IdentityIQ Sailpoint Show only Active Manager in Workitem forwarding

            <entry key="ReassignmentRecipient">
              <value>
                <IdentityFilter name="ReassignmentRecipient" order="Ascending">
                  <FilterScript>
                    <Script>
                      <Source>
                        import sailpoint.object.Identity;
                        import sailpoint.object.QueryOptions;
                        import sailpoint.object.Filter;
                        import java.util.List;
                        import java.util.ArrayList;

                        Identity identity = context.getObjectById(Identity.class, loggedInUser);
                        if(identity == null){
                          identity = context.getObjectByName(Identity.class, loggedInUser);
                        }
                        QueryOptions qo = new QueryOptions();
                        List managers = new ArrayList();
                        int managerLevels = 2;
                        int maxIterations = 15;
                        if(identity != null){
                          int level = 0;
                          int iter = 0;
                          while((level &lt; managerLevels) &amp;&amp; (iter &lt; maxIterations)){
                             iter++;
                             Identity manager = identity.getManager();
                             if(null == manager)
                               break;
                             if(!manager.isInactive()){
                               managers.add(manager.getId());
                               level++;
                             }
                             identity = manager;
                          }
                        }
                        qo.addFilter(Filter.in("id",managers));
                        return qo;
                        </Source>
                    </Script>
                  </FilterScript>
                  <OrderBy>
                    <String>firstname</String>
                  </OrderBy>
                </IdentityFilter>
              </value>
            </entry>

            ownerNameSuggestBoxApprovalForward

            ownerNameSuggestBoxWorkItemListForward

Sailpoint IdentityIQ Request Details SQL

 Request Details Using SQL

 SELECT 
	SPT_IDENTITY_REQUEST.NAME AS REQUESTID,
    SPT_IDENTITY_REQUEST.COMPLETION_STATUS AS REQUESTIDSTATUS,
    '"'||SPT_IDENTITY_REQUEST_ITEM.APPLICATION||'"' AS APPLICATIONNAME,
    '"'||SPT_IDENTITY_REQUEST.TARGET_DISPLAY_NAME||'"' AS REQUESTEENAME,
    SPT_IDENTITY_REQUEST_ITEM.OPERATION AS OPERATION,
    SPT_IDENTITY_REQUEST_ITEM.PROVISIONING_STATE AS PROVISIONINGSTATE,
    '"'||SPT_IDENTITY_REQUEST_ITEM.NAME||'"' AS ATTRNAME,
    '"'||SPT_IDENTITY_REQUEST_ITEM.VALUE||'"' AS ATTRVALUE
    FROM SPT_IDENTITY_REQUEST,
		SPT_IDENTITY_REQUEST_ITEM 
    WHERE 
    SPT_IDENTITY_REQUEST.ID=SPT_IDENTITY_REQUEST_ITEM.IDENTITY_REQUEST_ID AND 
    SPT_IDENTITY_REQUEST.TYPE='AccessRequest' AND 
    SPT_IDENTITY_REQUEST_ITEM.PROVISIONING_STATE != 'Finished' AND 
    SPT_IDENTITY_REQUEST.COMPLETION_STATUS IN ('Failure','Incomplete') AND  
    SPT_IDENTITY_REQUEST_ITEM.OPERATION != 'Set' AND 
    ((CAST(SYS_EXTRACT_UTC(CURRENT_TIMESTAMP) AS DATE) - TO_DATE('1970-01-01 00:00:00','YYYY-MM-DD HH24:MI:SS')) * 86400*1000) -1*86400*1000 < SPT_IDENTITY_REQUEST.END_DATE

Sailpoint IdentityIQ Loopback Connector Configuration

Loopback Connector is used to manage the Workgroup & Capability of Sailpoint. This Connector is part of the SSF Framework.

Below Configuration is done to manage the WG which start with  "VIS"

• Ignore non correlated identities = true
• Ignore identities with no entitlements = true
• Identity filter = Workgroups.name.startsWith("VIS")

Account Customization Rule

List workgroupList = (List)object.getAttribute("workgroups.name");
List updatedWorkgroupList=new ArrayList();
if(!workgroupList.isEmpty()){
  for(String workgroupName:workgroupList){  
  if(workgroupName.startsWith("VIS")){
	updatedWorkgroupList.add(workgroupName);
  }  
 }
  if(!updatedWorkgroupList.isEmpty()){
	object.setAttribute("workgroups.name",updatedWorkgroupList);
	return object;
	}else{
	return null;
	}
}else{
return null;
}

 WorkGroup Customization Rule

import sailpoint.object.ManagedAttribute;
import java.util.Map;
import java.util.HashMap;
String workGroupName = (String) object.getAttribute("name");
if (workGroupName.startsWith("VIS")){
	object.put("privileged","Yes");
	object.setDisplayName(object.getAttribute("name"));
    object.setAttribute("description",(String)object.getAttribute("description"));
return object ;
}

Sailpoint IdentityIQ Database Multiplex Application Configuration

Sailpoint IdentityIQ Database Multiplex Application Configuration

APPLICATION --> ACCESS_NAME --> ACCOUNTS

Group Query : SELECT DISTINCT APPLICATION_ID,APPLICATION,ACCESS_ID,ACCESS_NAME,ACCESS_DESCRIPTION from VIS_APPLICATION order by ACCESS_NAME ASC

Account Query : SELECT IDENTIFICATION, USER_TYPE, NAME, LASTNAME, STATUS,EMAIL,APPLICATION,ACCESS_NAME FROM VIS_USER order by EMAIL ,APPLICATION,ACCESS_NAME

JDBCBuildMap / Build Map Rule

        import java.util.Map;     
        import sailpoint.connector.*;
	import sailpoint.object.Application;
	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import sailpoint.api.SailPointContext;
	
     Map map = JDBCConnector.buildMapFromResultSet(result, schema);  
     if (schema.getObjectType().compareTo(Connector.TYPE_ACCOUNT) == 0) {                   
		String applName = (String) map.get("APPLICATION");    
		String mergeAttribute = (String) map.get("EMAIL") + "_VIS " + applName;     
		map.put( "IIQSourceApplication","VIS" + applName);     
		map.put("mergeAttribute",mergeAttribute);		
     }else if (schema.getObjectType().compareTo(Connector.TYPE_GROUP) == 0) {
		String applName = (String) map.get("APPLICATION"); 	   
		String profilemergeAttribute = (String) map.get("ACCESS_NAME") + "_VIS " + applName;   	   
		map.put( "IIQSourceApplication","VIS" + applName);     
		map.put("profilemergeAttribute",profilemergeAttribute);
    }    
    return map;

ResourceObjectCustomization/Customization Rule

        import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import sailpoint.api.SailPointContext;
	import sailpoint.object.Configuration;
	import sailpoint.object.ResourceObject;
	import sailpoint.tools.GeneralException;
		
	ResourceObject resourceObject = object;	
	String APP_STATUS_ATTRIBUTE = "STATUS";
	List ACTIVE_STATUS_LIST = new ArrayList( Arrays.asList("ENABLED", "Enabled", "enabled", "ENABLE", "Enable", "enable", "ACTIVE", "Active", "active") );
	String accountStatus = null;	
	if ("account".equals(object.getObjectType())) {	
		accountStatus = object.getAttribute(APP_STATUS_ATTRIBUTE);		
		if(ACTIVE_STATUS_LIST.contains(accountStatus) ){			
			resourceObject.setAttribute("IIQDisabled", false);			
		}else{			
			resourceObject.setAttribute("IIQDisabled", true);			
		}		
	}
	return resourceObject;

Sailpoint IdentityIQ Tomcat Upgrade

Sailpoint IdentityIQ Tomcat Upgrade (9.0.54) version

Upgrade Steps

1. Stop  tomcat services on each node
2. <copy the installer in tmp directory from local machine>
3. cd /tmp
4. cp apache-tomcat-9.0.54.zip /apps
5. cd /apps
6. unzip apache-tomcat-9.0.54.zip
7. rm -rf apache-tomcat-9.0.54.zip
8. chmod 777 -R apache-tomcat-9.0.54
9. mv tomcat bkp_apache-tomcat-8.5.34
10. mv apache-tomcat-9.0.54 tomcat
11. chmod 777 -R tomcat
12. cd /apps/bkp_apache-tomcat-8.5.34/bin
13. cp setenv.sh /apps/tomcat/bin
14. cd /apps/bkp_apache-tomcat-8.5.34/conf
15. cp tomcat-users.xml server.xml /apps/tomcat/conf
16. cp -R Catalina/ /apps/tomcat/conf
17. cd /apps/tomcat/conf
18. chmod 777 -R Catalina/

IIQ Application setup

1. cd /apps/tomcat/webapps
2. rm -rf examples docs
3. cd /apps/bkp_apache-tomcat-8.5.34/webapps
4. cp -R identityiq /apps/tomcat/webapps
5. cd /apps/tomcat/webapps
6. chmod 777 -R identityiq/

Repeat the all the above steps on each server.

Performance Tuning for Application Server Apache Tomcat for Sailpoint IdentityIQ

 Performance Tuning for Application  Server Apache Tomcat  for Sailpoint IdentityIQ

1. UI Server

Create a file with name setenv.sh inside /tomcat/bin Directory

# Begin settings to support SailPoint IdentityIQ application.

export CATALINA_OPTS="$CATALINA_OPTS -Xms512m"

export CATALINA_OPTS="$CATALINA_OPTS -Xmx4096m"

export CATALINA_OPTS="$CATALINA_OPTS -XX:MaxGCPauseMillis=200"

export CATALINA_OPTS="$CATALINA_OPTS -XX:+UseG1GC"

# Support time-out of LDAP pooled connections for 3 seconds to all LDAP servers.  

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.connect.pool.timeout=3000"  

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'"  

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.connect.pool.authentication='none simple DIGEST-MD5'"  

export CATALINA_OUT=/logs/tomcat/catalina.out

# -End- settings to support SailPoint IdentityIQ application.  

export JAVA_OPTS="$JAVA_OPTS -Dhttp.proxyHost=<proxy server>"

export JAVA_OPTS="$JAVA_OPTS -Dhttp.proxyPort=<port>"

export JAVA_OPTS="$JAVA_OPTS -Dhttp.nonProxyHosts=*.company.com\|abcd"

Comment the below line from tomcat/conf/server.xml file

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"  maxThreads="512"/>

Perform below steps for rewrite URL

Add line - <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" /> in server.xml

/apps/tomcat/conf/Catalina/localhost/rewrite.config 

RewriteCond %{HTTP_HOST}  ^abcd.*

RewriteRule ^/$ /identityiq

2. Task Server

Create a file with name setenv.sh inside /tomcat/bin Directory

# Begin settings to support SailPoint IdentityIQ application.

export CATALINA_OPTS="$CATALINA_OPTS -Xms1024m"

export CATALINA_OPTS="$CATALINA_OPTS -Xmx6144m"

export CATALINA_OPTS="$CATALINA_OPTS -XX:+UseParallelGC"

# Support time-out of LDAP pooled connections for 3 seconds to all LDAP servers.  

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.connect.pool.timeout=3000"  

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.connect.pool.protocol='plain ssl'"  

export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.jndi.ldap.connect.pool.authentication='none simple DIGEST-MD5'"  

export CATALINA_OUT=/logs/tomcat/catalina.out

# -End- settings to support SailPoint IdentityIQ application.

export JAVA_OPTS="$JAVA_OPTS -Dhttp.proxyHost=<proxy server>"

export JAVA_OPTS="$JAVA_OPTS -Dhttp.proxyPort=<port>"

export JAVA_OPTS="$JAVA_OPTS -Dhttp.nonProxyHosts=*.company.com\|abcd"

3. All Server

Remove docs and examples directory from /apps/tomcat/webapps

Set tomcat/conf/tomcat-users.xml with proper username and password

Create Directory /logs/tomcat

Sailpoint IdentityIQ Database Performance Tests

Sailpoint IdentityIQ Database Performance Tests

Rule is Available in Community Site "https://community.sailpoint.com/t5/Other-Documents/IdentityIQ-Database-Performance-Tests/ta-p/78060"

Just Rule need to be Imported and can be Run using the debug Page/ Console/Rule Runner Task

2021-10-19 15:27:40,886 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - IdentityIQ Database Performance Test starting

2021-10-19 15:27:40,886 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - IdentityIQ Version: 7.3p3 6a66e78-20190718-230225

2021-10-19 15:27:40,887 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - DB Performance Test Rule version: 20190827

2021-10-19 15:27:40,887 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Executed from Host: XXXX.vishal.com

2021-10-19 15:27:40,887 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Executed on Date: 2021-10-19 15:27:40.864

2021-10-19 15:27:40,887 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Populating 1k, 4k, 8k data set HashMaps for 1000 records...

2021-10-19 15:28:16,134 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Data set HashMaps populated.

2021-10-19 15:28:16,135 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Testing 1k data set...

2021-10-19 15:28:19,814 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Completed 1k data set.

2021-10-19 15:28:19,815 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Testing 4k data set...

2021-10-19 15:28:26,533 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Completed 4k data set.

2021-10-19 15:28:26,534 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Testing 8k data set...

2021-10-19 15:28:36,435 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Completed 8k data set.

2021-10-19 15:28:36,466 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Meter Summary:

Meter Generate-IIQDB-Test-DataSets: 1 calls, 35246 milliseconds, 35246 minimum, 35246 maximum, 35246 average, top five [35246]

Meter IIQDB-Test-DataSet-1k-All: 1 calls, 3663 milliseconds, 3663 minimum, 3663 maximum, 3663 average, top five [3663]

Meter IIQDB-Test-DataSet-1k-Item: 1000 calls, 3647 milliseconds, 1 minimum, 343 maximum, 3 average, top five [343,95,63,14,13]

Meter IIQDB-Test-DataSet-4k-All: 1 calls, 6718 milliseconds, 6718 minimum, 6718 maximum, 6718 average, top five [6718]

Meter IIQDB-Test-DataSet-4k-Item: 1000 calls, 6694 milliseconds, 4 minimum, 82 maximum, 6 average, top five [82,76,67,25,22]

Meter IIQDB-Test-DataSet-8k-All: 1 calls, 9901 milliseconds, 9901 minimum, 9901 maximum, 9901 average, top five [9901]

Meter IIQDB-Test-DataSet-8k-Item: 1000 calls, 9882 milliseconds, 7 minimum, 126 maximum, 9 average, top five [126,109,70,31,30]

Meter getConnection: 0 calls, 0 milliseconds, -1 minimum, 0 maximum, 0 average, top five ]



2021-10-19 15:28:36,467 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Cleaning up test objects in the database...

2021-10-19 15:28:52,430 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - Completed cleanup of DB Performance Test records: 15960 milliseconds.


2021-10-19 15:28:52,431 DEBUG http-nio-8080-exec-2 com.sailpoint.IIQDBPerformanceTest:? - IdentityIQ Database Performance Test done

Above is the Output from the IIQ Logs , based on the Sailpoint Recommendation if the values lies below set Database and IIQ connectivity is good

1k - 9 milliseconds

4k - 17 milliseconds

8k - 20 milliseconds

 

Sailpoint IdentityIQ Group Aggregation Refresh Rule

Sailpoint IdentityIQ Group Aggregation Refresh Rule/GroupAggregationRefresh is used to set the value for the Entitlement from Target to the Entitlement Catalogue . Code is modified to take care of the update scenario also. 

	import sailpoint.object.ResourceObject;
	import sailpoint.object.ManagedAttribute;
	import sailpoint.object.Identity;

	int TIME_DIFFERENCE = 300000; // Five minutes
	
	Date modifiedDate = accountGroup.getModified();
	Date createdDate = accountGroup.getCreated();
	boolean entitlementCreated = false;
	
	if(createdDate!=null){
		
		if(modifiedDate != null){
			
			long difference = modifiedDate.getTime() - createdDate.getTime();
			if(difference <= TIME_DIFFERENCE){			
				entitlementCreated = true;				
			}
		} else {			
			entitlementCreated = true;
		}	
	} else {
	}
	if(entitlementCreated){
		Map descMap = new HashMap();
		String descriptionValue = accountGroup.getAttribute("description");
		
		if(null != descriptionValue)
			descMap.put("en_US",descriptionValue);
		else
			descMap.put("en_US","");
		accountGroup.setAttribute("sysDescriptions",descMap);	
	}
	
	Map descMap = new HashMap();
	String descriptionValue = accountGroup.getAttribute("description");
	
	if(null != descriptionValue)
		descMap.put("en_US",descriptionValue);
	else
		descMap.put("en_US","");
	
	accountGroup.setAttribute("sysDescriptions",descMap);
	String displayName = accountGroup.getAttribute("description");
	accountGroup.setDisplayName(displayName);

	return accountGroup;

Sailpoint Identity IQ SQL Query to get the Users Details for Identity Having Multiple Account in same Application

 SQL Query to get the Users Having multiple Account in Same Application 

Select count(*) ,
SPT_APPLICATION.NAME AS APPLICATION_NAME ,
SPT_IDENTITY.name AS IDENTITY_NAME , 
SPT_IDENTITY.ID AS IDENTITY_ID , 
SPT_APPLICATION.ID AS APPLICATION_ID
from SPT_LINK , SPT_IDENTITY , SPT_APPLICATION 
where 
SPT_IDENTITY.ID=SPT_LINK.IDENTITY_ID and
SPT_APPLICATION.ID=SPT_LINK.APPLICATION and 
SPT_IDENTITY.CORRELATED=1 and 
SPT_APPLICATION.NAME not in ('Active Directory Corp')
--and SPT_IDENTITY.NAME like 'VKEJRIWAL'
group by SPT_IDENTITY.name , SPT_APPLICATION.NAME  ,SPT_IDENTITY.ID , SPT_APPLICATION.ID
HAVING COUNT(*)>1
order by SPT_APPLICATION.NAME ,SPT_IDENTITY.name

Query to get the Status of above Account

SELECT SPT_LINK.NATIVE_IDENTITY ,VIS_TEMP.APPLICATION_NAME,EXP_TEMP.IDENTITY_NAME,
SPT_LINK.DISPLAY_NAME ,EXP_TEMP.IDENTITY_ID,EXP_TEMP.APPLICATION_ID,
EXTRACT(xmltype(ATTRIBUTES),'/Attributes/Map/entry[@key=''IIQDisabled'']/value') AS STATUS
from SPT_LINK , VIS_TEMP
where SPT_LINK.IDENTITY_ID=VIS_TEMP.IDENTITY_ID
and SPT_LINK.APPLICATION=VIS_TEMP.APPLICATION_ID
--and  EXP_TEMP.IDENTITY_NAME like 'VKEJRIWAL'

 SQL Query to get Entitlement tied to above Accounts 

Select 
VIS_TEMP.APPLICATION_NAME,
VIS_TEMP.IDENTITY_NAME,
SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY,
SPT_IDENTITY_ENTITLEMENT.DISPLAY_NAME,
VIS_TEMP.IDENTITY_ID ,
SPT_MANAGED_ATTRIBUTE.VALUE,

from SPT_IDENTITY_ENTITLEMENT,VIS_TEMP,SPT_MANAGED_ATTRIBUTE, SPT_APPLICATION
where
SPT_IDENTITY_ENTITLEMENT.IDENTITY_ID=VIS_TEMP.IDENTITY_ID
and SPT_MANAGED_ATTRIBUTE.VALUE=SPT_IDENTITY_ENTITLEMENT.VALUE
and SPT_MANAGED_ATTRIBUTE.APPLICATION=SPT_IDENTITY_ENTITLEMENT.APPLICATION
and SPT_APPLICATION.ID=SPT_MANAGED_ATTRIBUTE.APPLICATION
and SPT_APPLICATION.ID=SPT_IDENTITY_ENTITLEMENT.APPLICATION
and SPT_APPLICATION.NAME=VIS_TEMP.APPLICATION_NAME

order by VIS_TEMP.IDENTITY_NAME,VIS_TEMP.APPLICATION_NAME

Removing Role and Entitlement Assignment using Sailpoint IIQ API

 Removing Role and Entitlement Attribute Assignment using Sailpoint IIQ API

public removeRoleAssignments(String identityName, ProvisioningProject project){
    	
	Identity identity = context.getObjectByName(Identity.class, identityName);
	if (identity != null){
		ProvisioningPlan plan = project.getMasterPlan();
		AccountRequest accountRequest;
		List attributeRequests = new ArrayList();        
		if( plan != null){					  
			List accountRequestList = new ArrayList();			
			accountRequestList = plan.getAccountRequests("IIQ");
			accountRequestList.addAll(plan.getAccountRequests("IdentityIQ"));
			if(accountRequestList != null && !accountRequestList.isEmpty()){			  
				for(AccountRequest account: accountRequestList){									
					ProvisioningPlan roleRemovalplan = new ProvisioningPlan();              
					roleRemovalplan.setIdentity(identity);         
					if(account != null){
						List roleAttributeRequests = new ArrayList();
						attributeRequests = account.getAttributeRequests("assignedRoles");
						if(attributeRequests != null && !attributeRequests.isEmpty() ){
							AccountRequest roleRequest = new AccountRequest(AccountRequest.Operation.Modify, ProvisioningPlan.APP_IIQ, null, identity.getName());							
							for(AttributeRequest attributeRequest : attributeRequests) {														
								roleAttributeRequests.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES, ProvisioningPlan.Operation.Remove, attributeRequest.getValue()));							
							}
							roleRequest.addAll(roleAttributeRequests);
							roleRemovalplan.add(roleRequest);														
							Provisioner provisioner = new Provisioner(context);
							provisioner.setNoRoleExpansion(true);
							provisioner.execute(roleRemovalplan);			
						}		
					}              
				}               
			}             
		}		  
		context.saveObject(identity);      
		context.commitTransaction();
    }
}

public removeAttributeAssignments(String identityName, ProvisioningProject project){

    Identity identity = context.getObjectByName(Identity.class, identityName);
    boolean updateRequired = false;
	String createOperation="Create";
    if(null !=identity){
      List attrAssignments = identity.getAttributeAssignments();
      if(Util.nullSafeSize(attrAssignments)>0){       
        List attrAssigns = new ArrayList(attrAssignments);   
        if(project != null){
			List expPlans = project.getPlans();
			List accountRequestList = new ArrayList();
			for(ProvisioningPlan expPlan : Util.safeIterable(expPlans)){
            String source;
            source=expPlan.getSource();
            accountRequestList = expPlan.getAccountRequests();
				for(AccountRequest accRequest : Util.safeIterable(accountRequestList)){
				String operation=accRequest.getOp().toString();							  
					if(!Util.nullSafeCaseInsensitiveEq(createOperation,operation)){             
						for(AttributeRequest attrReq : Util.safeIterable(accRequest.getAttributeRequests())){
							if(attrReq!=null && "Remove".equalsIgnoreCase(attrReq.getOp().toString())){
								String requestedgrp = attrReq.getValue(context).toString();
								for (AttributeAssignment attrAssignment : attrAssigns){
								String attAssignmentValue=attrAssignment.getValue();
									if(Util.nullSafeCaseInsensitiveEq(attAssignmentValue,requestedgrp) && (Util.nullSafeCaseInsensitiveEq("LCM",source)||Util.nullSafeCaseInsensitiveEq("Batch",source))){
									attrAssignments.remove(attrAssignment);
									updateRequired = true;
									}
								}
							} 
						}
					}
				}
			}
        }
      }
      if (updateRequired) {
        identity.setAttributeAssignments(attrAssignments);
        context.saveObject(identity);
        context.commitTransaction();
      }
    }
  }

Sailpoint IdentityIQ Web Service Connector Configuration

 Sailpoint IdentityIQ Web Service Connector

Group Data
  
<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
    <meta>
        <fieldOrder>
            <field>ID</field>
            <field>ATTR</field>
            <field>ATVAL</field>
        </fieldOrder>
    </meta>
    <messages>
        <msg type="DEBUG">Data informtaion</msg>
        <msg type="INFO">Your timerange was substituted based on your search string</msg>
    </messages>
    <result offset='0'>
        <field k='ID'>
            <value h='1'>
                <text>3-Role1</text>
            </value>
        </field>
        <field k='ATTR'>
            <value h='1'>
                <text>PROFILE</text>
            </value>
        </field>
        <field k='ATVAL'>
            <value>
                <text>Role one</text>
            </value>
        </field>
    </result>
    <result offset='1'>
        <field k='ID'>
            <value h='1'>
                <text>3-Role2</text>
            </value>
        </field>
        <field k='ATTR'>
            <value h='1'>
                <text>PROFILE</text>
            </value>
        </field>
        <field k='ATVAL'>
            <value>
                <text>Role two</text>
            </value>
        </field>
    </result>
</results>

Account Data

<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
    <meta>
        <fieldOrder>
            <field>ID</field>
            <field>USERLIST</field>
            <field>UserNameInProfile</field>
            <field>EmployeeNumberProfile</field>
        </fieldOrder>
    </meta>
    <messages>
        <msg type="DEBUG">Data informtaion</msg>
        <msg type="INFO">Your timerange was substituted based on your search string</msg>
    </messages>
    <result offset='0'>
        <field k='ID'>
            <value h='1'>
                <text>3-Role1,3-Role2,3-Role3,3-Role4</text>
            </value>
        </field>
        <field k='USERLIST'>
            <value>
                <text>ABC123</text>
            </value>
        </field>
        <field k='UserNameInProfile'>
            <value>
                <text>VISHAL KEJRIWAL</text>
            </value>
        </field>
        <field k='EmployeeNumberProfile'>
            <value h='1'>
                <text>ABC123</text>
            </value>
        </field>
    </result>
    <result offset='1'>
        <field k='ID'>
            <value h='1'>
                <text>3-Role1,3-ROLE3</text>
            </value>
        </field>
        <field k='USERLIST'>
            <value>
                <text>XYZ123</text>
            </value>
        </field>
        <field k='UserNameInProfile'>
            <value>
                <text>VIS KEJ</text>
            </value>
        </field>
        <field k='EmployeeNumberProfile'>
            <value h='1'>
                <text>XYZ123</text>
            </value>
        </field>
    </result>
</results>

Schema Mapping 

Adding Group and Account Aggregation Operation

Context URL : URL to fetch data , this need to be same as URL use to fetch data from any API client

Header 

Content-Type : text/XML

Response

Response Attribute Mapping 

PROFILE :field[1]/value/text

Attribute : field[2]/value/text

ProfileName : field[3]/value/text

Root Path

//results/result

Sucessful Response Code 

2**

Similar Step need to be followed for Account Aggregation 

Sample WebServiceBeforeOperationRule  if Endpoint URL need to be modified

  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  import java.io.IOException;
  import java.net.URI;
  import java.net.URISyntaxException;
  import org.apache.http.HttpHeaders;
  import org.apache.http.HttpResponse;
  import org.apache.http.client.ClientProtocolException;
  import org.apache.http.client.HttpClient;
  import org.apache.http.client.methods.HttpPost;
  import org.apache.http.client.utils.URIBuilder;
  import org.apache.http.entity.StringEntity;
  import org.apache.http.impl.client.HttpClients;
  import org.apache.http.client.entity.UrlEncodedFormEntity;
  import org.apache.http.message.BasicNameValuePair;
  import org.apache.http.util.EntityUtils;

  String SEARCH_QUERY ="search index=cleanup RECTYPE=NME ID=3-* earliest=@w0  ATTR=PROFILE | table  ID ATTR ATVAL";

  try {
    List visUrlEncoded = new ArrayList();
     visUrlEncoded.add(new BasicNameValuePair("search", SEARCH_QUERY));	
     UrlEncodedFormEntity visUrlEncodedEntity = new UrlEncodedFormEntity(visUrlEncoded);

    String visFinalURL = requestEndPoint.getFullUrl()+EntityUtils.toString(visUrlEncodedEntity);
    requestEndPoint.setFullUrl(visFinalURL);
  }
  catch (Exception exception) {
    log.error("Exception Occured: " + exception);
  }
  return requestEndPoint;