Webservice Connector - Disable User with Remove Multiple Entitlements

Which IIQ version are you inquiring about?

IIQ8.4sp1

Customer has a Leaver process to disable the user account and revoke the user’s entitlements. The Provisioning Plan created by the Leaver workflow is as below.
2024-11-07T13:28:19,425 DEBUG Thread-150 rule.SP.Leaver.RulesLibrary:166 - Leaver plan:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan>
  <AccountRequest application="Active Directory" nativeIdentity="CN=TestUser_3,OU=Users,OU=Graveyard,DC=amst,DC=tds,DC=bnymellon,DC=net" op="Disable">
    <AttributeRequest name="msExchHideFromAddressLists" op="Set" value="true"/>
    <AttributeRequest name="submissionContLength" op="Set" value="0"/>
  </AccountRequest>
  <AccountRequest application="1BR - Mellon Aladdin" nativeIdentity="???" op="Delete"/>
  <AccountRequest application="OMDBOL1031" nativeIdentity="51234AAC" op="Disable">
    <AttributeRequest name="roles" op="Remove" value="TEST_ROLE@OMDBOL1031"/>
    <AttributeRequest name="roles" op="Remove" value="SQLT_USER_ROLE@OMDBOL1031"/>
  </AccountRequest>
  <AccountRequest application="ETAM" nativeIdentity="51234AAC" op="Delete"/>
  <Attributes>
    <Map>
      <entry key="flow" value="RapidSetup Leaver"/>
    </Map>
  </Attributes>
</ProvisioningPlan>

The "OMDBOL1031” is the DBaaS Oracle application we integrated with IIQ 8.4sp1 using the web service connector. To revoke the user’s entitlements, we need to make a separate call to the DBaaS Oracle endpoint for each entitlement, so we set “addRemoveEntInSingleReq” to false. We also created a BeforeOperationRule to retrieve the entitlements from the AccountRequest and its AttributeRequests, but for some reason the provisioning plan in the BeforeOperation rule shows the AttributeRequest for the entitlements as a List, like below.
2024-11-07T13:28:31,862 DEBUG Thread-150 DBaaS.Oracle.Orders.BeforeRule:166 - opType: Remove Entitlement
2024-11-07T13:28:31,868 DEBUG Thread-150 DBaaS.Oracle.Orders.BeforeRule:166 - BeforeRule plan:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="51234AAC" targetIntegration="DBaaS Exadata-Oracle" trackingId="ac5a3b86fc9f47a6b03d52eb2939e9e8">
  <AccountRequest application="OMDBOL1031" nativeIdentity="51234AAC" op="Disable">
    <AttributeRequest name="roles" op="Remove">
      <Value>
        <List>
          <String>TEST_ROLE@OMDBOL1031</String>
          <String>SQLT_USER_ROLE@OMDBOL1031</String>
        </List>
      </Value>
    </AttributeRequest>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="flow" value="RapidSetup Leaver"/>
      <entry key="identityRequestId" value="0000002779"/>
      <entry key="requester" value="spadmin"/>
      <entry key="source" value="RapidSetup"/>
    </Map>
  </Attributes>
</ProvisioningPlan>

The BeforeOperation rule snippet to remove an entitlement is like below. The “role” needs to be a “string” instead of a List of strings.

// Assumes the rule imports sailpoint.tools.Util and a JSONObject class with put()/toString() (e.g. org.json),
// and that opType, userName, globalName, role, requestEndPoint and log are already set earlier in the rule.
if (opType.equalsIgnoreCase(REMOVE_OPERATION)) { // Remove Entitlement
    log.debug(opType + " for user_name: " + userName + " pdb_name: " + globalName + " role: " + role);

    JSONObject requestBody = new JSONObject();
    requestBody.put("product_name", "oracle");
    requestBody.put("product_type_name", "standard_common");
    requestBody.put("product_ver", "0.0.0");
    requestBody.put("product_ver_comp_name", "pdb_process");
    // removeEntitlement - revoke user
    requestBody.put("product_ver_comp_ac_name", "revoke_user");

    JSONObject orderParams = new JSONObject();
    orderParams.put("pdb_name", globalName);
    orderParams.put("user_name", userName);
    // remove role suffix @mnemonic (e.g. TEST_ROLE@OMDBOL1031 -> TEST_ROLE)
    if (Util.isNotNullOrEmpty(role) && role.contains("@")) {
        String[] _role = role.split("@");
        role = _role[0];
    }
    orderParams.put("role_name", role);
    log.debug("revoke role:" + role);
    requestBody.put("order_params", orderParams);

    log.debug(opType + " requestEndPoint.getBody(): " + requestEndPoint.getBody().toString());
    // the connector sends whatever is stored under "jsonBody" as the request payload
    requestEndPoint.getBody().put("jsonBody", requestBody.toString());
    log.debug(opType + " requestBody: " + requestBody.toString());
    return requestEndPoint;
}

The issue here is that the AttributeRequest “roles” to be removed in the provisioning plan passed to the BeforeOperation rule is a List of strings instead of a string. Please help with how to loop through the List to get each role to pass to the endpoint. Any pointers would be much appreciated.

Hi @jxu11,

In the before-operation rule, you can read the AttributeRequest “role” like a list:

import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

for (AccountRequest accountRequest : plan.getAccountRequests()) {
    List roles = new ArrayList();
    AttributeRequest attrReq = accountRequest.getAttributeRequest("roles");
    if (attrReq == null) continue;          // this AccountRequest carries no "roles" attribute
    Object value = attrReq.getValue();
    if (value instanceof List) {            // several roles: IIQ collapsed them into one List value
        for (Object i : (List) value) {
            roles.add(i);
        }
    } else if (value != null) {             // a single role arrives as a plain String
        roles.add(value);
    }
}

You must check whether the attribute is a list or not, because if you remove only one role, the attribute will be a string. Once you have a list of strings, you can use it to compose your string.

1 Like
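Putting the two snippets above together, as an added example that is not code from either post: plain Java that normalizes the “roles” value to a list whether IIQ passed a List or a single String, strips the @mnemonic suffix, and builds one revoke_user body per role with the same fields as the poster’s rule. It assumes org.json for JSONObject; the user and PDB values are constructed from the thread’s plan, and the class and method names are the example’s own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.json.JSONObject;
public class RevokeRoleBodies {
    // IIQ hands the rule a List when the plan carries several "roles" values and a plain String when it carries one.
    static List<String> toRoleList(Object value) {
        List<String> roles = new ArrayList<String>();
        if (value instanceof List) {
            for (Object o : (List) value) {
                if (o != null) roles.add(o.toString());
            }
        } else if (value != null) {
            roles.add(value.toString());
        }
        return roles;
    }
    // Strip the "@mnemonic" suffix: TEST_ROLE@OMDBOL1031 -> TEST_ROLE
    static String stripSuffix(String role) {
        int at = role.indexOf('@');
        return at < 0 ? role : role.substring(0, at);
    }
    // One revoke_user body per role, with the same fields as the poster's snippet.
    static List<JSONObject> buildRevokeBodies(Object rolesValue, String userName, String pdbName) {
        List<JSONObject> bodies = new ArrayList<JSONObject>();
        for (String role : toRoleList(rolesValue)) {
            JSONObject orderParams = new JSONObject();
            orderParams.put("pdb_name", pdbName);
            orderParams.put("user_name", userName);
            orderParams.put("role_name", stripSuffix(role));
            JSONObject body = new JSONObject();
            body.put("product_name", "oracle");
            body.put("product_type_name", "standard_common");
            body.put("product_ver", "0.0.0");
            body.put("product_ver_comp_name", "pdb_process");
            body.put("product_ver_comp_ac_name", "revoke_user");
            body.put("order_params", orderParams);
            bodies.add(body);
        }
        return bodies;
    }
    public static void main(String[] args) {
        // Constructed inputs: the two-role List from the thread's plan, then a single String (one role removed).
        Object twoRoles = Arrays.asList("TEST_ROLE@OMDBOL1031", "SQLT_USER_ROLE@OMDBOL1031");
        for (JSONObject b : buildRevokeBodies(twoRoles, "51234AAC", "OMDBOL1031")) System.out.println(b);
        for (JSONObject b : buildRevokeBodies("TEST_ROLE@OMDBOL1031", "51234AAC", "OMDBOL1031")) System.out.println(b);
    }
}
```

In the rule itself, each body from buildRevokeBodies corresponds to one call to the DBaaS endpoint, which is the per-role loop the thread ends up using.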

@enistri_devo,
I finally resolved the issue with your suggestion to loop over the role list when calling the API endpoint. Thank you so much!

2 Likes