We are trying to get the role name which was revoked during certification. What we are trying to do is the role-based certification for an application. After revoking the role for an account/identity, the generated plan does not have any information on the role, except that the account request has the entitlements associated with the role.
Just to give a little more information on our use case:
We have an application integrated using the DelimitedFile connector. We have defined business roles and IT roles to enable role-based access requests for the given application. We have added an application entry to the IdentityIQ for ServiceNow service desk application to be able to generate the SNOW tickets on various transactions.
Now, when we perform the revoke action on the user’s business role during certification, we want to pass the role name as well in the ServiceNow ticket. However, the issue is that we do not get to see the role name in the provisioning plan that is received at the IdentityIQ for ServiceNow service desk application.
Please share if you have any pointer on how we can retrieve the role name which was revoked in the after-provisioning rule of the IdentityIQ for ServiceNow service desk application.
This sounds correct.
The Role only lives on the IIQ level and entitlements live in the target application. So when you revoke the role it is removed locally in IIQ and the only job left to do is to remove the entitlements from the target application, in your case using a SNOW ticket.
Did I misunderstand your setup?
Why do you need to know the Role name in SNOW to remove entitlements?
As @aleksander_jachowicz pointed out, this is expected behaviour in IIQ. When a business role is revoked during certification, IIQ breaks it down into its entitlements and includes only those in the provisioning plan sent to the target system or integration… Since roles are internal to IIQ, they don’t get passed directly to systems like SNow.
If your goal is to include the original role name in the ServiceNow ticket (for audit, traceability, or any business-specific reason), there’s a possible workaround using the PlanInitializerScript, which allows you to modify the provisioning plan before it’s sent.
Here’s one possible approach:
A. Capture the revoked role name using a CertificationPostProcessorRule, and temporarily store it in a custom storage/location… such as an identity attribute, Internal IIQ DB custom table, or even a custom object.
B. In the PlanInitializerScript (within the IdentityIQforServiceNowServiceDesk.xml), inject this value into the provisioning plan, for example in the “description” field or another custom field your ServiceNow team can handle and display.
This way, you should (theoretically) be able to pass the role context even though it’s not part of the default plan.
Just to clarify—I haven’t encountered this exact use case before, but we’ve made similar enhancements by adding a lot of info related to identity and group-related criteria to tickets via custom fields… I’m sharing this as a thought process, and perhaps others in the community might offer more refined or alternative ideas.
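To make steps A and B above concrete, here is an added BeanShell sketch of the two scripts (example code written for this thread, not from the original post or from SailPoint’s shipped ServiceNow integration). It assumes the certification rule receives a `CertificationEntity` named `entity` plus `context`, that the plan initializer receives `plan`, `identity` and `context`, that a custom identity attribute `lastRevokedRoles` exists, and that your integration config maps the plan argument `revokedRole` onto a ticket field; all four are assumptions to verify against your IIQ version.

```java
// Part A: certification rule. Collect the business roles revoked for this
// entity and stash them on the identity (assumed inputs: entity, context).
import sailpoint.object.*;
import sailpoint.tools.Util;

String ROLE_ATTR = "lastRevokedRoles"; // assumed custom identity attribute

List revoked = new ArrayList();
for (CertificationItem item : Util.iterate(entity.getItems())) {
    CertificationAction action = item.getAction();
    // Only role (Bundle) items whose decision was a revoke/remediation
    if (item.getType() == CertificationItem.Type.Bundle && action != null
            && action.getStatus() == CertificationAction.Status.Remediated) {
        revoked.add(item.getBundle()); // getBundle() returns the role name
    }
}
if (!revoked.isEmpty()) {
    Identity who = context.getObjectByName(Identity.class, entity.getIdentity());
    who.setAttribute(ROLE_ATTR, Util.listToCsv(revoked));
    context.saveObject(who);
    context.commitTransaction();
}

// Part B: planInitializerScript in IdentityIQforServiceNowServiceDesk.xml
// (assumed inputs: plan, identity, context). Copies the stored role name
// onto the plan only when the plan actually removes entitlements.
String roles = (String) identity.getAttribute(ROLE_ATTR);
if (roles == null) {
    return; // plan not caused by a role revoke: leave the ticket untouched
}
boolean touched = false;
for (AccountRequest acct : Util.iterate(plan.getAccountRequests())) {
    for (AttributeRequest attr : Util.iterate(acct.getAttributeRequests())) {
        if (ProvisioningPlan.Operation.Remove.equals(attr.getOperation())) {
            // Plan argument; assumed to be mapped to a ticket field
            // (e.g. description) by the integration's request template.
            plan.put("revokedRole", roles);
            touched = true;
        }
    }
}
if (touched) {
    // Clear the scratch attribute so a stale role name can never be
    // attached to a later, unrelated ticket for the same identity.
    identity.setAttribute(ROLE_ATTR, null);
    context.saveObject(identity);
    context.commitTransaction();
}
```

If several certifications for the same identity can run concurrently, a single identity attribute is a race; a custom object keyed by certification or plan tracking id is the safer store.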