Hello Sailors,
This is for the case where there are unused attribute assignments or sticky entitlements that can cause auto-provisioning failures.
In IIQ these assigned attributes are referred to as "sticky entitlements": these are entitlements directly added via LCM that have source="LCM". The entitlements are considered "sticky" because IIQ sees that they have been manually added to the account, so certain processes do not remove these entries. A direct removal of these entitlements via an LCM removal request would clean these AttributeAssignment entries up, and a revoke via certification would do the same.
In order to remove these sticky entitlements, you can run the following rule as a pre-refresh rule, or you can run it as a Rule Runner task, as sometimes we have a Leaver event that disables the application account link but does not remove these sticky entitlements. This rule will clean up these sticky entitlements. Its logic is to check that the application link exists for that identity and, if not, remove the AttributeAssignment object for that application so that it is not auto-provisioned when we do an Identity Cube Refresh with the provision assignment option enabled.
If you are using the pre-refresh rule, then in the Identity Cube Refresh task add this XML tag: <entry key="preRefreshRule" value="[Refresh Rule Name]"/>
Below is the rule:
----------------------
import java.util.List;
import sailpoint.api.IdentityService;
import sailpoint.object.Application;
import sailpoint.object.AttributeAssignment;
import sailpoint.object.Link;
import sailpoint.tools.Util;

// Sniff the AttributeAssignments and look for any pointing to a Link that doesn't exist.
// Set the nativeIdentity to null on said assignment and let it fall away naturally.
// "identity" and "context" are supplied by the refresh rule / task context.
IdentityService iSvc = new IdentityService(context);
boolean dirty = false;
List assignments = identity.getAttributeAssignments();
if (!Util.isEmpty(assignments)) {
    for (Object assignmentObj : assignments) {
        AttributeAssignment assignment = (AttributeAssignment) assignmentObj;
        Link matched = null;
        Application assApp = null;
        if (assignment.getApplicationId() != null) {
            assApp = context.getObject(Application.class, assignment.getApplicationId());
        }
        String instance = assignment.getInstance();
        String nativeIdentity = assignment.getNativeIdentity();
        // Only look for a Link when the assignment carries both an application and a native identity
        if (nativeIdentity != null && !"".equals(nativeIdentity.trim()) && assApp != null) {
            matched = iSvc.getLink(identity, assApp, instance, nativeIdentity);
        }
        // No Link for this application/account: detach the assignment so the refresh does not re-provision it
        if (matched == null) {
            assignment.setNativeIdentity(null);
            dirty = true;
        }
    }
}
if (dirty) {
    context.saveObject(identity);
    context.commitTransaction();
}
Hope this helps someone who runs into a similar scenario.
Thanks!
Sumit Gupta
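Before running a rule that nulls out assignments and commits identities, it is worth seeing which AttributeAssignment entries would be touched. The script below is an added example (not part of the post above and not IdentityIQ's own code) that performs the same "does a Link exist for this application, instance and nativeIdentity?" check as the rule, but offline, against an exported identity XML file. The layout of the sample XML (Links with an ApplicationRef, AttributeAssignment elements under the identity's preferences map, and a separate "sailpoint" root) is an assumption modelled on IIQ exports, and the identity, application ids and group values are constructed for the demo.

```python
"""Dry-run audit of sticky entitlements (AttributeAssignment entries whose
Link no longer exists) in an exported identity XML file.

Added example, not IdentityIQ code. Assumed export layout (constructed):
  <Identity name=...>
    <Links><Link nativeIdentity=... instance=...>
      <ApplicationRef><Reference id=... name=.../></ApplicationRef>
    </Link></Links>
    ... <AttributeAssignment applicationId=... instance=... nativeIdentity=... source="LCM" .../>
"""
import xml.etree.ElementTree as ET

# Constructed sample: one matching assignment, one pointing at an application
# whose Link is gone (a disabled/removed AD account), one with a blank nativeIdentity.
SAMPLE_IDENTITY_XML = """<sailpoint>
  <Identity name="jdoe">
    <Links>
      <Link nativeIdentity="jdoe@example.com">
        <ApplicationRef>
          <Reference class="sailpoint.object.Application" id="app-hr-1" name="HR Portal"/>
        </ApplicationRef>
      </Link>
    </Links>
    <Preferences>
      <Map>
        <entry key="attributeAssignments">
          <value>
            <List>
              <AttributeAssignment applicationId="app-hr-1" applicationName="HR Portal"
                name="groups" nativeIdentity="jdoe@example.com" source="LCM" value="HR-Readers"/>
              <AttributeAssignment applicationId="app-ad-1" applicationName="Active Directory"
                name="memberOf" nativeIdentity="CN=jdoe,OU=Users,DC=example,DC=com" source="LCM"
                value="CN=VPN-Users,OU=Groups,DC=example,DC=com"/>
              <AttributeAssignment applicationId="app-hr-1" applicationName="HR Portal"
                name="groups" nativeIdentity="" source="LCM" value="HR-Admins"/>
            </List>
          </value>
        </entry>
      </Map>
    </Preferences>
  </Identity>
</sailpoint>
"""


def collect_links(identity_el):
    """Set of (applicationId, instance, nativeIdentity) for every Link on the identity."""
    links = set()
    for link in identity_el.findall("./Links/Link"):
        ref = link.find("./ApplicationRef/Reference")
        app_id = ref.get("id") if ref is not None else None
        links.add((app_id, link.get("instance"), link.get("nativeIdentity")))
    return links


def find_orphaned_assignments(identity_el):
    """Return (parent, AttributeAssignment) pairs with no matching Link, mirroring the
    rule: a blank nativeIdentity or a missing Link for (app, instance, nativeIdentity)
    means the assignment is orphaned."""
    links = collect_links(identity_el)
    orphans = []
    for parent in identity_el.iter():
        for aa in list(parent):
            if aa.tag != "AttributeAssignment":
                continue
            native = (aa.get("nativeIdentity") or "").strip()
            key = (aa.get("applicationId"), aa.get("instance"), native)
            if not native or key not in links:
                orphans.append((parent, aa))
    return orphans


def audit(xml_text):
    """Report {identity name: [(applicationName, attribute, value), ...]} of orphaned assignments."""
    root = ET.fromstring(xml_text)
    return {
        ident.get("name"): [
            (aa.get("applicationName"), aa.get("name"), aa.get("value"))
            for _, aa in find_orphaned_assignments(ident)
        ]
        for ident in root.iter("Identity")
    }


def scrub(xml_text):
    """Return (cleaned xml, count removed): drops orphaned assignments from the export
    so the result can be diffed against the original before any rule is run."""
    root = ET.fromstring(xml_text)
    removed = 0
    for ident in root.iter("Identity"):
        for parent, aa in find_orphaned_assignments(ident):
            parent.remove(aa)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for name, orphans in audit(SAMPLE_IDENTITY_XML).items():
        print(name)
        for app, attr, value in orphans:
            print(f"  orphaned sticky entitlement: {app} / {attr} = {value}")
```

The report is the useful part: it lists, per identity, exactly the entries the rule would detach, which can be compared with the Leaver events that removed the corresponding accounts. Note that the rule nulls nativeIdentity and lets IIQ drop the assignment, whereas scrub() removes the element outright in the exported copy; the scrubbed XML is for review and diffing, not for importing back over live identities.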
I don't see why not. The code is already doing a save on an identity.