WebServiceBeforeOperationRule to remove the roles from the user and then disable the user

Hi Team,

We have a requirement for a web service connector where we need to remove the roles from the user and disable the user.

I think we can achieve this using WebServiceBeforeOperationRule, but can anyone suggest how to implement it using WebServiceBeforeOperationRule and the steps to be followed?

Thanks
Kalyan

Hi,

You can create the rule using the documentation below.

After creation, you need to attach the rule to the web service operation.

Let me know if you are looking for any specific scenario.

Thanks,
Abhinov

Hi @Abhinov7, thank you for your reply. Could you please provide any code to remove the roles from the user and disable the user, other than the documentation rule at Web Services Before Operation Rule | SailPoint Developer Community?

Thanks
Kalyan

Hi,

Can you let me know your exact requirement?

Are you trying to remove roles directly on the target, or do you want to remove roles using ISC?

  1. If you are trying to remove them on the target, then you need to make API calls directly to the target application using WSBO.
  2. If you are trying to remove them on the target using ISC, then you cannot achieve it using WSBO. You need to write a before provisioning rule.

Thanks,
Abhinov

Hi @Abhinov7, thanks for the reply.

My requirement is as below:

Whenever a user leaves/departs from the company, we need to remove the roles associated with that user for the target web service application and disable the user on the target web service application. I think we may not be able to achieve this using the HTTP remove and disable operations, as we may not be able to combine two different operations in a single HTTP operation. How can we achieve this using a Web Service Before Operation rule, and is there any sample code and steps to be followed?

Thanks
Kalyan

Hi,

You can configure a disable account operation and a remove entitlement operation on web services.

When the LCS changes to resigned, disable the web services application. As part of disablement you can remove groups as well.

In this case you need a before provisioning rule. This cannot be achieved with WSBO.

I have attached the generic rule. Change it according to your requirement.
Generic.java (1.9 KB)

Thanks,
Abhinov

Hi @kalyannambi2010, as @Abhinov7 says, you can use a before provisioning rule for disabling the account and removing groups when a user terminates.

I have tried with the Webservice Operation Rule but it did not work for me.

So it is better to write a before provisioning rule, or you can get help from SailPoint Expert Services to deploy the default rule “Service Standard Before Provisioning Rule”.

Please refer to the post below for more info.

Thanks,
Shantha Kumar

Hi @Santhakumar, thank you for the update. Can a before provisioning rule be applied to a web service connector?

Thanks
Kalyan

Hi @Abhinov7, thank you for the update. Can a before provisioning rule be applied to a web service connector?

Thanks
Kalyan

Hi,

Yes, you can apply the before provisioning rule to a web service connector. But it would be a cloud rule. We need SailPoint support's help to deploy the rule into the tenant.

Thanks,
Abhinov

Yes, you can use the rule for a web service connector. However, you can use the Service Standard Rule by importing it into your tenant with the help of sp-config.

Use the link below to download the rule from the Mock Project:
https://community.sailpoint.com/t5/IdentityNow-Forum/IdentityNow-Mock-Project-Services-Standard-BeforeProvisioning/td-p/216158

If you want the updated rule, you can contact SailPoint Support Services as @Abhinov7 says.

Thanks,
Shantha Kumar

Hi @Santhakumar and @Abhinov7, thank you for the update.

Thanks
Kalyan

Hi @Abhinov7, thank you for your reply. In my use case "roleId" is the entitlement attribute. How do I use the Object initialGrpList = idn.getRawAccountAttribute(curApp, acctId, "memberOf"); method in a before provisioning rule, as my application is not Active Directory but a Web Service?

Thanks
Kalyan

Hi,

You can use

Object initialGrpList = idn.getRawAccountAttribute(curApp, acctId, "roleId");

in your rule.

Thanks,
Abhinov

Hi @Abhinov7, I have updated the code and submitted it for the SP team to deploy, and will update the results.

Thanks
Kalyan

Hi @Abhinov7, I have updated the code and submitted it for the SP team to deploy, and will update the results. But do we still need to define an HTTP operation for disable as well, with the API call for disabling the account?

Thanks
Kalyan

Yes, you can configure a Disable Account operation in the source config UI and configure the API endpoint responsible for disabling the user account. If you're configuring the Disable Account operation, ensure that you check the “Disable Account” operation on the leaver-related lifecycle state in the identity profile.

In parallel, your beforeProvisioning rule can take care of removing all the roleIds.

Hi @Arshad and @Abhinov7, thank you for the update.

I have defined an HTTP operation for disable account and have written the before provisioning rule below to remove all the roleIds. Could you please provide your feedback?

```xml
<?xml version='1.0' encoding='UTF-8'?>
<Rule name="SampleBeforeProvisoning" type="BeforeProvisioning">
  <Description>Before Provisioning Rule which removes all the group memberships.</Description>
  <Source><![CDATA[

import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import java.util.*;
import sailpoint.server.IdnRuleUtil;
import sailpoint.tools.Util;

log.debug("Rule - Remove Groups");
// Before Provisioning Rule
String acctId = null;
String appName = null;
String operation = null;
String curApp = application.getName();
AccountRequest acctRequest = null;
// Lifecycle state of the identity being provisioned
String currentLCS = (String) identity.getAttribute("cloudLifecycleState");

List acctReqs = plan.getAccountRequests();
if (acctReqs != null) {
  for (AccountRequest eachAcctReq : acctReqs) {
    acctId = eachAcctReq.getNativeIdentity();
    appName = eachAcctReq.getApplicationName();
    operation = eachAcctReq.getOperation().toString();

    if ("Sample".equals(appName)) {
      if ("Disable".equals(operation) && Util.nullSafeCaseInsensitiveEq("terminated", currentLCS)) {
        // For removing groups - Disable
        acctRequest = new AccountRequest();
        acctRequest.setApplication(appName);
        acctRequest.setNativeIdentity(acctId);
        acctRequest.setOp(sailpoint.object.ProvisioningPlan.ObjectOperation.Modify);

        // Remove entitlements: read the current values from the account
        Object initialGrpList = idn.getRawAccountAttribute(curApp, acctId, "roleId"); // Change the group attribute
        if (initialGrpList != null) {
          // Remove groups
          AttributeRequest removeGroupAttributeRequest = new AttributeRequest();
          removeGroupAttributeRequest.setName("roleId"); // Change the group attribute
          removeGroupAttributeRequest.setValue(initialGrpList);
          removeGroupAttributeRequest.setOperation(sailpoint.object.ProvisioningPlan.Operation.Remove);
          acctRequest.add(removeGroupAttributeRequest);
        }
      }
    }
  }
}
if (acctRequest != null) {
  plan.add(acctRequest);
}

log.debug("Rule - BeforeProvisioning End");
// End of Rule

  ]]></Source>
</Rule>
```

Thanks
Kalyan

@kalyannambi2010 This looks good to me, unless @Abhinov7 has any further feedback.

I'd suggest giving this a test in your ISC test environment and seeing how it goes.

Hi @Arshad and @Abhinov7, the account is getting disabled but none of the roles are getting removed and no error is thrown. Any idea on this?

Thanks
Kalyan
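The pattern discussed in this thread (a Before Provisioning rule that reads the account's current entitlement values and adds a Modify request with a Remove attribute request) has two quiet failure modes worth checking when a remove completes without error: the raw attribute returned by `idn.getRawAccountAttribute` may be a single `String` rather than a `List` when the account holds exactly one value, and the request may not be in the plan that reaches the connector. The rule body below is an added example, not code from this thread, from the attached Generic.java or from SailPoint; it normalises the raw value to a `List`, builds the request per matching account request, and logs the final plan so the Remove can be confirmed in the rule logs before looking at the source's Remove Entitlement operation. It assumes the standard Before Provisioning rule inputs (`plan`, `identity`, `application`, `idn`, `log`) and reuses the application name "Sample", lifecycle state "terminated" and attribute name "roleId" from the thread; `toValueList` is a hypothetical helper defined here.

```java
// Added example: Before Provisioning rule body (BeanShell) that removes all
// "roleId" values on Disable for the "Sample" web service source.
// Assumes the standard rule inputs plan, identity, application, idn and log.
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.tools.Util;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Hypothetical helper: normalise whatever the connector returned into a List of
// String values. A multi-valued attribute holding one value often comes back as a
// plain String, which is not what the connector expects for a multi-valued Remove.
List toValueList(Object raw) {
  List values = new ArrayList();
  if (raw == null) {
    return values;
  }
  if (raw instanceof Collection) {
    for (Object v : (Collection) raw) {
      if (v != null) {
        values.add(v.toString());
      }
    }
  } else {
    values.add(raw.toString());
  }
  return values;
}

String currentLCS = (String) identity.getAttribute("cloudLifecycleState");
// Collect new requests here and add them after the loop; never mutate the plan
// while iterating over its account requests.
List newRequests = new ArrayList();

List acctReqs = plan.getAccountRequests();
if (acctReqs != null) {
  for (AccountRequest req : acctReqs) {
    boolean isSampleDisable = "Sample".equals(req.getApplicationName())
        && "Disable".equals(String.valueOf(req.getOperation()));
    if (!isSampleDisable || !Util.nullSafeCaseInsensitiveEq("terminated", currentLCS)) {
      continue;
    }
    String acctId = req.getNativeIdentity();
    List roles = toValueList(idn.getRawAccountAttribute(application.getName(), acctId, "roleId"));
    log.debug("Current roleId values for " + acctId + ": " + roles);
    if (roles.isEmpty()) {
      continue; // nothing to remove; leave the plan untouched
    }

    AccountRequest modify = new AccountRequest();
    modify.setApplication(req.getApplicationName());
    modify.setNativeIdentity(acctId);
    modify.setOp(ObjectOperation.Modify);

    AttributeRequest remove = new AttributeRequest();
    remove.setName("roleId");
    remove.setOperation(Operation.Remove);
    remove.setValue(roles); // always a List, even for a single role
    modify.add(remove);
    newRequests.add(modify);
  }
}

for (AccountRequest r : newRequests) {
  plan.add(r);
}

// Log the final plan: if the Modify/Remove request is present here but the
// roles stay on the target, the gap is in the source's Remove Entitlement
// operation rather than in the rule.
log.debug("BeforeProvisioning plan: " + plan.toXml());
```

When testing, read the rule's debug output first: a plan that contains the Modify request with a `Remove` on `roleId` confirms the rule did its part, and the next place to look is the Remove Entitlement HTTP operation configured on the source and the connector's own logs for that call.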