At times it may be necessary to delete an application from IdentityIQ. This can be done by running the iiq console command:
delete Application "<application name>"
However, in cases where the application has been in use and has many associated objects, this can be a time-consuming process for a couple of reasons. First, the Terminator process is single-threaded in iiq console. Second, when an object is deleted, any dependent objects must also be deleted. In the case of an Application, related Links, ManagedAttributes, and similar objects are cleaned up by the Terminator before it deletes the Application itself. This can involve many database transactions, which can take more time than can be spared during a maintenance period.
To address this issue, we developed a rule to allow for multi-threaded application deletion. It is attached here.
Because of the potential impact, we wanted this process to be deliberate: the rule must be edited before use, and it must be run from IIQConsole.
Note: As for any code change, test the execution in non-production environments before using it in production.
1. Unzip the rule to a location that allows for editing of the file.
2. Edit lines #49-#60 to specify application names for the applications that will be deleted.
3. Save the modified rule and import it into IdentityIQ.
4. Run the rule in iiq console with the following command:
rule "Multithreaded Delete Apps"
Update:
2017-01-31 - Remove the direct deletion of EntitlementGroups.
Can you tell me if this is for a specific IIQ version? When I attempt to run it, it appears to run in debug mode but not in "real delete" mode. I see entries that say "purging null" for link objects, then the task just gets stuck.
Thanks
Hi Victor,
I believe this was coded against IdentityIQ 6.3. What version are you all running?
You are correct in that it runs in debug mode as default. This setting is on line 45. It is recommended that you run in debug first to see the impact of the deletions and to confirm you are deleting the correct objects. A reminder that lines 51-60 need to be edited to specify the application names you intend to delete.
Thanks. We are currently on 6.1p3, so that could be part of the issue.
Victor, I have confirmed that this works on 6.1p3.
Could you provide your version of the rule and the output when you run it, please?
I don't seem to have a way to attach files here. I have taken the original rule, and only modified the lines you indicated to reflect my application names. I did also add some logging to see if I could see where things were getting stuck on my end. Each time I run it, it hangs up attempting to purge account links. My test application is delimited file based with only 17 accounts, so I would expect that to be a relatively fast operation. In Debug, it does run to completion (but doesn't remove anything). When I run it for real, here's what I see.
> rule "Multithreaded Delete App"
Deleting objects for Application: Quantum - Application Repository (PROD)
Loading ids for class: class sailpoint.object.IdentityEntitlement
Purging: Quantum Job Role
Purging: Quantum Job Role
Purging: Quantum Job Role
Purging: Quantum Job Role
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-17 - Purged objects: 0
IdentityEntitlement-Delete Thread-18 - Purged objects: 0
IdentityEntitlement-Delete Thread-19 - Purged objects: 0
IdentityEntitlement-Delete Thread-1 - Purged objects: 1
IdentityEntitlement-Delete Thread-4 - Purged objects: 1
Purging: Quantum Job Role
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-0 - Purged objects: 1
IdentityEntitlement-Delete Thread-3 - Purged objects: 1
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-2 - Purged objects: 1
Purging: Quantum Job Role
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-9 - Purged objects: 1
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-15 - Purged objects: 1
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-6 - Purged objects: 1
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-14 - Purged objects: 1
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-5 - Purged objects: 1
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-16 - Purged objects: 1
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-13 - Purged objects: 1
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-7 - Purged objects: 1
IdentityEntitlement-Delete Thread-8 - Purged objects: 1
IdentityEntitlement-Delete Thread-12 - Purged objects: 1
IdentityEntitlement-Delete Thread-11 - Purged objects: 1
IdentityEntitlement-Delete Thread-10 - Purged objects: 1
Loading ids for class: class sailpoint.object.EntitlementGroup
Purging: null
EntitlementGroup-Delete Thread-17 - Purged objects: 0
EntitlementGroup-Delete Thread-18 - Purged objects: 0
EntitlementGroup-Delete Thread-19 - Purged objects: 0
Purging: null
Purging: null
Purging: null
Purging: null
EntitlementGroup-Delete Thread-2 - Purged objects: 1
Purging: null
EntitlementGroup-Delete Thread-4 - Purged objects: 1
EntitlementGroup-Delete Thread-1 - Purged objects: 1
Purging: null
Purging: null
EntitlementGroup-Delete Thread-3 - Purged objects: 1
EntitlementGroup-Delete Thread-0 - Purged objects: 1
Purging: null
Purging: null
EntitlementGroup-Delete Thread-14 - Purged objects: 1
EntitlementGroup-Delete Thread-12 - Purged objects: 1
EntitlementGroup-Delete Thread-11 - Purged objects: 1
Purging: null
EntitlementGroup-Delete Thread-5 - Purged objects: 1
Purging: null
Purging: null
Purging: null
EntitlementGroup-Delete Thread-10 - Purged objects: 1
EntitlementGroup-Delete Thread-6 - Purged objects: 1
EntitlementGroup-Delete Thread-9 - Purged objects: 1
Purging: null
Purging: null
Purging: null
EntitlementGroup-Delete Thread-13 - Purged objects: 1
EntitlementGroup-Delete Thread-7 - Purged objects: 1
EntitlementGroup-Delete Thread-16 - Purged objects: 1
EntitlementGroup-Delete Thread-8 - Purged objects: 1
EntitlementGroup-Delete Thread-15 - Purged objects: 1
Loading ids for class: class sailpoint.object.ManagedAttribute
Loading ids for class: class sailpoint.object.ManagedAttribute
ManagedAttribute-Delete Thread-0 - Purged objects: 0
ManagedAttribute-Delete Thread-1 - Purged objects: 0
ManagedAttribute-Delete Thread-2 - Purged objects: 0
ManagedAttribute-Delete Thread-3 - Purged objects: 0
ManagedAttribute-Delete Thread-4 - Purged objects: 0
ManagedAttribute-Delete Thread-5 - Purged objects: 0
ManagedAttribute-Delete Thread-6 - Purged objects: 0
ManagedAttribute-Delete Thread-7 - Purged objects: 0
ManagedAttribute-Delete Thread-8 - Purged objects: 0
ManagedAttribute-Delete Thread-9 - Purged objects: 0
ManagedAttribute-Delete Thread-10 - Purged objects: 0
ManagedAttribute-Delete Thread-11 - Purged objects: 0
ManagedAttribute-Delete Thread-12 - Purged objects: 0
ManagedAttribute-Delete Thread-13 - Purged objects: 0
ManagedAttribute-Delete Thread-14 - Purged objects: 0
ManagedAttribute-Delete Thread-15 - Purged objects: 0
ManagedAttribute-Delete Thread-16 - Purged objects: 0
ManagedAttribute-Delete Thread-17 - Purged objects: 0
ManagedAttribute-Delete Thread-18 - Purged objects: 0
ManagedAttribute-Delete Thread-19 - Purged objects: 0
Loading ids for class: class sailpoint.object.Link
Purging: null
Purging: null
Purging: null
Link-Delete Thread-17 - Purged objects: 0
Link-Delete Thread-18 - Purged objects: 0
Link-Delete Thread-19 - Purged objects: 0
Purging: null
Purging: null
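To see at a glance where a run like the one above stopped, the console output can be tallied per object class. This is an added example, not part of the original thread or the attached rule; the sample log is constructed in the same format, and the script assumes classes are processed one after another and that every class uses the same number of worker threads.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the console output quoted in this thread.
SAMPLE = """\
Loading ids for class: class sailpoint.object.IdentityEntitlement
Purging: Quantum Job Role
Purging: Quantum Job Role
IdentityEntitlement-Delete Thread-2 - Purged objects: 0
IdentityEntitlement-Delete Thread-0 - Purged objects: 1
IdentityEntitlement-Delete Thread-1 - Purged objects: 1
Loading ids for class: class sailpoint.object.Link
Purging: null
Purging: null
Link-Delete Thread-2 - Purged objects: 0
"""

LOAD = re.compile(r"^Loading ids for class: class (?:[\w.]+\.)?(\w+)$")
DONE = re.compile(r"^(\w+)-Delete Thread-(\d+) - Purged objects: (\d+)$")

def summarize(log_text):
    """Per class: purges started, objects reported purged, threads that reported."""
    stats = defaultdict(lambda: {"started": 0, "purged": 0, "threads": set()})
    current = None
    for line in map(str.strip, log_text.splitlines()):
        if m := LOAD.match(line):
            current = m.group(1)
            stats[current]  # register the class even if nothing follows
        elif m := DONE.match(line):
            s = stats[m.group(1)]
            s["threads"].add(int(m.group(2)))
            s["purged"] += int(m.group(3))
        elif line.startswith("Purging: ") and current:
            # Assumption: a "Purging:" line belongs to the class loaded last.
            stats[current]["started"] += 1
    return stats

def stalled(stats):
    """Classes with worker threads that never reported or purges left unfinished."""
    # Assumption: pool size = highest thread index seen anywhere in the log + 1.
    pool = 1 + max((t for s in stats.values() for t in s["threads"]), default=-1)
    report = {}
    for cls, s in stats.items():
        missing = sorted(set(range(pool)) - s["threads"])
        unfinished = s["started"] - s["purged"]
        if missing or unfinished > 0:
            report[cls] = {"missing_threads": missing, "unfinished": unfinished}
    return report

if __name__ == "__main__":
    print(stalled(summarize(SAMPLE)))
```

A class listed in the report has purges that were announced but never counted, or worker threads that never printed their "Purged objects" line, which narrows down where the run is waiting.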
Ahh, those nulls don't necessarily indicate anything bad. Those object types don't have names, so they are displaying null there.
If you change the line that produces that output to:
System.out.println("Purging: " + o.getId());
It will indicate which object it is getting stuck on.
I can find the object it is referencing in the spt_link table. But nothing seems out of the ordinary with it from what I can see. The identity cube overall looks fine. I tried to put another print statement with some static text after terminator.deleteobject, but nothing seems to get output. If I use the "delete application myapp", it works just fine.
Hi Jason, we are on 7.0p2. I see that it is taking time to delete data from the EntitlementGroup table. Can we add another class to this rule to remove it from EntitlementGroup? Like:
myClass = EntitlementGroup.class;
packQueueWithObjectIds(qo);
runThreads();
Thanks
Ashvin
This is amazing, thanks!!
We are working on version 7.3.
Does this rule work?