Which IIQ version are you inquiring about?
IIQ8.4sp1
The customer has a Leaver process to disable the user account and revoke the user’s entitlements. The Provisioning Plan created by the Leaver workflow is as below.
2024-11-07T13:28:19,425 DEBUG Thread-150 rule.SP.Leaver.RulesLibrary:166 - Leaver plan:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
<AccountRequest application="Active Directory" nativeIdentity="CN=TestUser_3,OU=Users,OU=Graveyard,DC=amst,DC=tds,DC=bnymellon,DC=net" op="Disable">
<AttributeRequest name="msExchHideFromAddressLists" op="Set" value="true"/>
<AttributeRequest name="submissionContLength" op="Set" value="0"/>
</AccountRequest>
<AccountRequest application="1BR - Mellon Aladdin" nativeIdentity="???" op="Delete"/>
<AccountRequest application="OMDBOL1031" nativeIdentity="51234AAC" op="Disable">
<AttributeRequest name="roles" op="Remove" value="TEST_ROLE@OMDBOL1031"/>
<AttributeRequest name="roles" op="Remove" value="SQLT_USER_ROLE@OMDBOL1031"/>
</AccountRequest>
<AccountRequest application="ETAM" nativeIdentity="51234AAC" op="Delete"/>
<Attributes>
<Map>
<entry key="flow" value="RapidSetup Leaver"/>
</Map>
</Attributes>
</ProvisioningPlan>
The "OMDBOL1031" is the DBaaS Oracle application we integrated with IIQ 8.4sp1 using the webservice connector. To revoke the user’s entitlements, we need to make a call to the DBaaS Oracle endpoint for each of the entitlements, and we set “addRemoveEntInSingleReq” to False. We also created the BeforeOperationRule to retrieve the entitlements from the AccountRequest and its AttributeRequest, but for some reason the provisioning plan in the BeforeOperation Rule is showing the AttributeRequest as a List for the entitlements, like below.
2024-11-07T13:28:31,862 DEBUG Thread-150 DBaaS.Oracle.Orders.BeforeRule:166 - opType: Remove Entitlement
2024-11-07T13:28:31,868 DEBUG Thread-150 DBaaS.Oracle.Orders.BeforeRule:166 - BeforeRule plan:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="51234AAC" targetIntegration="DBaaS Exadata-Oracle" trackingId="ac5a3b86fc9f47a6b03d52eb2939e9e8">
<AccountRequest application="OMDBOL1031" nativeIdentity="51234AAC" op="Disable">
<AttributeRequest name="roles" op="Remove">
<Value>
<List>
<String>TEST_ROLE@OMDBOL1031</String>
<String>SQLT_USER_ROLE@OMDBOL1031</String>
</List>
</Value>
</AttributeRequest>
</AccountRequest>
<Attributes>
<Map>
<entry key="flow" value="RapidSetup Leaver"/>
<entry key="identityRequestId" value="0000002779"/>
<entry key="requester" value="spadmin"/>
<entry key="source" value="RapidSetup"/>
</Map>
</Attributes>
</ProvisioningPlan>
The BeforeOperation Rule snippet to Remove Entitlement is like below. The “role” needs to be a “string” instead of a List of strings.
if (opType.equalsIgnoreCase(REMOVE_OPERATION)) { // Remove Entitlement
    log.debug(opType + " for user_name: " + userName + " pdb_name: " + globalName + " role: " + role);
    JSONObject requestBody = new JSONObject();
    requestBody.put("product_name", "oracle");
    requestBody.put("product_type_name", "standard_common");
    requestBody.put("product_ver", "0.0.0");
    requestBody.put("product_ver_comp_name", "pdb_process");
    // removeEntitlement - revoke user
    requestBody.put("product_ver_comp_ac_name", "revoke_user");
    JSONObject orderParams = new JSONObject();
    orderParams.put("pdb_name", globalName);
    orderParams.put("user_name", userName);
    // remove role suffix @mnemonic
    if (Util.isNotNullOrEmpty(role) && role.contains("@")) {
        String[] _role = role.split("@");
        role = _role[0];
    }
    orderParams.put("role_name", role);
    log.debug("revoke role:" + role);
    requestBody.put("order_params", orderParams);
    log.debug(opType + " requestEndPoint.getBody(): " + requestEndPoint.getBody().toString());
    requestEndPoint.getBody().put("jsonBody", requestBody.toString());
    log.debug(opType + " requestBody: " + requestBody.toString());
    return requestEndPoint;
}
The issue here is that the attributeRequest “roles” to be removed in the provisioning plan passed to the BeforeOperation rule is a list of strings instead of a string. Please help with how to loop through the List to get each of the roles to pass to the endpoint. Any pointers would be much appreciated.
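
The two plans above carry the "roles" value in two shapes, a single string and a List of strings. The following is an added example, not part of the original post and not SailPoint code, showing one way to normalize either shape into one order_params entry per role. Assumptions: the class and method names are hypothetical, only the JDK is used, and in the rule the value would be what AttributeRequest.getValue() returns (an Object); the pdb and user values in main are constructed samples.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class RoleValueDemo {

    // Accepts the "roles" value in either shape seen in the two plans above:
    // a single String or a List of Strings. Returns role names without "@mnemonic".
    static List<String> toRoleNames(Object value) {
        List<String> names = new ArrayList<>();
        if (value == null) return names;
        Collection<?> items = (value instanceof Collection)
                ? (Collection<?>) value
                : Arrays.asList(value);
        for (Object item : items) {
            if (item == null) continue;
            String role = item.toString().trim();
            int at = role.indexOf('@');          // drop the "@mnemonic" suffix
            if (at >= 0) role = role.substring(0, at);
            if (!role.isEmpty()) names.add(role); // skip blank entries
        }
        return names;
    }

    // Builds one order_params map per role, because the endpoint takes one role per call.
    static List<Map<String, String>> buildOrderParams(String pdbName, String userName, Object value) {
        List<Map<String, String>> orders = new ArrayList<>();
        for (String role : toRoleNames(value)) {
            Map<String, String> params = new LinkedHashMap<>();
            params.put("pdb_name", pdbName);
            params.put("user_name", userName);
            params.put("role_name", role);
            orders.add(params);
        }
        return orders;
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the two plan shapes in the post.
        Object single = "TEST_ROLE@OMDBOL1031";
        Object list = Arrays.asList("TEST_ROLE@OMDBOL1031", "SQLT_USER_ROLE@OMDBOL1031");
        System.out.println(buildOrderParams("EXAMPLE_PDB", "EXAMPLE_USER", single));
        System.out.println(buildOrderParams("EXAMPLE_PDB", "EXAMPLE_USER", list));
    }
}
```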