Managing Leaver Process
SAP does not support the Disable operation for the IAG application, but it does support a Delete operation. SailPoint Identity Security Cloud does not expose the Delete operation in its UI, so a before provisioning rule must be implemented to convert the Disable request sent by the SailPoint platform into a Delete request for the connector.
To perform the delete operation, complete the following:
- Create a lifecycle state with the name "delete".
- Do not assign any access profiles to this lifecycle state.
- Configure a before provisioning rule, as in the following example, to map the "delete" lifecycle state to the connector's delete operation:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Change_disable_to_delete" type="BeforeProvisioning">
  <Description>BP rule for changing disable account request to delete in SAC connector</Description>
  <Source><![CDATA[
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;

try {
  if (plan != null) {
    log.warn("In IAG BP rule Convert disable to delete");
    Identity identity = plan.getIdentity();
    if (identity != null) {
      log.warn("Identity name is: " + identity.getName());
      String lcs = identity.getStringAttribute("cloudLifecycleState");
      String appName = application.getName();
      log.warn("Application name is: " + appName);
      log.warn("Identity lcs value: " + lcs);
      // Only rewrite the plan when the identity is in the "delete" lifecycle state;
      // "delete".equals(lcs) is null-safe if the attribute is not set
      if ("delete".equals(lcs)) {
        List accountRequests = plan.getAccountRequests();
        if (accountRequests != null) {
          // Walk every account request in the plan, not only the first one
          for (AccountRequest accountRequest : accountRequests) {
            // Change each Disable request to a Delete request for the connector
            if (AccountRequest.Operation.Disable.equals(accountRequest.getOperation())) {
              accountRequest.setOperation(AccountRequest.Operation.Delete);
            }
          }
        }
      }
    }
  }
} catch (Exception e) {
  log.error("Error in BP rule: ", e);
}
]]></Source>
</Rule>
- Assign the "delete" lifecycle state to an identity.
This deletes the identity's account from the SAP IAG application.