WebService entitlement removal during certification

Hi Team,

We would like to implement deprovisioning/entitlement removal during certification user access remediation, so that if the source owner revokes any access item, that access should automatically be revoked from the end system/application.

How to implement this feature in WebService based sources?

Thanks
Kalyan

Hi @kalyannambi2010,

First create an HTTP operation for remove entitlement, then follow the steps below:

  1. Create a source owner certification campaign.
  2. Start the certification.
  3. The certification campaign is assigned to the respective source owner.
  4. Ask the Source Owner to make the decisions.
  5. After all the decisions are made, sign off the certification campaign.
  6. After sign-off of the certification campaign, all the decisions take place for provisioning to user accounts.

Find the below link for more details
Starting a Manager or Source Owner Campaign - SailPoint Identity Services
Thank You.

Hi @gogubapu thank you for your reply and what steps are required for creating http operation for remove entitlement like what has to be configured for this and any rule has to be implemented for this feature? Any idea on this?

Thanks
Kalyan

Yeah, that depends on your API behavior. Find the below connector guide for implementation
HTTP Operations (sailpoint.com)

Hi @gogubapu thank you and do you have any sample Http operation block for “Remove Entitlement” operation?

Thanks
Kalyan

You may check the connector guide for how to configure operations. Do you have an API to execute remove access from a user? Use that API in the remove entitlement HTTP operation.

Hi @gogubapu thanks for the update and do you have any sample Http operation block for “Remove Entitlement” operation how it looks?

Thanks
Kalyan

Hi @kalyannambi2010,

Find below screenshot for your reference

Operation Name: Remove Entitlement
Operation Type: choose Remove Entitlement
Curl or Context URL: Provide your API here
Http method: choose API execution method (Get, Post, etc.)

Thank You.

Hi @gogubapu thank you for your update and under body section what has to be provided for removal of one or more entitlements during user access review?

{
"members": [
{
"value": "$getObject.nativeIdentity$",
"operation": "REMOVE"
}]
}

Thanks
Kalyan

Hi @kalyannambi2010,

Do you have an API? If yes, then post the same here, the one you have tested in Postman or some other tool; it is better for guiding you.

Hi everyone,

Do we need to write any rule for revoke of single/multiple entitlements during WebService UAR and any service account special permissions required?

Thanks
Kalyan

Hi @gogubapu which API do I need to share here, like account aggregation API, test connection API?

Thanks
Kalyan

single/multiple entitlements removal API

Hi @gogubapu,

The below API is being used for entitlements removal and how to achieve single/multiple entitlements removal during user access revoke any idea?

/hcmRestApi/scim/Roles/

Thanks
Kalyan

Hi @kalyannambi2010,

Configure remove entitlement in your tenant using below:

Operation Type: Remove Entitlement
API:

https://servername.fa.us2.oraclecloud.com/hcmRestApi/scim/Roles/$plan.roleID$

You may use the relevant attribute instead of roleId; I have given it as an example.

Method: Patch
Body:

{
  "schemas": [
    "urn:oracle:apps:scim:schemas:fa:1.0:Role"
  ],
  "members": [
    {
      "value": "$plan.nativeIdentity$",
      "operation": "REMOVE"
    }
  ]
}

Header: Content-Type:application/json

Perform relevant operation to revoke roles from user.

Thank You.

Hi @gogubapu thank you for providing the details.

I have updated HTTP Remove Entitlement operation accordingly but when I try to revoke the entitlement during user access review revoke process it did not remove the entitlement and did not throw any message. Any idea on this?

Thanks
Kalyan

Hi everyone,

I have updated HTTP Remove Entitlement operation accordingly but when I try to revoke the entitlement during user access review revoke process it did not remove the entitlement and did not throw any message. Any idea on this?

Thanks
Kalyan

Hi @gogubapu I am getting below error while trying to revoke entitlement during user access review.

["Exception while updating account.Url: https://ehis-dev3.fa.us6.oraclecloud.com/hcmRestApi/scim/Roles/361126D03E034A0DBC0D09CC383039AD, Message: 403 : Forbidden, HTTP Error Code: 403"]

Thanks
Kalyan

Hi @gogubapu I am getting below error while trying to revoke entitlement during user access review.

["Exception while updating account.Url: https://ehis-dev3.fa.us6.oraclecloud.com/hcmRestApi/scim/Roles/361126D03E034A0DBC0D09CC383039AD, Message: 403 : Forbidden, HTTP Error Code: 403"]

Below is API call for role revoke.

Thanks
Kalyan

Hi @kalyannambi2010,

Use below in your API header:
Accept: application/json
Content-Type: application/json-patch+json

And make sure your service account has the required permission (Admin Level) to perform the operation.

Thank you.
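
For checking the call outside the tenant (in Postman or a script, as suggested earlier in the thread), the following added example builds the PATCH requests for revoking one or several roles from a single user. It is not part of the thread or of SailPoint's connector code. It assumes, from the URL and body posted above, that each role is its own resource and so each revoked role needs its own PATCH; the function names, the ID character check and the sample IDs are illustrative.

```python
import json
import re
from urllib.parse import quote

# Base URL and schema as posted in the thread; "servername" is the thread's placeholder host.
BASE_URL = "https://servername.fa.us2.oraclecloud.com/hcmRestApi/scim/Roles/"
ROLE_SCHEMA = "urn:oracle:apps:scim:schemas:fa:1.0:Role"
# Headers from the last reply in the thread.
HEADERS = {"Accept": "application/json", "Content-Type": "application/json-patch+json"}
# Assumption: role IDs are plain alphanumeric tokens, like the one in the posted 403 error.
SAFE_ROLE_ID = re.compile(r"^[A-Za-z0-9]+$")


def build_revocations(native_identity, role_ids):
    """Return one PATCH request description per role to remove from the user."""
    if not isinstance(native_identity, str) or not native_identity:
        raise ValueError("nativeIdentity must be a non-empty string")
    requests = []
    for role_id in dict.fromkeys(role_ids):  # drop duplicates, keep order
        # The role ID is substituted into the URL path, so refuse anything
        # that could point the request at a different resource.
        if not SAFE_ROLE_ID.match(role_id):
            raise ValueError(f"unexpected characters in role ID: {role_id!r}")
        body = {
            "schemas": [ROLE_SCHEMA],
            "members": [{"value": native_identity, "operation": "REMOVE"}],
        }
        requests.append({
            "method": "PATCH",
            "url": BASE_URL + quote(role_id, safe=""),
            "headers": dict(HEADERS),
            "body": json.dumps(body),  # json.dumps escapes the user value safely
        })
    return requests


def explain_status(status):
    """Map an HTTP status code to the follow-up discussed in the thread."""
    if status == 403:
        return "forbidden: check the service account's permission on the Roles API"
    if 200 <= status < 300:
        return "accepted: confirm the role no longer lists the user"
    return "unexpected status: inspect the response body"


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    for req in build_revocations("USERGUID0001", ["ROLEID0001", "ROLEID0002"]):
        print(req["method"], req["url"], req["body"])
    print(explain_status(403))
```
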