Set provisioning plan to null

I am trying to come up with a before provisioning rule that if a user’s Identity Attribute equals a value, IDN should not add/remove any entitlements from the user. A typical scenario is a user already has a role, but when this condition is met they will be removed from the role but their access should be maintained. Also no other attributes should be updated.

Would the below work?

if ("contractor".equals(identity.getAttribute("jobTitle"))) { 
  // Set Plan/Account Request to null
  plan.setAccountRequests(null);
}
1 Like

Hi Edward,

Modifying the provisioning plan in this way seems like it might have unintended consequences. Just looking at it without any additional context suggests that when an identity becomes a “contractor”, you can no longer add or remove entitlements from their account. This sounds like it could lead to trouble in the event you do need to remove access from their account, or grant them additional access later. This effectively means IdentityNow can no longer manage the access of contractors.

Rather than using a beforeProvisioning rule, have you looked into modifying the membership criteria of the role(s) in question so that a jobTitle change does not remove their membership to the role?

1 Like

The condition above was an example, but the scenario we have is an Admin discovers that a user is an exception and wants to manually exclude them from being handled by IDN. This condition will also be on all of the related roles but they want to leave the access as is once that exception flag is put in place.

Updated example:

if ("exception".equals(identity.getAttribute("idnExceptionFlag"))) { 
  // Set Plan/Account Request to null
  plan.setAccountRequests(null);
}

To follow up, adding this to the beginning of our existing BeforeProvisioning rule made it so entitlements were not added/removed.

Relevant Role Criteria was also updated to include Identity Attribute "idnExceptionFlag" Does Not Equal "exception"

if ("exception".equals(identity.getAttribute("idnExceptionFlag"))) { 
  // Set Plan/Account Request to null
  plan.setAccountRequests(null);
  return null
}