A simple rule to set Entitlements to non requestable

Over time you can end up with many entitlements as requestable. Yes, it is possible to set the flag via the aggregation, but we need a rule to bulk set this per application.

Here’s the code, just replace the APP NAME

```java
import sailpoint.object.*;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import sailpoint.tools.Util;

// Name of the application whose entitlements should become non-requestable.
String appName = "APP NAME";

Logger log = Logger.getLogger("org.rpc.rules");
log.setLevel(Level.DEBUG);
log.debug("We process");

int counter = 0;
int decacheNumber = 10;

Iterator iter = null;
try {
  log.debug("We process app:" + appName);
  // Select only the entitlements of this application that are still requestable.
  QueryOptions opsMan = new QueryOptions();
  opsMan.addFilter(Filter.eq("application.name", appName));
  opsMan.addFilter(Filter.eq("requestable", true));
  // Clone the results so the periodic commit/decache does not break the iteration.
  opsMan.setCloneResults(true);
  iter = context.search(ManagedAttribute.class, opsMan);
  while (iter.hasNext()) {
    ManagedAttribute ma = (ManagedAttribute) iter.next();
    ma.setRequestable(false);
    context.saveObject(ma);
    counter++;
    // Commit every few records.
    if (0 == (counter % decacheNumber)) {
      context.commitTransaction();
      context.decache();
      log.debug("We decache");
    }
  }
} catch (Exception e) {
  // Log at error level with the stack trace so a failed run is not missed.
  log.error("Failed while processing app:" + appName, e);
} finally {
  // Commit whatever is left from the last partial batch and release the iterator.
  context.commitTransaction();
  context.decache();
  if (iter != null) Util.flushIterator(iter);
}

log.debug("We processed:" + counter);
```
1 Like

Good rule,
I would add one thing - it’s also quite a good idea to use a ManagedAttributePromotion rule in order to set an entitlement as non-requestable as soon as it is detected in the source/target system.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Set Non Requestable Entitlements" type="ManagedAttributePromotion">
  <Description>A ManagedAttributePromotion rule is called when ManagedAttributes are automatically created during aggregation, refresh, or from the missing entitlement descriptions task.

This can modify the ManagedAttribute that is passed in to set fields such as owner, requestable, or explanations before they are saved.</Description>
  <Signature>
    <Inputs>
      <Argument name="log" type="org.apache.commons.logging.Log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context" type="sailpoint.api.SailPointContext">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="attribute">
        <Description>
          The sailpoint.object.ManagedAttribute to modify during promotion.
        </Description>
      </Argument>
      <Argument name="application">
        <Description>
          The sailpoint.object.Application the managed attribute is from.
        </Description>
      </Argument>
      <Argument name="state" type="Map">
        <Description>
          A Map that contains managed attribute promotion shared state during a task run.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>

attribute.setRequestable(false);

</Source>
</Rule>
```
3 Likes

Yes we can add the application aggregation task.
We can create a rule to set the entitlement as not requestable and reference this rule in the option “Group Aggregation Refresh Rule”.

These are 2 different types of rules and they work completely differently, but yes, it is also possible to achieve the same via a group refresh rule.

We really wanted to set it via group aggregation, but we have 600+ applications, so we used this rule to loop through the apps and set it for all entitlements.

I think if this is a one-time process, it is better to have standalone code to set these values rather than writing it in some other place which will get invoked every time.

There are multiple ways of doing the same thing, but identifying the best way based on the requirement is more important, keeping in mind the pros and cons.

1 Like
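For the many-application case mentioned in the thread, here is an added BeanShell sketch (not code from any of the posts) that covers several applications in one run, collects the matching ids before modifying anything, and defaults to a dry run that only logs what would change. The names `appNames`, `dryRun` and `batchSize` and the placeholder application names are assumptions of this example; `context` is the SailPointContext that IdentityIQ passes to the rule.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;
import sailpoint.object.*;
import sailpoint.tools.Util;

// Assumptions of this example: placeholder application names, dry run on by default.
List appNames = Arrays.asList(new String[] { "APP NAME 1", "APP NAME 2" });
boolean dryRun = true;   // set to false to persist the change
int batchSize = 10;
Logger log = Logger.getLogger("org.rpc.rules");

// Fetch only the ids first, so later commits and decache calls never touch an open cursor.
QueryOptions ops = new QueryOptions();
ops.addFilter(Filter.in("application.name", appNames));
ops.addFilter(Filter.eq("requestable", true));
List ids = new ArrayList();
Iterator rows = context.search(ManagedAttribute.class, ops, "id");
try {
  while (rows.hasNext()) {
    ids.add(((Object[]) rows.next())[0]);
  }
} finally {
  Util.flushIterator(rows);
}

int changed = 0;
for (int i = 0; i < ids.size(); i++) {
  ManagedAttribute ma = context.getObjectById(ManagedAttribute.class, (String) ids.get(i));
  if (ma == null) continue;   // removed since the id query ran
  log.info((dryRun ? "Would set" : "Setting") + " non-requestable: "
      + ma.getApplication().getName() + " / " + ma.getAttribute() + " = " + ma.getValue());
  if (!dryRun) {
    ma.setRequestable(false);
    context.saveObject(ma);
    if (++changed % batchSize == 0) {
      context.commitTransaction();
      context.decache();
    }
  }
}
if (!dryRun) {
  context.commitTransaction();
  context.decache();
}
return "Matched " + ids.size() + ", changed " + changed + ", dryRun=" + dryRun;
```

Run it once with `dryRun = true` and review the logged entitlements before switching the flag, since the change removes those entitlements from what users can request.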