Using the web service connector, provisioning is via an IT role. There is a single API call for aggregation which gives the list of users and entitlements; user attributes are pulled in as entitlements (role, group).
The IT role has (role, group, AD group) assigned while creating the user account.
During provisioning we have an API call which just passes role and group to add, but we need to remove the existing entitlement before adding the new set, kind of a single drop-down case.
How can I achieve deleting the existing entitlement and not the AD group (the AD group remains with the account) via a before provisioning rule?
I understand that ‘role’ and ‘group’ are entitlement attributes in your web service connector application. Are these attributes intended to be single-valued or multi-valued?
If you are certain that these attributes should only hold a single value, the solution is straightforward. By not marking them as multi-valued, the value will be automatically replaced each time.
However, if you need these attributes to be multi-valued, you can implement a before-provisioning rule. You can add logic to fetch the existing values and update the plan to remove these entitlements accordingly.
Thanks for the input; the entitlements can be updated in the plan, but the IT role still stays with the identity.
I want to replace the IT Role in this scenario for a specific application.
Understood. To replace an IT role, you can use a before provisioning rule to identify the role to be provisioned, then modify the existing plan with the IIQ Account Request.
Alternatively, a more effective approach might be to implement an SOD policy. This policy would require users to submit a role removal request before they can request a new role addition.
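A worked before-provisioning rule for the plan-modification approach described in the two answers above (an added example, not code from the original thread or from SailPoint). It assumes the standard BeforeProvisioning rule arguments `plan`, `application` and `log`, that the identity is read from `plan.getIdentity()`, and that the single drop-down entitlement attributes are named `role` and `group` as in the question; the AD group attribute is deliberately left out of the replace list so it is never removed.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;

// BeforeProvisioning rule body (BeanShell). 'plan', 'application' and 'log'
// are the rule's standard arguments.
// Assumption: 'role' and 'group' are the entitlement attributes that behave
// like a single drop-down. The AD group attribute is intentionally NOT listed,
// so existing AD group values are never touched by this rule.
List replaceAttrs = new ArrayList();
replaceAttrs.add("role");
replaceAttrs.add("group");

// Normalise a link attribute value (String or List) into a List of values.
List toList(Object value) {
    List result = new ArrayList();
    if (value == null) return result;
    if (value instanceof List) {
        result.addAll((List) value);
    } else {
        result.add(value);
    }
    return result;
}

// Locate the existing account (Link) that this AccountRequest targets.
Link findLink(Identity identity, AccountRequest acctReq) {
    List links = identity.getLinks(application);
    if (links == null) return null;
    for (Link link : links) {
        if (acctReq.getNativeIdentity() == null
                || acctReq.getNativeIdentity().equals(link.getNativeIdentity())) {
            return link;
        }
    }
    return null;
}

if (plan != null && plan.getIdentity() != null && plan.getAccountRequests() != null) {
    Identity identity = plan.getIdentity();
    for (AccountRequest acctReq : plan.getAccountRequests()) {
        // Only Modify requests for this application; a Create has nothing to remove.
        if (!application.getName().equals(acctReq.getApplication())) continue;
        if (!AccountRequest.Operation.Modify.equals(acctReq.getOperation())) continue;

        Link link = findLink(identity, acctReq);
        if (link == null) continue;

        List removals = new ArrayList();
        for (String attrName : replaceAttrs) {
            List requests = acctReq.getAttributeRequests(attrName);
            if (requests == null || requests.isEmpty()) continue;

            // Values the current plan is adding for this attribute.
            List newValues = new ArrayList();
            for (AttributeRequest ar : requests) {
                if (Operation.Add.equals(ar.getOperation())) {
                    newValues.addAll(toList(ar.getValue()));
                }
            }
            if (newValues.isEmpty()) continue;

            // Every existing value not in the new set gets an explicit Remove,
            // which the web service connector sends through its 'Remove Entitlement' operation.
            for (Object existing : toList(link.getAttribute(attrName))) {
                if (!newValues.contains(existing)) {
                    removals.add(new AttributeRequest(attrName, Operation.Remove, existing));
                    log.info("Removing " + attrName + "=" + existing + " before adding the new value");
                }
            }
        }

        if (!removals.isEmpty()) {
            // Place the removals ahead of the original requests so the remove runs first.
            List ordered = new ArrayList(removals);
            ordered.addAll(acctReq.getAttributeRequests());
            acctReq.setAttributeRequests(ordered);
        }
    }
}
```

The rule only adds Remove attribute requests to the plan; the actual HTTP call that deletes the old entitlement is whatever is configured as the connector's Remove Entitlement operation, so verify that operation is defined and test the rule against a single account before enabling it broadly.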
Yes, with SOD, we will require users to submit a role removal request. Whenever they submit a role removal, entitlement removal occurs, and it attempts to execute the ‘Remove Entitlement’ operation.
For writing SOD, you can refer to this link. You may need to tweak it a bit to get the business role of your particular application.
Also, I apologize for missing your point. If your requirement is to remove an IT role and not a business role, making the entitlement attribute single-valued or using a before provisioning rule to remove the entitlement would suffice. Once you remove the entitlement, the IT role will be removed automatically after refreshing the identity with the option below.