Role Assignment Dates

Which IIQ version are you inquiring about?

Version 8.4

Please share any images or screenshots, if relevant.

Share all details related to your problem, including any error messages you may have received.

Hi and Hello,
I have a problem with my workflow (one step). My workflow is started by a lifecycle event, an attribute change. In one step it deletes old roles. I would like to add the possibility for the manager to choose the date when they should be deleted, not always at acceptance. To have this icon on the form I need to add some date in the code, and this could be a problem. I have the icon on the form and I see a change (the manager can change the date). After the workflow ends, on the identity I see only the previous date from the code, not the one from the form which the manager chose.
Maybe somebody can help with that?

I have included my step and screens.

Build Provisioning Plan

    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningProject;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    import sailpoint.object.Identity;
    import sailpoint.object.Bundle;
    import java.util.Date;
    import java.sql.Timestamp;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;

    import org.apache.log4j.Logger;

    Logger log = Logger.getLogger("iiq.development");
    log.debug("--------------------Step Build Provisioning Plan Mover Start--------------------------------");

    Identity identity = context.getObjectByName(Identity.class, identityName);
    log.debug("Start building a quota plan for an identity: " + identityName);

    ProvisioningPlan plan = new ProvisioningPlan();

    log.debug("Plan----------> " + plan.toXml());

    log.debug("Retrieving the list of roles to remove from the previous step");
    List foundRoles = (List) workflow.get("foundRoles");
    log.debug("Number of roles to remove: " + (foundRoles != null ? foundRoles.size() : "The role list is null."));

    if (foundRoles != null && !foundRoles.isEmpty()) {
        AccountRequest accRequest = new AccountRequest();
        Map attributes = accRequest.getArguments();
        if (attributes == null) {
            attributes = new HashMap();
        }
        // Dates are hard-coded here as epoch milliseconds
        accRequest.put("startDate", new Date(new Timestamp(1714428000000L).getTime()));
        accRequest.put("endDate", new Date(new Timestamp(1750000000000L).getTime()));

        for (String role : foundRoles) {
            AttributeRequest attr = new AttributeRequest("assignedRoles", ProvisioningPlan.Operation.Remove, role);
            attr.put("addDate", new Date(new Timestamp(1714428000000L).getTime()));
            attr.put("removeDate", new Date(new Timestamp(1750000000000L).getTime()));
            log.debug("Add role to remove: " + role);
            // Attach the role removal to the account request
            accRequest.add(attr);
        }
        // Attach the account request to the plan
        plan.add(accRequest);
    } else {
        log.debug("There are no roles to remove.");
    }

    log.debug("The assignment plan was built for " + identityName + ".");
    log.debug("Plan----------> " + plan.toXml());
    log.debug("--------------------Step Build Provisioning Plan Mover End--------------------------------");
    return plan;



Hi Adam,

There are a few posts on Compass for the same. For instance:
How to Update Sunset Date in a Task

It might be a better idea to look at: KOGIT Access Request Extension or contact @mike818148 for information on the plugin :slight_smile:

– Remold


Hello @AdamVentum,

Here is an example I used in my code to construct a ProvisioningPlan with start/end dates:

    ProvisioningPlan plan = new ProvisioningPlan();
    ProvisioningPlan.AccountRequest accReq = new ProvisioningPlan.AccountRequest(ProvisioningPlan.AccountRequest.Operation.Modify, ProvisioningPlan.APP_IIQ, null, null);
    AttributeRequest addAttReq = new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES, ProvisioningPlan.Operation.Add, roleName, ProvisioningPlan.ASSIGNMENT_ID_NEW);
    addAttReq.setAddDate(startDate);     // startDate and endDate are java.util.Date values (assumed variable names)
    addAttReq.setRemoveDate(endDate);

As you might have noticed, the start/end date is set on the AttributeRequest object by using the functions setAddDate() and setRemoveDate(), instead of on the AccountRequest.

In addition, the KOGIT Access Request Extension is a freeware plugin, which you can use to customize the Manage User Access GUI with additional checks (e.g. mandatory start/end dates, validating start/end dates). You can request it from my company, and you can also ask me questions on the community.

ps. Thanks @Remold for pointing me here :wink:
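
As an added example (not code from any poster in this thread): a Build Provisioning Plan step that takes the removal date from the form instead of a constant and sets it with setRemoveDate() on each AttributeRequest, as the answer above describes. It assumes the form's date field is returned into a workflow variable named `removalDate`; that name and the 30-day cap on deferral are hypothetical.

```java
import java.util.Date;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Body of a workflow step script (BeanShell); context, workflow and identityName
// are supplied by the workflow engine.
// Assumption: the form's date field is returned into the workflow variable "removalDate".
Object raw = workflow.get("removalDate");
Date removalDate = null;
if (raw instanceof Date) {
    removalDate = (Date) raw;
} else if (raw instanceof Number) {
    removalDate = new Date(((Number) raw).longValue());    // epoch milliseconds
}

// Hypothetical policy: removal of old roles may be deferred by at most 30 days.
long maxDeferMillis = 30L * 24 * 60 * 60 * 1000;
Date now = new Date();
if (removalDate != null) {
    if (!removalDate.after(now)) {
        removalDate = null;                                 // past or present date: remove immediately
    } else if (removalDate.getTime() - now.getTime() > maxDeferMillis) {
        removalDate = new Date(now.getTime() + maxDeferMillis);
    }
}

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(context.getObjectByName(Identity.class, identityName));

List foundRoles = (List) workflow.get("foundRoles");
if (foundRoles != null && !foundRoles.isEmpty()) {
    AccountRequest accReq = new AccountRequest(AccountRequest.Operation.Modify,
                                               ProvisioningPlan.APP_IIQ, null, identityName);
    for (Object role : foundRoles) {
        AttributeRequest attReq = new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
                                                       ProvisioningPlan.Operation.Remove, role);
        if (removalDate != null) {
            attReq.setRemoveDate(removalDate);              // date chosen on the form, after validation
        }
        accReq.add(attReq);
    }
    plan.add(accReq);
}
return plan;
```

When no usable date arrives from the form, the plan falls back to immediate removal, so a missing or past date never leaves the old roles assigned.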


Thank you @Remold and @mike818148. I will check this this week.



Hi and Hello,

Unfortunately, I was unable to add a date. So I changed my assumptions. I created a “Certification Event”. Just like the workflow, it is started by changing an attribute. In it, I created a rule for adding roles. With the certification, I took away my old authorizations and roles. I even added an Exclusion rule. All emails to managers about the start of certification, notifications and the end of the campaign have been sent. And most importantly, I can choose the date!
Somehow I didn’t use certification very often before, but now I know that quite a lot can be achieved in this topic. I will try to add a little more information to “IIQ show and tell” in some time :wink:

Thank you @Remold and @mike818148. Thanks to you, I explored the topic.