Role Removal Issues

Which IIQ version are you inquiring about?

8.3sp2

Issue Summary

We are having issues with removing a role from code. We cannot build a ProvisioningPlan that will do the Remove Role function from the GUI in the Manage Access panel.

Can I have some example code of removing a role assignment? Since we haven’t been able to remove the business role, the aggregation and refresh will add everything back.

Possible Solution

I need a method to either make a provisioning plan with the right arguments or some magical identity function that can remove a certain assigned role.

Trouble Code

Here is something that I have tried, but it gave a general error when I added the context.commitTransaction().

  // I couldn't find a way to filter by application on the required role, so I have to filter on the IT roles
  Application app = context.getObjectByName(Application.class, oracleAppName);
  List <Bundle> ITRoles = identity.getBundles(app);
  List <Bundle> RequestableRoles = identity.getAssignedRoles();

  // This was fun to figure out... I have to determine which required role to remove based on the IT required role that is assigned to it
  for(Bundle ITrole : ITRoles)
  {
    String ITroleName = ITrole.getFullName();

    for(Bundle RequestableRole : RequestableRoles)
    {
      String RequestableRoleName = RequestableRole.getFullName();

      List <Bundle> RequiredITRoles =  RequestableRole.getRequirements();
      for(Bundle RequiredITRole : RequiredITRoles)
      {
        String RequiredITRoleName = RequiredITRole.getFullName();
        
        if(RequiredITRoleName.equals(ITroleName))
        {
          identity.removeAssignedRole(RequestableRole);
        }
      }
    }
  }
  context.saveObject(identity);
  context.commitTransaction(); 

@acrumley please check these links, hope that helps.

Programmatic Assigned Roles Removal From Identity - Compass

How to remove (de-assign) a role from identity via the API - Compass

I used the removeAssignedRole() with context.saveObject(identity) and context.commitTransaction().

However, in the next iteration, I get the following error:

while(linksIter.hasNext())
{
    Link link = linksIter.next();
    Identity identity = link.getIdentity();
    // Do remove operation
    removeRole(identity); // context.saveObject() is inside this function
}

Error output:

unknown error: null : at Line: 366 : in file: inline evaluation of: ``import org.apache.log4j.Logger; import org.apache.log4j.Level; import sailpoint. . . . '' : while ( linksIter .hasNext

It seems that my iterator becomes null when I do the commit transaction. I am having to iterate through many identities before I can close the rule. How do I avoid this error?

@acrumley I don’t see your complete code; maybe you can post your complete code, then I will dig more.

But you can see the samples from another user and fix it.

Rule that removes negative = true from an identity - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

You can handle it by plan also. No need for the API method.
Samples here: How to remove (de-assign) a role from identity via the API - Compass
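
A plan-based removal of the kind the reply above points to, written here as an added example (not code from this thread or from the linked Compass articles). It is a BeanShell rule fragment that assumes the rule's `context` variable is available; the helper names `findAssignedRolesRequiring` and `removeAssignedRoles` are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;

// Hypothetical helper: names of the identity's assigned roles that require
// the given IT role. It only reads the identity; nothing is removed here,
// so the assigned-role list is never modified while it is being iterated.
List findAssignedRolesRequiring(Identity identity, String itRoleName) {
    List names = new ArrayList();
    List assigned = identity.getAssignedRoles();
    if (assigned == null) return names;
    for (Bundle role : assigned) {
        List required = role.getRequirements();
        if (required == null) continue;
        for (Bundle req : required) {
            if (itRoleName.equals(req.getName()) && !names.contains(role.getName())) {
                names.add(role.getName());
            }
        }
    }
    return names;
}

// Hypothetical helper: one IIQ account request carrying a Remove on
// "assignedRoles" for each role name, compiled and executed by the Provisioner.
ProvisioningProject removeAssignedRoles(Identity identity, List roleNames) {
    if (roleNames == null || roleNames.isEmpty()) return null; // nothing to de-assign
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    AccountRequest acct = new AccountRequest();
    acct.setApplication(ProvisioningPlan.APP_IIQ);       // target is the identity cube itself
    acct.setNativeIdentity(identity.getName());
    acct.setOperation(AccountRequest.Operation.Modify);
    for (String roleName : roleNames) {
        acct.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
                                      ProvisioningPlan.Operation.Remove, roleName));
    }
    plan.add(acct);
    Provisioner provisioner = new Provisioner(context);  // `context` comes from the rule
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);
    return project;
}
```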

Yes. These articles show why I was having issues with the context.commitTransaction()

I believe I have all I need to get this working now. Thanks!

@pravin_ranjan you are very good with searching this forum. What is your strategy? I use Google, but that obviously hasn’t gotten the same results you have. Thanks!


Thanks Alex, normally I narrow down the search by a simple word in Compass. I am still a learner even though I spent 20 years in IGA.
