cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Multi-threaded application deletion

Multi-threaded application deletion

 

Overview

At times it may be necessary to delete an application from IdentityIQ. This can be done by running the iiq console command:

     delete Application "<application name>"

However, in cases where the application has been in use and has many associated objects, this can be a time consuming process for a couple reasons. First, the Terminator process is single threaded in iiq console. Second, when an object is deleted, any dependent objects must also deleted. In the case of an Application, related Links, ManagedAttributes, and such are cleaned up by the Terminator before it takes care of the Application. This can involve many database transactions, which can take more time than can be spared during a maintenance period.

To address this issue, we developed a rule to allow for multi-threaded application deletion. It is attached here.

We wanted this process to be deliberate, due to the potential impact it may have, so editing of the rule is required, as well as running it from IIQConsole.

 

Instructions

Note: As for any code change, test the execution in non-production environments before using it in production.

1. Unzip the rule to a location that allows for editing of the file.

2. Edit lines #49-#60 to specify application names for the applications that will be deleted.

3. Save the modified rule and import it into IdentityIQ

4. Run the rule in iiq console with the following command:

     rule "Multithreaded Delete Apps"

 

Update:

2017-01-31 - Remove the direct deletion of EntitlementGroups.

Labels (1)
Attachments
Comments

Can you tell me if this is for a specific IIQ verison. When I attempt to run it, it appears to run in debug mode but not in "real delete" mode.  I see entries that say "purging null" for link objects, then the task just gets stuck.

Thanks

Sally_Newton

Hi Victor,

I believe this was coded against IdentityIQ 6.3. What version are you all running?

You are correct in that it runs in debug mode as default. This setting is on line 45. It is recommended that you run in debug first to see the impact of the deletions and to confirm you are deleting the correct objects. A reminder that lines 51-60 need to be edited to specify the application names you intend to delete.

Thanks. We are currently on 6.1p3, so that could be part of the issue.

Sally_Newton

Victor, I have confirmed that this works on 6.1p3.

Could you provide your version of the rule and the output when you run it, please?

I don't seem to have a way to attach files here.  I have taken the original rule, and only modified the lines you indicated to reflect my application names.  I did also add some logging to see if I could see where things were getting stuck on my end. Each time I run it, it hangs up attempting to purge account links. My test application is delimited file based with only 17 accounts, so I would expect that to be a relatively fast operation. In Debug, it does run to completion (but doesn't remove anything). When I run it for real, here's what I see.

> rule "Multithreaded Delete App"

Deleting objects for Application: Quantum - Application Repository (PROD)

Loading ids for class: class sailpoint.object.IdentityEntitlement

Purging: Quantum Job Role

Purging: Quantum Job Role

Purging: Quantum Job Role

Purging: Quantum Job Role

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-17 - Purged objects: 0

IdentityEntitlement-Delete Thread-18 - Purged objects: 0

IdentityEntitlement-Delete Thread-19 - Purged objects: 0

IdentityEntitlement-Delete Thread-1 - Purged objects: 1

IdentityEntitlement-Delete Thread-4 - Purged objects: 1

Purging: Quantum Job Role

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-0 - Purged objects: 1

IdentityEntitlement-Delete Thread-3 - Purged objects: 1

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-2 - Purged objects: 1

Purging: Quantum Job Role

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-9 - Purged objects: 1

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-15 - Purged objects: 1

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-6 - Purged objects: 1

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-14 - Purged objects: 1

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-5 - Purged objects: 1

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-16 - Purged objects: 1

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-13 - Purged objects: 1

Purging: Quantum Job Role

IdentityEntitlement-Delete Thread-7 - Purged objects: 1

IdentityEntitlement-Delete Thread-8 - Purged objects: 1

IdentityEntitlement-Delete Thread-12 - Purged objects: 1

IdentityEntitlement-Delete Thread-11 - Purged objects: 1

IdentityEntitlement-Delete Thread-10 - Purged objects: 1

Loading ids for class: class sailpoint.object.EntitlementGroup

Purging: null

EntitlementGroup-Delete Thread-17 - Purged objects: 0

EntitlementGroup-Delete Thread-18 - Purged objects: 0

EntitlementGroup-Delete Thread-19 - Purged objects: 0

Purging: null

Purging: null

Purging: null

Purging: null

EntitlementGroup-Delete Thread-2 - Purged objects: 1

Purging: null

EntitlementGroup-Delete Thread-4 - Purged objects: 1

EntitlementGroup-Delete Thread-1 - Purged objects: 1

Purging: null

Purging: null

EntitlementGroup-Delete Thread-3 - Purged objects: 1

EntitlementGroup-Delete Thread-0 - Purged objects: 1

Purging: null

Purging: null

EntitlementGroup-Delete Thread-14 - Purged objects: 1

EntitlementGroup-Delete Thread-12 - Purged objects: 1

EntitlementGroup-Delete Thread-11 - Purged objects: 1

Purging: null

EntitlementGroup-Delete Thread-5 - Purged objects: 1

Purging: null

Purging: null

Purging: null

EntitlementGroup-Delete Thread-10 - Purged objects: 1

EntitlementGroup-Delete Thread-6 - Purged objects: 1

EntitlementGroup-Delete Thread-9 - Purged objects: 1

Purging: null

Purging: null

Purging: null

EntitlementGroup-Delete Thread-13 - Purged objects: 1

EntitlementGroup-Delete Thread-7 - Purged objects: 1

EntitlementGroup-Delete Thread-16 - Purged objects: 1

EntitlementGroup-Delete Thread-8 - Purged objects: 1

EntitlementGroup-Delete Thread-15 - Purged objects: 1

Loading ids for class: class sailpoint.object.ManagedAttribute

Loading ids for class: class sailpoint.object.ManagedAttribute

ManagedAttribute-Delete Thread-0 - Purged objects: 0

ManagedAttribute-Delete Thread-1 - Purged objects: 0

ManagedAttribute-Delete Thread-2 - Purged objects: 0

ManagedAttribute-Delete Thread-3 - Purged objects: 0

ManagedAttribute-Delete Thread-4 - Purged objects: 0

ManagedAttribute-Delete Thread-5 - Purged objects: 0

ManagedAttribute-Delete Thread-6 - Purged objects: 0

ManagedAttribute-Delete Thread-7 - Purged objects: 0

ManagedAttribute-Delete Thread-8 - Purged objects: 0

ManagedAttribute-Delete Thread-9 - Purged objects: 0

ManagedAttribute-Delete Thread-10 - Purged objects: 0

ManagedAttribute-Delete Thread-11 - Purged objects: 0

ManagedAttribute-Delete Thread-12 - Purged objects: 0

ManagedAttribute-Delete Thread-13 - Purged objects: 0

ManagedAttribute-Delete Thread-14 - Purged objects: 0

ManagedAttribute-Delete Thread-15 - Purged objects: 0

ManagedAttribute-Delete Thread-16 - Purged objects: 0

ManagedAttribute-Delete Thread-17 - Purged objects: 0

ManagedAttribute-Delete Thread-18 - Purged objects: 0

ManagedAttribute-Delete Thread-19 - Purged objects: 0

Loading ids for class: class sailpoint.object.Link

Purging: null

Purging: null

Purging: null

Link-Delete Thread-17 - Purged objects: 0

Link-Delete Thread-18 - Purged objects: 0

Link-Delete Thread-19 - Purged objects: 0

Purging: null

Purging: null

Sally_Newton

Ahh, those nulls don't necessarily indicate anything bad. Those object types don't have names, so they are displaying null there.

If you change the line that produces that output to:

System.out.println("Purging: " + o.getId());

It will indicate which object it is getting stuck on.

I can find the object it is referencing in the spt_link table. But nothing seems out of the ordinary with it from what I can see. The identity cube overall looks fine. I tried to put another print statement with some static text after terminator.deleteobject, but nothing seems to get output.  If I use the "delete application myapp", it works just fine.

Hi Jason, we are on 7.0p2. I see that it is taking time to delete data from EntitlementGroup table. Can we add another class to this rule to remove it from EntitlementGroup ? like

myClass = EntitlementGroup.class;

  packQueueWithObjectIds(qo);

  runThreads();

Thanks

Ashvin

This is amazing, thanks!!

We are working 7.3 version.

Is this Rule works?

Version history
Revision #:
2 of 2
Last update:
‎Jul 24, 2023 04:22 PM
Updated by:
 
Contributors