Identity Manager

How to delete from UNSAccountBInUNSGroupB when the assignment is indirect?

We have a user with 3 groups assigned:

  • GA - through IT Shop (indirect)
  • GB - through IT Shop (indirect)
  • GC - through Manager (direct)

All above resides in UNSAccountBInUNSGroupB.

I'm trying to delete above with script:

Public Function TSB_UNSAccountBInUNSGroupB_Delete(ByVal UID_UNSAccountB As String, ByVal UID_UNSGroupB As String) As Boolean

    Dim UNSAccountBInUNSGroupB As IEntity = Nothing
    Dim f As ISqlFormatter = Connection.SqlFormatter

    ' Look up the membership row for this account/group pair.
    If Session.Source.TryGet(Query.From("UNSAccountBInUNSGroupB") _
            .Where(f.Comparison("UID_UNSAccountB", UID_UNSAccountB, ValType.String, CompareOperator.Equal, FormatterOptions.NonUnicodeLiterals)) _
            .Where(f.Comparison("UID_UNSGroupB", UID_UNSGroupB, ValType.String, CompareOperator.Equal, FormatterOptions.NonUnicodeLiterals)) _
            .SelectNonLobs, UNSAccountBInUNSGroupB) Then
        ' Delete the row together with its dependent objects.
        Dim deepDelete = UNSAccountBInUNSGroupB.DeepDelete(Session)
        Return True
    End If

    ' No matching membership row found.
    Return False

End Function

but I'm able to delete only the GC assignment. How do I delete the other two?

  • You should cancel the request, so that the assignment will be deprovisioned.
  • Now, we are setting ValidUntil to a date in the past for the IT Shop request, but it usually takes approx. 5 min for IDM to get to know about this fact. Is it possible to cancel the request faster?
  • I am trying not to repeat myself, but what version are you using?
  • Speaking generally, you cannot delete the inherited group membership; you can only deal with the cause that led to the membership. That's the whole point of having automated inherited memberships.

    • If the membership was the result of an Org (or Department, Cost Center, Location) membership, then you have to remove this membership to lose the inherited membership. But be aware that you might lose more entitlements depending on your role definition.
    • If the membership was a requested membership, end the request for the membership.

    But there are OOTB functions that do this kind of removal, for example when you have denied membership attestations. The configuration parameter for your case would be QER\Attestation\AutoRemovalScope\GroupMembership, and the script (for your case) is called VI_AttestationCase_RemoveGroupMembership, triggered by the process VI_Attestation_AttestationCase_AutoRemoveMemberships.

    You can use this as guidance on how to deal with your problem.

    But please keep my advice in mind in regards to the inherited memberships and the potential collateral damage.
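As an added illustration of the point made in the last reply (this is example code, not from the original poster or from One Identity Manager itself), the question's script can be made to check the assignment origin before deleting, so that it reports rather than silently fails on an indirect membership. It assumes the same VI.DB objects the question uses (Session, Query, Connection.SqlFormatter), that UNSAccountBInUNSGroupB carries an XOrigin bitmask in which bit value 1 marks a direct assignment and any other bit marks an indirect one, and that the column can be read with GetValue("XOrigin").Int; the function name and the reason parameter are hypothetical.

```vb
' Added example, not part of the original post. Assumes the VI.DB API shown in the
' question and that XOrigin bit 1 = direct assignment (other bits = inherited/requested).
Public Function TSB_UNSAccountBInUNSGroupB_TryDelete(ByVal UID_UNSAccountB As String, _
        ByVal UID_UNSGroupB As String, ByRef reason As String) As Boolean

    Dim membership As IEntity = Nothing
    Dim f As ISqlFormatter = Connection.SqlFormatter

    If Not Session.Source.TryGet(Query.From("UNSAccountBInUNSGroupB") _
            .Where(f.Comparison("UID_UNSAccountB", UID_UNSAccountB, ValType.String, CompareOperator.Equal, FormatterOptions.NonUnicodeLiterals)) _
            .Where(f.Comparison("UID_UNSGroupB", UID_UNSGroupB, ValType.String, CompareOperator.Equal, FormatterOptions.NonUnicodeLiterals)) _
            .SelectNonLobs, membership) Then
        reason = "No membership row found."
        Return False
    End If

    ' XOrigin is a bitmask; only the direct-assignment bit (1) is something a delete can remove.
    Dim origin As Integer = membership.GetValue("XOrigin").Int

    If (origin And 1) = 0 Then
        ' Purely indirect: deleting the row would be undone by the next inheritance calculation,
        ' so point the caller at the cause instead (role membership or IT Shop request).
        reason = "Membership is indirect only (XOrigin=" & origin & "); remove the role membership or end the IT Shop request instead."
        Return False
    End If

    If (origin And (Not 1)) <> 0 Then
        ' Direct and indirect bits both set: the delete clears only the direct part,
        ' and the membership stays in effect through the indirect path.
        reason = "Direct part removed, but an indirect assignment (XOrigin=" & origin & ") still keeps the membership in effect."
    Else
        reason = "Direct assignment removed."
    End If

    Dim deepDelete = membership.DeepDelete(Session)
    Return True

End Function
```

For the GA and GB memberships from the question the function returns False with the "indirect only" reason, which is the behaviour the reply describes: the row is not the thing to delete, the request is.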