Webservice - Provisioning must delete existing entitlement before adding (only an Add API call is available)

Which IIQ version are you inquiring about?

8.2

Hello Community,

Using webservice connector, the provisioning is via IT Role. There is one single API call for aggregation which gives list of users and entitlements - user attributes are pulled in as entitlements (role, group).

  1. The IT role has (role, group, AD Group) while creating user account
  2. During provisioning we have an API call which just passes role, group to add, but we need to remove the existing entitlement before adding new set, kind of single drop down case.

How can I achieve deleting the existing entitlement and not the AD group (the AD group remains with the account) via a before-provisioning rule?

Thanks

Hi @shivakarasani199

I understand that ‘role’ and ‘group’ are entitlement attributes in your web service connector application. Are these attributes intended to be single-valued or multi-valued?

If you are certain that these attributes should only hold a single value, the solution is straightforward. By not marking them as multi-valued, the value will be automatically replaced each time.

However, if you need these attributes to be multi-valued, you can implement a before-provisioning rule. You can add logic to fetch the existing values and update the plan to remove these entitlements accordingly.

Hi @Arpitha1

Thanks for the input. The entitlements can be updated in the plan, but the IT Role still stays with the identity.
I want to replace the IT Role in this scenario for a specific application.

Thanks

Hi @shivakarasani199

Understood. To replace an IT role, you can use a before provisioning rule to identify the role to be provisioned, then modify the existing plan with the IIQ Account Request.

Alternatively, a more effective approach might be to implement an SOD policy. This policy would require users to submit a role removal request before they can request a new role addition.


With the SOD policy approach, does the role removal look for the Remove Entitlement operation? (We do not have a remove entitlement API available.)

Yes, with SOD, we will require users to submit a role removal request. Whenever they submit a role removal, entitlement removal occurs, and it attempts to execute the ‘Remove Entitlement’ operation.

For writing SOD, you can refer to this link. You may need to tweak it a bit to get the business role of your particular application.

Also, I apologize for missing your point. If your requirement is to remove an IT role and not a business role, making the entitlement attribute single-valued or using a before provisioning rule to remove the entitlement would suffice. Once you remove the entitlement, the IT role will be removed automatically after refreshing the identity with the option below.
[image]
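As an added illustration of the before-provisioning approach described in the two replies above (this is example code written for this page, not code posted by either participant), here is a BeanShell rule body for an IIQ BeforeProvisioning rule. It assumes the rule-injected variables `plan`, `application` and `context` that IIQ supplies to that rule type, and the entitlement attribute names `role` and `group` are constructed for the example; the AD group attribute is simply not listed, so it is never touched. Whenever the plan adds a value for one of the listed attributes on an existing account, the rule reads the account's current values from the Link and prepends matching Remove attribute requests, so the connector processes the removal before the add.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.Util;

// BeforeProvisioning rule body. IIQ supplies 'plan' (ProvisioningPlan),
// 'application' (Application) and 'context' (SailPointContext) as rule variables.

// Constructed attribute names: the entitlement attributes that behave like a
// single drop-down on the target. The AD group attribute is deliberately not
// listed here, so its values stay on the account.
List replaceAttrs = new ArrayList();
replaceAttrs.add("role");
replaceAttrs.add("group");

Identity identity = plan.getIdentity();
List acctReqs = plan.getAccountRequests();
if (identity != null && acctReqs != null) {
    for (AccountRequest acctReq : acctReqs) {
        // Only Modify requests for this application; a Create has no old value to drop.
        if (!application.getName().equals(acctReq.getApplication())
                || !AccountRequest.Operation.Modify.equals(acctReq.getOperation())) {
            continue;
        }

        // Locate the account (Link) the request targets so we can read its current values.
        Link link = null;
        List links = identity.getLinks(application);
        if (links != null) {
            for (Link l : links) {
                if (Util.nullSafeEq(l.getNativeIdentity(), acctReq.getNativeIdentity())) {
                    link = l;
                    break;
                }
            }
        }
        if (link == null || acctReq.getAttributeRequests() == null) {
            continue;
        }

        List removeReqs = new ArrayList();
        for (String attr : replaceAttrs) {
            // Values the plan is about to add for this attribute.
            List newValues = new ArrayList();
            for (AttributeRequest attrReq : acctReq.getAttributeRequests()) {
                if (attr.equals(attrReq.getName())
                        && ProvisioningPlan.Operation.Add.equals(attrReq.getOperation())) {
                    newValues.addAll(Util.asList(attrReq.getValue()));
                }
            }
            if (newValues.isEmpty()) {
                continue; // nothing is being added for this attribute
            }

            // Values currently held on the account that are not being re-added.
            List current = Util.asList(link.getAttribute(attr));
            List toRemove = new ArrayList();
            if (current != null) {
                for (Object v : current) {
                    if (v != null && !newValues.contains(v)) {
                        toRemove.add(v);
                    }
                }
            }
            if (!toRemove.isEmpty()) {
                // A Remove request for the old values; IIQ also drops them from the
                // Link, which is what lets the old IT role detach on the next identity refresh.
                removeReqs.add(new AttributeRequest(attr, ProvisioningPlan.Operation.Remove, toRemove));
            }
        }

        if (!removeReqs.isEmpty()) {
            // Put the removals ahead of the original requests so they are processed first.
            removeReqs.addAll(acctReq.getAttributeRequests());
            acctReq.setAttributeRequests(removeReqs);
        }
    }
}
```

The Remove attribute request is what the web service connector maps to its Remove Entitlement operation; if the application definition has no such operation configured, the plan change alone will not call the target, which is the constraint the earlier question about the SOD approach raises. The IT role itself is not removed by this rule; as the reply above notes, that happens when the identity is refreshed after the entitlement has been removed.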