I am trying to delete an account in the target application once the last role has been removed in SailPoint.
I have built the event config at the source level like below.
"cloudServicesIDNSetup": {
    "eventConfigurations": [
        {
            "eventActions": [
                {
                    "Action": "ChangeOperation",
                    "Attribute": null,
                    "Value": "Delete"
                }
            ],
            "Operation": "Modify",
            "Entitlement Cardinality Update Triggers": [
                {
                    "Attribute": "GroupID",
                    "Value": null,
                    "Operation": "LastRemoved"
                }
            ]
        }
    ]
},
However, I am receiving an error that the user still has the group, so the account can't be deleted. I am actually removing the last role, which holds the last group of the application, from the account in SailPoint.
Hi @FaizullahShaik, I had a similar use case and the code you have above should work. I would check your HTTP operations and make sure your delete operation is correct.
Another thing to check is if GroupID is the attribute name for entitlements on the source.
Are you removing the role through SailPoint? If it is removed locally, SailPoint will likely just add the entitlement back.
The issue could be stemming from SailPoint needing an aggregation to see that the entitlement was removed.
Yes, you're correct that it should work, because we have the same condition in other sources as well and it is working there, but in this case I need to first remove the groups from the user account; only then can I delete the account.
I am able to remove the groups separately without involving the deletion API call, but when I try to remove the last group together with the deletion method, I receive an error.
The error you are seeing is coming from the source API response, because it does not look like it will process the account deletion while the account still has a role associated with it. This seems to be occurring because you are using the beforeProvisioning rule, which executes before provisioning activities occur (such as removing the last role). Since this rule is executed before the last role is removed, the last role is never actually getting removed. The rule logic is basically saying, "if the last role is going to be removed from an account, delete the account instead". However, based on the API response, you need the last role to be removed first, and then you need to execute the delete operation, so you would need an AfterOperation rule (assuming this is a Web Services connector) to run after the removal provisioning has been completed.
Your AfterOperation rule could look something like this at a high level.
If the operation is a removal, get the account's current entitlements (i.e. after provisioning is completed). Here is one example of how this can be done, and here is a second example.
If the account does not have any entitlements (roles), make a DELETE API call to delete the account. This would be done using the executeDelete method from the WebServicesClient class to build your API call.
Attach the rule to your Remove Entitlement HTTP Operation.
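A sketch of the AfterOperation rule outlined above, added here as an example and not code from the thread or from SailPoint. It assumes the standard Web Services rule inputs (requestEndPoint, restClient, processedResponseObject, log), the two-argument (url, headers) form of executeGet/executeDelete, and hypothetical target endpoints: the removal URL has the form {base}/users/{id}/groups/{groupId}, GET {base}/users/{id}/groups returns a JSON array, and DELETE {base}/users/{id} removes the account.

```java
// AfterOperation rule for a Web Services connector, written in BeanShell (Java syntax).
// Connector-supplied inputs: requestEndPoint (EndPoint), restClient (WebServicesClient),
// processedResponseObject, log.
// ASSUMPTIONS (hypothetical, not from the thread): removal URL {base}/users/{id}/groups/{groupId},
// GET {base}/users/{id}/groups returns a JSON array, DELETE {base}/users/{id} deletes the account.
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.tools.JsonUtil;

String fullUrl = requestEndPoint.getFullUrl();
String[] parts = fullUrl.split("/");
// .../users/{id}/groups/{groupId} -> the account id sits two segments before the end
String accountId = parts[parts.length - 3];
String baseUrl = fullUrl.substring(0, fullUrl.indexOf("/users/"));

// Reuse the headers already resolved for the removal call (including Authorization).
Map headers = new HashMap(requestEndPoint.getHeader());

// 1. Re-read the account's groups now that the removal has actually been provisioned.
String groupsJson = restClient.executeGet(baseUrl + "/users/" + accountId + "/groups", headers);
Object groups = JsonUtil.parse(groupsJson);
boolean noGroupsLeft = !(groups instanceof List) || ((List) groups).isEmpty();

// 2. Delete only when the target reports zero groups; otherwise leave the account alone,
//    which avoids the "user still has the group" rejection seen in the thread.
if (noGroupsLeft) {
    log.info("Account " + accountId + " has no remaining groups; deleting it.");
    restClient.executeDelete(baseUrl + "/users/" + accountId, headers);
} else {
    log.debug("Account " + accountId + " still has " + ((List) groups).size()
            + " group(s); not deleting.");
}

// Return the processed response unchanged so the removal result is still recorded.
return processedResponseObject;
```

Attach this rule to the Remove Entitlement HTTP operation; the group-lookup and delete paths must be adjusted to the real target API.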
It didn't work via an operation rule either; however, I added an extra delete account operation which won't delete the account but makes sure all groups are removed. Later it goes to a second delete operation, which deletes the account.