I am able to remove entitlement on Remove Entitlement operation when manager revokes the item. But there is a use case when manager revokes the entitlement and there is only one entitlement present with user then the respective account should get deleted.
Can anyone please let me know how this can be achieved?
Hi @gogubapu, I don’t it would be possible. Correct me if I am wrong.
In the before operation rule, from plan we can get native identity and entitlement. But I don’t think it would be possible to call identity and managed attribute object to check if user has entitlement already.
Develop rule using below suggestion:
build logic:
In web service after operation rule get single user data, then check user entitlement, build condition if user have this particular entitlement, then execute delete user API in the same if condition.
4. then patch the web service after-operation rule to remove entitlement http operation and find below link after operation rule Web Services After Operation Rule (sailpoint.com)
Is there a particular reason you would want to delete the account when user has 1 entitlement remaining because this sounds strange to me that user will have the entitlement in the back-end application and we try to delete the account.
Generally, the account should be deleted when last Entitlement is being removed from the account and for this there is already before provisioning rule available (Services Standard IdentityNow BeforeProvisioning Rule) which lets you achieve this use by just configuring the events on the source level.
So, the idea is you can configure the below trigger on the source and then this will detect when ever the last entitlement is being removed from the user, the modify operation will be changed to delete operation and it will ensure that account is deleted from the back-end.
FYI, you will need to change the attribute value in above example and keep the attribute name for entitlement. Also, you will need to contact SailPoint to deploy this rule in your tenant.
Also, make sure that delete operation is defined on the connector configuration.
@vguleria Good to see how you configured this… I have one question, I do not see “eventActions” as connector attribute are we allowed to add it under connector attribute? are you saying update the source using the API?
@Amrit1897
I have another approach to achieve this usecase:
Write a beforeProvisioning rule - where you will check if the entitlement which is getting removed is the only entitlement and change the operation to delete.
Have HTTP operation “Delete Account” configured in your source.
Yes, typically you would create a new key inside the connector attributes called as cloudServicesIDNSetup and there you can create multiple events as per your use case. The standard rule is also quite flexible as you can have multiple events for example if you want to move user from one OU to another one.
{
"cloudServicesIDNSetup": {
"eventConfigurations": [
{
"eventActions": [
{
"Action": "ChangeOperation",
"Attribute": null,
"Value": "Delete"
}
],
"Operation": "Modify",
"Entitlement Cardinality Update Triggers": [
{
"Attribute": "groups", // this will change and instead of groups, it should be your entitlement attribute name
"Operation": "LastRemoved",
"Value": null
}
]
}
]
}
}
It is quite easy to configure this. The only thing is that you will need to contact SailPoint to deploy this rule to your tenant. Once deployed, you can use it for multiple sources and multiple events can also be configured there.
You can even do something like when last entitlement is removed, then change the operation to disable if you do not wish to delete the accounts, so in my opinion this will be better option to go for. But please make sure to check with SailPoint support if you can get it deployed on your tenant or does it require some more pre-requisites.
@shekhardas1825, Thanks for the suggestion.
In the before operation rule, from plan we can get native identity and entitlement. But how can I get the identity information, like user has only one entitlement left?
This is a standard before provisioning rule with the name “Services Standard IdentityNow BeforeProvisioning” Rule. You will need to get it deployed by SailPoint support team once in your dev tenant.
Once it is deployed, then you can map the before provisioning rule in the source and then configure the events to change the operation to delete when the last entitlement is being removed and perform the testing. If the tests looks promising, then you can use sp-config APIs to move the rule from dev to production tenant.
So in short, it will be only one time request to SailPoint for deploying the before provisioning rule and after that it will let you achieve many use cases with it without having to manage your own code.
Once, you go into the structure of the zip file, you will see a folder called as supporting documents and inside that you will have a file called as Services Standard BeforeProvisioning where you can find the exact details.
I am sure this is available in the official documentation also but not really aware of where it is stored.
Please check and let me know if that helps.