Web Service Source Remove Entitlement never called?

Hi
Obviously I’m doing something stupid. I have a web service with a number of endpoints that do different actions… aggregate accounts, entitlements, Remove Entitlement… They all work except Remove Entitlement that is never called from IDN… It’s hooked up to the operation like the rest of them… As far as I understand this is called when a Revoke is performed in a Certification? Not on my IDN it isn’t… I run a Cert and do a revoke and nothing… not error. I’m nowhere near wondering how to specify the $plan.nativeIdentity$ etc for the accountID or how to get the Entitlement ID into the payload… for now I put a static payload in… It just never runs… I get that with Accounts I have a Create Prov Plan etc but for Entitlements then where does the plan live or is it just the schema map.

Basically I think I’m misunderstanding this but I don’t know where this aspect is documented… Even a diagram that joins the various aspects in the hierarchy that they are needed would be great…

I feel stupid asking such badly formed questions but the whole thing has me in the dark here.

Many thanks for any advice!!

Cheers

Hi @julico ,
Did you sign-off the certification campaign that would remove the entitlement?
As a manager, in the “My Team” widget, you can also request the revocation of an access profile.
So, for your test you can create such access profile with your entitlement.

Once you are sure that your method should be called, you shall review “Account Activity” in Search to see what IDN is trying to do.

Thanks…
Yes… I signed off… I’ll try the Access Profile route but I wanted to stay with pure Entitlements if I could as the Entitlements are anything but static and there are about 700 of them.
Cheers

No,

Access profiles didn’t change anything. Basically, choosing Revoke in a Cert does not call the Web Service Source “Remove Entitlement” Operation mapped API as documented. It does nothing as far as I can see
Thanks

OK, I give up…

Instead I am writing a quick Azure Function to receive the Cert Signed off Trigger… Loop through the revokes and any for the source in question I’ll call the API to remove the entitlement.

I mean, let’s write our own IAM processor as the workflow (well, just the Triggers in this case) are making IDN a great UI and event issuer so I can write my own processors.

If the documentation explained how to hook up the “Remove Entitlement” operation then I could use it. But it doesn’t anywhere I can see. I would rather use the product though so I’d still appreciate any ideas from anyone?

Thanks
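The workaround described in the post above (an external handler that receives the Certification Signed Off trigger, picks out the revokes for one web service source, and issues the removals itself) can be sketched as follows. This is an added example, not code from the thread or from SailPoint; the trigger payload fields, the shape of the access-review items, the source name and the target application's DELETE endpoint are all assumptions, and the sample inputs are constructed. The handler deliberately drops items with a missing account id or entitlement value and de-duplicates repeated decisions, so the same revoke is never sent twice.

```python
"""Sketch of an off-platform revocation handler (added example, assumed field names)."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple
from urllib.parse import quote

# Placeholder for the target web service base URL (not a real endpoint).
TARGET_API_BASE = "https://target-app.example.invalid/api"
# The web service source whose revokes this handler owns (constructed name).
SOURCE_NAME = "Finance Portal (Web Services)"

# Constructed sample of the signed-off trigger body; field names are an assumption.
TRIGGER_PAYLOAD = json.dumps({"certification": {"id": "cert-0001", "name": "Q1 Manager Review"}})

# Constructed sample of access-review items fetched for that certification (assumed shape).
REVIEW_ITEMS = [
    {"id": "item-1", "decision": "REVOKE", "accessSummary": {"entitlement": {
        "sourceName": SOURCE_NAME, "attributeValue": "GRP_FINANCE", "account": {"nativeIdentity": "jdoe"}}}},
    {"id": "item-2", "decision": "APPROVE", "accessSummary": {"entitlement": {
        "sourceName": SOURCE_NAME, "attributeValue": "GRP_FINANCE", "account": {"nativeIdentity": "asmith"}}}},
    {"id": "item-3", "decision": "REVOKE", "accessSummary": {"entitlement": {
        "sourceName": "Active Directory", "attributeValue": "CN=Admins", "account": {"nativeIdentity": "jdoe"}}}},
    {"id": "item-4", "decision": "REVOKE", "accessSummary": {"entitlement": {
        "sourceName": SOURCE_NAME, "attributeValue": "GRP_PAYROLL", "account": {}}}},  # no account id
    {"id": "item-5", "decision": "REVOKE", "accessSummary": {"entitlement": {
        "sourceName": SOURCE_NAME, "attributeValue": "GRP_FINANCE", "account": {"nativeIdentity": "jdoe"}}}},  # duplicate
    {"id": "item-6", "decision": "REVOKE", "accessSummary": {"entitlement": {
        "sourceName": SOURCE_NAME, "attributeValue": "CN=Finance,OU=Groups", "account": {"nativeIdentity": "asmith"}}}},
]


@dataclass(frozen=True)
class Removal:
    native_identity: str    # account id in the target application
    entitlement_value: str  # entitlement value to strip from that account
    review_item_id: str     # audit link back to the certification decision


def certification_id_from_trigger(payload: str) -> str:
    """Pull the certification id out of the trigger body; reject bodies without one."""
    data = json.loads(payload)
    try:
        cert_id = data["certification"]["id"]
    except (KeyError, TypeError):
        raise ValueError("trigger payload has no certification.id") from None
    if not isinstance(cert_id, str) or not cert_id:
        raise ValueError("certification.id is empty")
    return cert_id


def select_revokes(items: Iterable[dict], source_name: str) -> List[Removal]:
    """Keep REVOKE decisions for one source, skipping incomplete and duplicate items."""
    removals: List[Removal] = []
    seen: Set[Tuple[str, str]] = set()
    for item in items:
        if item.get("decision") != "REVOKE":
            continue
        ent = (item.get("accessSummary") or {}).get("entitlement") or {}
        if ent.get("sourceName") != source_name:
            continue
        native_id = (ent.get("account") or {}).get("nativeIdentity")
        value = ent.get("attributeValue")
        if not native_id or not value:
            continue  # cannot build a safe request without both; leave it for manual review
        key = (native_id, value)
        if key in seen:
            continue
        seen.add(key)
        removals.append(Removal(native_id, value, item.get("id", "")))
    return removals


def build_request(removal: Removal) -> dict:
    """Describe the DELETE the handler would send (hypothetical target API path)."""
    account = quote(removal.native_identity, safe="")
    value = quote(removal.entitlement_value, safe="")
    return {
        "method": "DELETE",
        "url": f"{TARGET_API_BASE}/accounts/{account}/entitlements/{value}",
        "headers": {"X-Review-Item": removal.review_item_id},
    }


def plan_removals(trigger_payload: str, items: Iterable[dict], source_name: str) -> dict:
    """Full handler step: trigger body + review items -> list of removal requests."""
    cert_id = certification_id_from_trigger(trigger_payload)
    requests = [build_request(r) for r in select_revokes(items, source_name)]
    return {"certificationId": cert_id, "requests": requests}


if __name__ == "__main__":
    print(json.dumps(plan_removals(TRIGGER_PAYLOAD, REVIEW_ITEMS, SOURCE_NAME), indent=2))
```

Separating `plan_removals` (pure, returns the requests it would make) from the code that actually sends them keeps the handler testable and makes it easy to log the planned removals per certification before anything is executed.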

I am having the same issue. The cert campaign is not calling the remove entitlement web service operation I have configured. Is the cert campaign supposed to call the remove entitlement web service or is there another operation I need to configure?

I am using IdentityIQ 8.1 and having a similar issue. In my case, I have a web service connector operation Remove Entitlement configured. After revoking an entitlement during a certification campaign and signing off the revocation, I run Perform Maintenance. The entitlement gets removed from the user account in SailPoint but it is not removed from the Application.
Remove Entitlement has header, body and response. In Response, I am using POST and attribute Roles and attribute path for parsing XML. I have a Root Path defined and Successful Response code 200.
Can anyone provide an example of a SOAP request?

Hi Jeffrey,

I am about to think about this again. At the time I (as described badly) wrote a Provisioning handler that basically receives the Certification Signed off Trigger and then looks to see if any “Revokes” are needed for the web service based source and call Delete on them myself.

Whilst I think the Pattern of having an off-IDN provisioning handler has many advantages… even allowing Orgs that have onboarded many apps as CSVs for Cert purposes to still automate Revocation/Leaver etc… I still think that the reason I wrote it in the first place is just a hack. I’d really like to hook up Remove Entitlement and get that source all working as it’s supposed to.

Do you have any clues for me? If not you, anyone else? I know I’m doing something silly. I am about to look into provisioning plans as I am pretty certain (now I think about it) that I only added a Create plan… and that would, perhaps be the obvious answer staring me in the face.

Cheers
Julian