SailPoint IIQ Rapid Setup Leaver Exception Entitlement filter (for whole type of entitlements)

Hi All,

In this document I am going to describe and provide a solution for an issue that many people run into. You can achieve it in different ways if you want, but I am giving the best and easiest way to solve it. I hope SailPoint will also provide a built-in solution for this in the future.

Problem Statement:

We have certain applications that contain different group object types (for Okta, for example, we have groups, applications, and roles). When we configure Leaver in Rapid Setup for the application, it means that when the leaver event is triggered, the account is disabled and its entitlements are removed. In the Entitlement Exception section we only have the option to exclude entitlements whose value equals, starts with, ends with, or contains a given string. What if I want to exclude one whole type of entitlement? For example, I want the applications to be kept while the leaver event is running. What to do?

Solution:

As of now, there is no ready-made solution. But for the time being we can do one thing to exclude the "applications" type of entitlements (in your case the type may be different). In the Before Provisioning rule of the application we check whether the account request is a Disable operation and whether it also carries remove requests for the "applications" attribute. If so, we remove those attribute requests from the account request, so that while removing the groups, SailPoint won't remove the application-type entitlements.

For this we have to write logic in the Before Provisioning rule that removes those AttributeRequests from the AccountRequest, as follows.

  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.api.SailPointContext;
  import sailpoint.object.Identity;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.object.ProvisioningPlan.ObjectOperation;
  import sailpoint.object.ProvisioningPlan.Operation;
 
  // Before Provisioning rule: 'plan', 'application' and 'log' are supplied by IIQ.
  try {

    log.error("Entering into Okta before provisioning rule: ");

    log.error("The plan is: \n" + plan.toXml());

    // Only look at account requests for this application
    List accRequests = plan.getAccountRequests( application.getName() );

    if ( accRequests != null )
    {
      for ( AccountRequest accReq : accRequests )
      {
        // Only act on Disable requests (the leaver case); leave other operations untouched
        if ( accReq.getOp() == ObjectOperation.Disable )
        {
          // getAttributeRequests(name) returns a new list of the matching requests,
          // so removing from accReq while iterating over it is safe.
          List listOfAppsRemoveReqs = accReq.getAttributeRequests("applications"); // in your case the type might be different

          if ( null != listOfAppsRemoveReqs )
          {
            for ( AttributeRequest attrReqAppsRemove : listOfAppsRemoveReqs )
            {
              // Drop the request so the "applications" entitlements stay on the disabled account
              accReq.remove(attrReqAppsRemove);
            }
          }
        }
      }
    }

    log.error("The Plan after edits is: \n" + plan.toXml());
    log.error("Exiting from Okta before provisioning rule: ");

  } catch (Exception e) {
    log.error("Exception occurred in Okta before provisioning rule: " + e, e);
  }
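As an added example (my own code, not part of the original post), here is a more general version of the same Before Provisioning rule. It goes beyond the single "applications" case above: the entitlement types to keep are listed in one set, only attribute requests with the Remove operation are dropped (an Add or Set arriving in the same plan is left alone), and the rule returns how many requests it stripped so the kept entitlements can be logged and later reviewed in a certification. The attribute names in EXCLUDED_TYPES are hypothetical and must match your application schema; the variables plan, application and log are the ones IIQ injects into a Before Provisioning rule. BeanShell does not support generics, so the collections are raw types as in the original.

```java
// Added example, not the original post's code. Assumes the IIQ rule variables
// `plan`, `application` and `log` are in scope (Before Provisioning rule).
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningPlan.Operation;

// Entitlement attribute names that must survive a leaver.
// Hypothetical names: replace with the attribute names from your schema.
Set EXCLUDED_TYPES = new HashSet(Arrays.asList(new String[] { "applications", "roles" }));

// Strips Remove requests for the excluded entitlement types from every Disable
// account request of the given application. Returns the number of requests dropped.
int stripExcludedRemoves(ProvisioningPlan plan, String appName, Set excludedTypes) {
    int stripped = 0;
    List accRequests = plan.getAccountRequests(appName);
    if (accRequests == null) {
        return 0;
    }
    for (AccountRequest accReq : accRequests) {
        // Only the leaver (Disable) case is touched; Create/Modify/Delete pass through.
        if (accReq.getOp() != ObjectOperation.Disable) {
            continue;
        }
        // The no-arg getter returns the live list, so collect first and remove afterwards
        // to avoid a ConcurrentModificationException.
        List attrReqs = accReq.getAttributeRequests();
        if (attrReqs == null) {
            continue;
        }
        List toDrop = new ArrayList();
        for (AttributeRequest attrReq : attrReqs) {
            boolean excludedType = excludedTypes.contains(attrReq.getName());
            boolean isRemove = Operation.Remove.equals(attrReq.getOperation());
            if (excludedType && isRemove) {
                toDrop.add(attrReq);
            }
        }
        for (AttributeRequest attrReq : toDrop) {
            accReq.remove(attrReq);
            stripped++;
        }
    }
    return stripped;
}

int count = stripExcludedRemoves(plan, application.getName(), EXCLUDED_TYPES);
if (count > 0) {
    // These entitlements now remain on a disabled account: surface that fact so the
    // access can be picked up by a certification or a leaver report.
    log.warn("Leaver for " + application.getName() + ": kept " + count
        + " entitlement request(s) of type(s) " + EXCLUDED_TYPES
        + " on the disabled account; review them in certification.");
}
```

The point of filtering on the Remove operation, rather than on the attribute name alone, is that a Disable request can in principle carry other attribute changes for the same attribute, and only the leaver's removals should be suppressed. Keeping a count and logging it matters from a risk point of view: every entitlement this rule keeps is access that a disabled account still holds, so it should be visible somewhere a reviewer will see it.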

I hope this will be useful and solve your problem if you encounter such an issue.

Thank you!
