• State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 93 subscribers
  • Views 5335 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to delete from UNSAccountBInUNSGroupB when assignement is indirect?

p.noga
over 6 years ago

We've user with 3 groups assigned:

  • GA - through IT Shop (indirect)
  • GB - through IT Shop (indirect)
  • GC - through Manager (direct)

All above resides in UNSAccountBInUNSGroupB.

I'm trying to delete above with script:

Public Function TSB_UNSAccountBInUNSGroupB_Delete(ByVal UID_UNSAccountB As String, ByVal UID_UNSGroupB As String) As Boolean

    Dim UNSAccountBInUNSGroupB As IEntity = Nothing
    Dim f As ISqlFormatter = Connection.SqlFormatter
	
	If Session.Source.TryGet( Query.From("UNSAccountBInUNSGroupB") _
							  .Where(f.Comparison("UID_UNSAccountB", UID_UNSAccountB, ValType.String, CompareOperator.Equal, FormatterOptions.NonUnicodeLiterals)) _
							  .Where(f.Comparison("UID_UNSGroupB", UID_UNSGroupB, ValType.String, CompareOperator.Equal, FormatterOptions.NonUnicodeLiterals)) _
							  .SelectNonLobs, UNSAccountBInUNSGroupB )
		Dim deepDelete = UNSAccountBInUNSGroupB.DeepDelete(Session)
		deepDelete.Execute(Session)
		Return True
	End If

    Return False

End Function

but I'm able to delete only GC assignement? How to delete two others?

  • 0 over 6 years ago
    You should cancel the request, so that the assignment will be deprovisioned.
  • 0 over 6 years ago
    Now, we are setting ValidUntil to date in the past for IT Shop request but it usually take cca. 5 min to IDM to get to know about this fact. Is it possible to cancel request faster?
  • 0 over 6 years ago
    I am trying not to repeat myself, but what version are you using?
  • 0 over 6 years ago

    Speaking generally, you cannot delete the inherited group membership you can only deal with the cause that lead to the membership. That's the whole point of having automated inherited memberships.

    • If the membership was the result of an Org (or Department, Cost Center, Location) membership, dann you have to remove this membership to loose the inherited membership. But be aware that you might loose more entitlements depending on your role definition.
    • If  the membership was a requested membership, end the request for the membership.

    But there OOTB functions that do kind of removal for example when you have denied membership attestations. The configuration parameter for your case would be QER\Attestation\AutoRemovalScope\GroupMembership and the scripts (for your case) is called VI_AttestationCase_RemoveGroupMembership triggered by the process VI_Attestation_AttestationCase_AutoRemoveMemberships . 

    You can use this as guidance how to deal with your problem.

    But please keep my advise in mind in regards to the inherited memberships and the potential collateral damage.