Rule to fetch and deprovision roles from users

Which IIQ version are you inquiring about?

Unsure

I need to create a rule to fetch the users that are part of a role (any role on the server which has multiple users) and then deprovision that role from those users.
I tried using a task definition as well as a generic rule, but it does not seem to work. Any help with the code is appreciated. Thanks!

Hi @AryanPatil,

What do you need help with? Do you have some problem with your code?

Yes, I wanted help with my code to create this rule @enistri_devo

Can you post your code, so we can help with it?

You can create a “ProvisioningPlan” to remove a role from a user. However, if you provide your rule or task, we can assist you accordingly.
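As an added example (not code posted in this thread), here is what the ProvisioningPlan approach looks like as the body of a Generic rule run from a "Run Rule" task. It assumes the standard IIQ rule variables `context` and `log` are in scope; the role name is an assumption for illustration.

```java
// Added example, not from the original thread: a Generic rule body that removes an
// assigned role from every identity holding it by sending a ProvisioningPlan through
// the Provisioner. The Provisioner expands the role into its entitlements and removes
// them on the target applications, instead of only editing IIQ's own bookkeeping on
// the Identity object. Assumed: `context` and `log` are the usual rule variables,
// and the role name below is an illustrative assumption.
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

String targetRoleName = "TESTROLEAP"; // assumed role name

Bundle role = context.getObjectByName(Bundle.class, targetRoleName);
if (role == null) {
    log.error("Role not found: " + targetRoleName);
    return null;
}

// Membership test on the assignedRoles collection itself, so only identities that
// really hold the assignment are returned. Collect names first (projection query),
// because provisioning commits transactions and should not run inside an open
// scrollable result set.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.containsAll("assignedRoles", Collections.singletonList(role)));

List names = new ArrayList();
Iterator rows = context.search(Identity.class, qo, "name");
try {
    while (rows.hasNext()) {
        Object[] row = (Object[]) rows.next();
        names.add((String) row[0]);
    }
} finally {
    Util.flushIterator(rows);
}
log.info("Identities holding " + targetRoleName + ": " + names.size());

int removed = 0;
for (Object o : names) {
    Identity identity = context.getObjectByName(Identity.class, (String) o);
    if (identity == null) {
        continue;
    }

    // Plan against the IIQ application: modify the identity by removing one value
    // from its assignedRoles attribute.
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);

    AccountRequest acct = new AccountRequest();
    acct.setApplication(ProvisioningPlan.APP_IIQ);
    acct.setOperation(AccountRequest.Operation.Modify);
    acct.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
                                  ProvisioningPlan.Operation.Remove,
                                  targetRoleName));
    plan.add(acct);

    // Compile and execute: entitlement removals go to the connectors (or to work
    // items, depending on how the applications are configured) and the assignment
    // is recorded as removed on the identity.
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
    removed++;
    log.info("Requested removal of " + targetRoleName + " from " + identity.getName());

    // Keep the Hibernate session small on large populations.
    context.decache(identity);
}

log.info("Completed deprovisioning of role " + targetRoleName);
return "Removed " + targetRoleName + " from " + removed + " identities";
```

The reason to go through the Provisioner rather than editing the identity's role assignment list and saving it is that the direct edit only changes what IIQ records; the accounts and entitlements the role granted stay in place on the target systems. Because this rule strips the role from every holder, run it first in a sandbox against a test role with a handful of members and check the resulting ProvisioningTransactions before scheduling it anywhere else.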

<Rule name="RemoveTESTROLEAPRoleRule" type="Generic">
<Description>
    This rule finds all identities assigned the role 'TESTROLEAP' and deprovisions that role from each.
</Description>
<Source>
    import sailpoint.api.SailPointContext;
    import sailpoint.object.Identity;
    import sailpoint.object.RoleAssignment;
    import sailpoint.object.Filter;
    import sailpoint.object.QueryOptions;
    import sailpoint.api.IdentityService;
    import java.util.*;
 
    // Get context from rule arguments
    SailPointContext context = (SailPointContext) ruleContext.get("context");
 
    String targetRoleName = "TESTROLEAP";
    log.info("Starting deprovisioning of role: " + targetRoleName);
 
    // Search for identities that have this role assigned
    Filter roleFilter = Filter.eq("assignedRoles.name", targetRoleName);
    QueryOptions qo = new QueryOptions();
    qo.addFilter(roleFilter);
 
    List&lt;Identity&gt; identitiesWithRole = context.getObjects(Identity.class, qo);
 
    if (identitiesWithRole == null || identitiesWithRole.isEmpty()) {
      log.info("No identities found with role: " + targetRoleName);
      return null;
    }
 
    for (Identity identity : identitiesWithRole) {
      log.info("Processing identity: " + identity.getName());
 
      boolean roleFound = false;
      List&lt;RoleAssignment&gt; assignments = identity.getRoleAssignments();
 
      if (assignments != null) {
        Iterator&lt;RoleAssignment&gt; iter = assignments.iterator();
        while (iter.hasNext()) {
          RoleAssignment assignment = iter.next();
          if (assignment != null &amp;&amp; targetRoleName.equals(assignment.getRoleName())) {
            iter.remove(); // remove the role assignment
            roleFound = true;
            log.info("Removed role assignment for: " + identity.getName());
          }
        }
 
        if (roleFound) {
          // Save updated identity with role removed
          context.saveObject(identity);
          context.commitTransaction();
          log.info("Updated identity saved: " + identity.getName());
        } else {
          log.info("Role not found in assignments for: " + identity.getName());
        }
      }
    }
 
    log.info("Completed deprovisioning for role: " + targetRoleName);
    return null;
</Source>
</Rule>

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition created="1750051520642" id="0a3f0c1c97401ce08197773008021" name="CRemoveTESTROLEAPRoleRule" resultAction="Delete" subType="task_item_type_generic" type="Generic"> 
<Attributes>
<Map>
<entry key="TaskSchedule.host"/>
<entry key="ruleName" value="RemoveTESTROLEAPRoleRule"/>
<entry key="taskCompletionEmailNotify" value="Disabled"/>
<entry key="taskCompletionEmailRecipients"/>
<entry key="taskCompletionEmailTemplate"/>
</Map>
</Attributes>
<Description>This Rule Runner task will execute “RemoveTESTROLEAPRoleRule” rule. </Description>
<Owner>
<Reference class="sailpoint.object.Identity" id="0a3f0c1c96f31f078196f4aa3b303e2" name="C72688"/> 
</Owner>
<Parent>
<Reference class="sailpoint.object.TaskDefinition" id="0a3f0c1c8bf31478818b305d3a01d9" name="Run Rule"/> 
</Parent>
</TaskDefinition>


There you are removing the object from the Iterator, not from the identity. At the end you are not changing the identity.

It is still not working. Do you think you could write the part I’m doing wrong?

<Rule name="RemoveTESTROLEAPRoleRule" type="Generic">
  <Description>
    This rule finds all identities assigned the role 'TESTROLEAP', removes that role assignment properly
    by updating the identity's RoleAssignment list, and saves the identity with transaction control.
  </Description>
  <Source>
    import sailpoint.api.SailPointContext;
    import sailpoint.object.Identity;
    import sailpoint.object.RoleAssignment;
    import sailpoint.object.Filter;
    import sailpoint.object.QueryOptions;
    import java.util.*;

    SailPointContext context = (SailPointContext) ruleContext.get("context");

    String targetRoleName = "TESTROLEAP";
    log.info("Starting deprovisioning of role: " + targetRoleName);

    Filter roleFilter = Filter.eq("assignedRoles.name", targetRoleName);
    QueryOptions qo = new QueryOptions();
    qo.addFilter(roleFilter);

    List identitiesWithRole = context.getObjects(Identity.class, qo);

    if (identitiesWithRole == null || identitiesWithRole.isEmpty()) {
      log.info("No identities found with role: " + targetRoleName);
      return null;
    }

    for (Object obj : identitiesWithRole) {
      Identity identity = (Identity) obj;
      log.info("Processing identity: " + identity.getName());

      List originalAssignments = identity.getRoleAssignments();
      List updatedAssignments = new ArrayList();

      boolean roleFound = false;

      if (originalAssignments != null) {
        for (Object item : originalAssignments) {
          RoleAssignment assignment = (RoleAssignment) item;
          if (assignment != null &amp;&amp; targetRoleName.equals(assignment.getRoleName())) {
            log.info("Removing role assignment from identity: " + identity.getName());
            roleFound = true;
          } else {
            updatedAssignments.add(assignment);
          }
        }

        if (roleFound) {
          identity.setRoleAssignments(updatedAssignments);  // Update identity with new assignment list
          try {
            context.saveObject(identity);
            context.commitTransaction();
            log.info("Updated and saved identity: " + identity.getName());
          } catch (Exception e) {
            log.error("Failed to save identity: " + identity.getName(), e);
            context.rollbackTransaction();
          }
        } else {
          log.info("Role not found in assignments for identity: " + identity.getName());
        }
      }
    }

    log.info("Completed deprovisioning for role: " + targetRoleName);
    return null;
  </Source>
</Rule>

Try with identity.remove(Bundle).