SAP GRC - Access Management Integration mode - Identity attribute inactive = true then disable all SAP GRC Systems

irappahosamani · June 6, 2024, 2:45pm

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

We have requirement to disable all SAP systems when identity is disabled in IIQ, I’m trying with attribute sync option and setting up “Valid To” account attribute in transformation rule and setting account request operation from modify to disable in before prov rule…

Questions
Do we need to set “Valid To” attribute or Status attribute of the SAP GRC account
How do we set multiple values for “Valid To” or “Status” in case identity have associated with multiple systems connected in SAP GRC account
Any sample code for both transformation rule and before provisioning rule

Thank you

Vb_Bellamkonda · June 7, 2024, 10:44am

Hi @irappahosamani,
You always have the option to use the “IIQDisabled” approach in a Customization rule for a connector if you need site-specific behavior, or do not want to leverage the functionality compiled into the connector.
Ex: `import org.apache.log4j.Logger;

import org.apache.log4j.Level;

// Declare a logger class for us to isolate these messages during aggregation.

Logger log = Logger.getLogger(“sailpoint.services.ldapCustomizationTest”);

log.setLevel((Level) Level.DEBUG); // TODO: Remove debug logging in production use.

String acctName = object.getIdentity();

// If job title has been populated with “TERMINATED” set the account to disabled.

String titleString = object.getAttribute(“title”);

if ( (null != titleString) && (0 != titleString.length()) ) {

if (“TERMINATED”.equalsIgnoreCase(titleString)) {

  object.put("IIQDisabled", true);

  log.debug("The 'title' set to terminated on [" + acctName + "], marking IIQDisabled as true.");

}

} else {

log.debug(“No ‘title’ field populated on [” + acctName + “], assuming active account.”);

}

return object;`

For Furhter details refer these : Understanding active and inactive accounts and identities: IIQDisabled - Compass (sailpoint.com)

system · August 6, 2024, 10:44am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SAP GRC - Access Management integration : Update provisioning policy vs attribute sync IIQ Discussion and Questions identityiq	5	151	July 16, 2024
SAP GRC - Access management integration mode - IdentityIQ unable to poll the status of the request from GRC IIQ Discussion and Questions identityiq	7	195	June 19, 2024
SAP GRC System Attribute IdentityIQ (IIQ)	0	1248	April 18, 2022
SAP GRC Valid From attribute issue ISC Discussion and Questions identity-security-cloud , provisioning	2	21	October 17, 2024
Account attribute to disable for SAP Direct Connector ISC Discussion and Questions identity-security-cloud , connectors	7	88	October 5, 2024

SAP GRC - Access Management Integration mode - Identity attribute inactive = true then disable all SAP GRC Systems

Which IIQ version are you inquiring about?

Share all details related to your problem, including any error messages you may have received.

Related topics