Unable to Remove UNS Groups and Roles from UNSAccountB after Request Approval in Identity Manager v9.2

Hello,
I have integrated the UNS system using a custom REST API script on One Identity Manager v9.2.

  • User objects are added to the UNSAccountB table.

  • Group objects are added to the UNSGroupB table.

  • Role objects are added to the UNSGroupB1 table.

Additionally, I have created a new shelf under IT Shop and made all UNS system roles and groups available for request. The environment uses the default Identity Manager configuration.

When a group or role request is approved by the administrator, it is successfully added to the UNS system. However, when assigning a new role, I need to remove the previously assigned groups and roles.

I’m unable to delete these entries directly because the UNSAccountBHasUNSGroup and UNSAccountBHasUNSGroup1 tables contain IsInEffect and XOrigin values that prevent manual deletion via SQL.

When I attempt to change these values and delete the records manually, the corresponding groups and roles reappear after synchronization or system updates.

Request:
I would like to know the proper and supported method to remove UNSGroupB and UNSGroupB1 objects that were added to UNSAccountB via request — either:

  • manually through a recommended procedure, or

  • using Identity Manager process logic (if there is a built-in or recommended process for revocation).

Could you please advise on the correct approach or provide documentation for safely removing these UNS associations?

Environment Details:

  • One Identity Manager Version: 9.2

  • Integration Type: Custom REST API Script

  • Modules Used: UNSAccountB, UNSGroupB, UNSGroupB1, IT Shop

  • When you assign entitlements via the IT Shop they will be assigned indirectly (XOrigin's bit value set to 2).
    To properly remove the entitlement you have to unsubscribe the assigned request (PersonWantsOrg).
    You don't want to bypass the object/entity layer and use straight SQL; this will make your system inconsistent.

    Example

    ' Cancels or unsubscribes an IT Shop request through the object layer.
    ' ObjectKeyPWO is the XML object key of the PersonWantsOrg row; Reason is
    ' stored with the request history.
    Public Sub CCC_CancelITShopRequest(ByVal ObjectKeyPWO As String, Optional ByVal Reason As String = "")
        Dim key As New DbObjectKey(ObjectKeyPWO)

        ' Load the request interactively so entity methods and their logic run.
        Dim pwo As IEntity = Nothing
        If Not Session.Source().TryGet(key, EntityLoadType.Interactive, pwo) Then Exit Sub

        ' Pick the entity method that matches the current request state:
        ' pending requests are cancelled, assigned ones are unsubscribed.
        Dim methodName As String = String.Empty
        Select Case pwo.GetValue("OrderState").String
            Case "OrderProduct", "OrderProlongate", "OrderUnsubscribe"
                methodName = "CancelOrder"
            Case "Assigned"
                methodName = "Unsubscribe"
        End Select

        ' Any other state (already unsubscribed, aborted, ...) is left alone.
        If String.IsNullOrEmpty(methodName) Then Exit Sub

        If String.IsNullOrEmpty(Reason) Then Reason = "IT Shop request cancelled automatically."

        ' The method is invoked for the person the request was ordered for and
        ' the change is persisted; the system then recalculates XOrigin/IsInEffect.
        pwo.CallMethod(methodName, pwo.GetValue("UID_PersonOrdered").String, Reason)
        pwo.Save(Session)
    End Sub


    For your use case, if I understand correctly, you want to assign a person to only 1 role at a time.
    This is not something that IM offers OOTB. P.s. I don't know anything about your environment (user, role count), so this is just a quick outline of ways I could think of...

    1 Using OOTB components
    Create 1 service item with a request property that contains a list of the roles; a user can select only 1 role from the list.
    If the user wants to change his role he needs to unsubscribe first and then request it again.
    Create dynamic business roles per role with a where clause that checks if the user is assigned to a PWO with the request property containing the matching role name.

    pro: quick to set up, no customization
    con: many dyn roles with short recalc time could have perf. impact, user has to unsubscribe first, user is role-less while the role is waiting for approval

    2 Custom ShoppingCartOrder Check + extra approval policy step to unsubscribe currently assigned roles via custom script

    Create your own ShoppingCartOrder Check covering your requirements
    https://www.oneidentity.com/community/identity-manager/f/forum/37852/shoppingcartorder-check-customization
    In the approval policy add an extra automatic approval step, 'EX - Approvals to be made externally', to unsubscribe previously assigned roles,
    and use that to run your custom unsubscribe script.
    https://www.oneidentity.com/community/identity-manager/f/forum/39352/how-can-i-run-a-custom-script-before-personwantsorg-goes-to-unsubscribed-or-aborted

    con: advanced customization
    pro: better UI experience

    3 Other option?
    Maybe other experts can share their opinion/experience on similar use case.

    And maybe also setup some extra policy/audit rule to double check if users are not assigned to 2 or more roles.
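Added example for option 2, written for this page and not taken from the post above or from One Identity: a script that, once the new role request is in effect, unsubscribes every other assigned request the same person holds in the same IT Shop shelf by going through the entity layer, so the UNSAccountBHasUNSGroupB tables are cleaned up by the system itself and the request history stays intact for audit. It reuses the reply's CCC_CancelITShopRequest and assumes it sits in the same script library. Further assumptions that are not on the page and should be verified against your schema and API version: that PersonWantsOrg.UID_ITShopOrg references the product node and that node's ITShopOrg.UID_ParentITShopOrg is the shelf from the question, and that the VI.DB calls used (ISqlFormatter.UidComparison, Comparison, InScalarSubQuery, Query.From(...).Where(...).SelectAll(), DbObjectKey.ToXmlString) are available in your version.

```vb
' Added example (not code from the original post or from One Identity).
' Intended to run from an 'EX - Approvals to be made externally' step or a
' process step after the new request reaches OrderState = 'Assigned'.
' Assumptions (verify against your schema / API version):
'   - PersonWantsOrg.UID_ITShopOrg references the product node, and
'     ITShopOrg.UID_ParentITShopOrg of that node is the shelf from the question.
'   - CCC_CancelITShopRequest from the reply above is in the same script library.
Public Function CCC_UnsubscribeOtherShelfRequests(ByVal UID_PersonWantsOrgNew As String) As Integer
    Dim newPwo As IEntity = Nothing
    Dim newKey As New DbObjectKey("PersonWantsOrg", UID_PersonWantsOrgNew)
    If Not Session.Source().TryGet(newKey, EntityLoadType.ReadOnly, newPwo) Then Return 0

    ' Only act once the new role is actually in effect; otherwise the person
    ' would be left without any role while the new request is still pending.
    If newPwo.GetValue("OrderState").String <> "Assigned" Then Return 0

    Dim uidPerson As String = newPwo.GetValue("UID_PersonOrdered").String
    Dim uidProductNode As String = newPwo.GetValue("UID_ITShopOrg").String

    ' Resolve the shelf the newly assigned product hangs under (assumption, see above).
    Dim productNode As IEntity = Nothing
    If Not Session.Source().TryGet(New DbObjectKey("ITShopOrg", uidProductNode), EntityLoadType.ReadOnly, productNode) Then Return 0
    Dim uidShelf As String = productNode.GetValue("UID_ParentITShopOrg").String
    If String.IsNullOrEmpty(uidShelf) Then Return 0

    ' Build the filter with the SQL formatter so values are escaped properly,
    ' never by concatenating UIDs into a WHERE clause by hand.
    Dim f As ISqlFormatter = Session.SqlFormatter()
    Dim whereClause As String = f.AndRelation(
        f.UidComparison("UID_PersonOrdered", uidPerson),
        f.Comparison("OrderState", "Assigned", ValType.String),
        f.Comparison("UID_PersonWantsOrg", UID_PersonWantsOrgNew, ValType.String, CompareOperator.NotEqual),
        f.InScalarSubQuery("UID_ITShopOrg", "ITShopOrg", "UID_ITShopOrg",
                           f.UidComparison("UID_ParentITShopOrg", uidShelf)))

    Dim others As IEntityCollection = Session.Source().GetCollection(
        Query.From("PersonWantsOrg").Where(whereClause).SelectAll(), EntityCollectionLoadType.Bulk)
    others.Load()

    ' Unsubscribe each remaining request through the reply's routine; for
    ' OrderState 'Assigned' that calls the Unsubscribe entity method, which lets
    ' the system recalculate XOrigin / IsInEffect on the UNS assignment tables.
    Dim unsubscribed As Integer = 0
    For Each pwo As IEntity In others
        Dim pwoKey As New DbObjectKey("PersonWantsOrg", pwo.GetValue("UID_PersonWantsOrg").String)
        CCC_CancelITShopRequest(pwoKey.ToXmlString(), "Replaced by request " & UID_PersonWantsOrgNew)
        unsubscribed += 1
    Next
    Return unsubscribed
End Function
```

The returned count is what a follow-up policy or audit rule (the check the reply suggests) can compare against: after the script has run, a person should hold at most one assigned request in that shelf, and anything else indicates a request that was approved in parallel and needs a second look.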
