JDBC Provision Connector Rule?
It seems that it will be a null value from the attribute request (attrReq) from account request for disabled operation, which is what we have tested in JDBC Provision Connector Rule:
For Disable operation, by default your entitlements are not part of the plan to be removed, you would see only an account request with Disable operation. Hence, your code is returning null. Since JDBC Provisioning rule is a connector rule, you might not have the identity data as well to get the required information. One workaround you can try is to get the user access information from the database and process them to be removed by inserting into the new table.
Thanks for the input. Let’s say we also have some other account attributes (copied from identity attribute and not entitlements) to be inserted in the row during the disable operation, is there a way to insert these account attributes to the account request for JDBC connector?
Or a way to retrieve account attributes, let’s say using a before provisioning rule?
You could leverage the Disable provisioning policy in this scenario. Add whatever attributes you require in the policy and they should be automatically added to your plan.
Thank you very much for the advice. We have updated the provisioning policy with DISABLED as the usageType via V3 API, however it seems that it is still inserting null, after double checking the accuracy of the spellings of the account and identity attributes and updating on the correct source. Is there any extra step that we might miss here?
I have included the example code and config we have done as follows to show a clearer picture.
We manage to only insert the native identity at the first column “id”, but null for the rest of the values (which we have added into the provisioning policy).
Just to confirm, do you mean that even the account attributes to be inserted in the DB table exists in the account schema, I will still need write a Before Provisioning Rule as follows to get the attribute retrieved from the identity, and add it to the Provision Plan using the attributes name specified in the JDBC source account schema?
We are trying to see all the possibilities since if it is possible to do via V3 API by updating the disable provisioning policy, then we would not write the cloud rule for review and deployment.
The code which I understand from your input is as follows:
if (op.equals(AccountRequest.Operation.Disable)) {
accountRequest.add(new AttributeRequest(
"account_attribute_a",
ProvisioningPlan.Operation.Set,
identity.getAttribute("identityAttrA"))
);
}
where account_attribute_a is the attribute name specified in the JDBC source account schema.
Do correct me if I understand wrongly, thank you very much!
Sorry I misread your earlier post and thought you wanted to update the DB table with values from identity attributes.
If what you want to insert are account attributes and they have been specified under “Create Profile” Policy, then they will be automatically included in the ProvPlan during “Create Account” Operation only. They will not be included in the ProvPlan in other cases (of course with the exception of “Update” operation where changed account attributes will be included provided they are assigned Identity Attributes in the ProvPolicy and checked to be included in Account Sync)
In your case, where account is being disabled, you may have to use Link object to get the specific account and get the necessary attributes to be added to the provision plan. This has to be done in Cloud rule as you cannot access Link in Connector rule (at least to my best knowledge). Once they are included in the ProvPlan you can read them in the Connector Rule using standard Account Request > Attribute Request > Attribute Value relationship, and then assign each of them to a variable and then use in your SQL query.
We have deployed the before provisioning rule and my team is currently doing testing on this. Will definitely update once it is tested, thank you very much for your advice!
Hi Nithesh,
Update from our findings, we try deployed the before provisioning rule using the Link object, it is working for those with account attributes which are already populated in the Create Account Policy, but null values for attributes that aren’t. For those cases, we handle it by retrieving directly from the identity attribute in the Before Provisioning Rule as suggested as well, and they are working fine now, thank you for the input!