Share all details about your problem, including any error messages you may have received.
Hello all, so our requirement is to have sunrise and sunset for all entitlement(group object) of a particular application. so to achieve this we have added below tags inside attribute request of plan using before provisioning rule just for testing purpose if it works:
The testing code snippet that we have written in before provisioning rule is below:
List accountRequestTs = plan.getAccountRequests();
if(null!=accountRequestTs && accountRequestTs.size() > 0){
for(AccountRequest accountRequestT1:accountRequestTs){
List attributeRequestTList = accountRequestT1.getAttributeRequests();
if(null!=attributeRequestTList && !attributeRequestTList.isEmpty()){
for(AttributeRequest attributeRequestT : attributeRequestTList){
Date now = new Date();
long fiveMinutesInMillis = 5 * 60 * 1000;
long tenMinutesInMillis = 10 * 60 * 1000;
Date newDate = new Date(now.getTime() + fiveMinutesInMillis);
Date removeDate = new Date(now.getTime() + tenMinutesInMillis);
attributeRequestT.setAddDate(newDate);
attributeRequestT.setRemoveDate(removeDate);
attributeRequestT.setAssignment(true);
}
}
}
}
the access request is getting generated successfully with tag startDate and endDate as attached the screenshot above, however, it is not behaving as expected it is getting provisioned immediately once manager approve the access request and as per the endDate it is not getting de-provisioned infact it is never getting de-provisioned automatically as per the endDate.
Can anyone help us to achieve this?
Thanks in advance.
Can you try this modification in the workflow itself with condition that only change it for a given application.
This is because you provisioning is already being triggered and then you are trying to add this date .But ideally this entire provisioning should start only after a given date.
Let me know if I am missing anything in the use-case.
Hi @ashutosh08 Thank you for your reply now sunrise and sunset is working however when we are trying to set attributes on plan using .put() method on lcm workflow level, the attributes is not getting reflected in before provisioning rule:
plan from lcm workflow screenshot:
code snippet used in workflow level to add sunrise and sunset and attributes:
for(AttributeRequest attributeRequestT : attributeRequestTList){
Date now = new Date();
long twoMinutesInMillis = 5 * 60 * 1000;
long sixMinutesInMillis = 10 * 60 * 1000;
Date newDate = new Date(now.getTime() + twoMinutesInMillis);
Date removeDate = new Date(now.getTime() + sixMinutesInMillis);
attributeRequestT.setAddDate(newDate);
attributeRequestT.setRemoveDate(removeDate);
attributeRequestT.setAssignment(true);
attributeRequestT.put("skill","5");
}
plan.put("roleType","Agent");
Is there any way we can retain this attributes (eg., skill, roleType from above code snippet) in before provisioning level?
Can you share the step where you are modifying the plan also how you are modifying the workflow variable “plan”. Please help with some insight so that I will be able to help you.
We are modifying the plan in LCM OOTB Workflow before Initialize step.
and in modification we are adding extra attributes inside attribute request and in plan. but as told in before provisioning rule of a application the extra attributes is not coming in plan as we seen in logs.
I am just trying to understand how you are setting the variable because even after modification if the plan is not properly set then it will not be passed in the entire workflow.
So, if possible, kindly help me with the sample step script by which you are modifying the plan.
We had added a step called Update plan before Initialization step in LCM Workflow and below is the script:
```
...
plan.put("roleType","Agent");
List accountRequestTs = plan.getAccountRequests();
if(null!=accountRequestTs && accountRequestTs.size() > 0){
for(AccountRequest accountRequestT1:accountRequestTs){
List attributeRequestTList = accountRequestT1.getAttributeRequests();
if(null!=attributeRequestTList && !attributeRequestTList.isEmpty()){
for(AttributeRequest attributeRequestT : attributeRequestTList){
Date now = new Date();
long twoMinutesInMillis = 5 * 60 * 1000;
long sixMinutesInMillis = 10 * 60 * 1000;
Date newDate = new Date(now.getTime() + twoMinutesInMillis);
Date removeDate = new Date(now.getTime() + sixMinutesInMillis);
Attributes args = new Attributes();
args.putClean("assignment", new Boolean(true));
args.putClean("addDate", newDate);
args.putClean("removeDate", removeDate);
args.putClean("skill1", "1");
args.putClean("skill2", "2");
attributeRequestT.setArguments(args);
}
}
}
}
logger.debug("AW_Script_LCM_Provisioning_Custom_Workflow: updated plan sunrise : "+plan.toXml()); ----(this is the end line of the script)
```
as told already extra attribute skill1 and skill2 and roleType is not coming in before provisioning rule of the requested application during sunrise(startDate) only removeDate and assignment is coming as we can see the logs also.
My ask is whether your step is returning the plan from step as result variable, or you are manually updating workflow variable. You can try below snippet to set the plan after changing plan.
wfcontext.setVariable("plan",plan);
Also, if possible, please try to create a new plan rather than modifying the old one after coping account and attribute request from old plan.
I’m facing a similar challenge regarding the sunset date for a specific entitlement on an application. In our use case, we are looking to auto-deprovision an entitlement after a set number of days. Has anyone tackled this and could share some insights or best practices? Any guidance would be greatly appreciated. Thanks in advance!
Hi @TSavoie,
You can achieve this by modifying the plan in LCM workflow level ex:
...
for(AttributeRequest attributeRequestT : attributeRequestTList){
Date now = new Date();
long twoMinutesInMillis = 5 * 60 * 1000;
long sixMinutesInMillis = 10 * 60 * 1000;
Date newDate = new Date(now.getTime() + twoMinutesInMillis);
Date removeDate = new Date(now.getTime() + sixMinutesInMillis);
attributeRequestT.setAddDate(newDate);
attributeRequestT.setRemoveDate(removeDate);
attributeRequestT.setAssignment(true);
}
...
the method name is .setRemoveDate() and .setAssignment(true)
You can get this remove date as a input via custom form.
Or, if you want to go with OOTB sunrise/sunset feature then you can enable it by going to Global Setting>IdentityIQ Configuration>Roles>Enable Sunrise/Sunset Dates on Role Assignment
And if you want to see startDate and endDate on Access Request Page then, add the below line on UI Config page under uiIdentityRequestItemsColumns entry:
