Version 8.3
Is it possible to get the value of a specific account attribute (multivalued) using a before operation on add / delete entitlement?
For example:
Thanks
You can use nativeIdentity from the accountRequest object and just iterate over identities links to find Link object with this nativeIdentity and application. This will give you access to all currently set attributes in the account. Something like that:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Sample Before Operation Rule" type="WebServiceBeforeOperationRule">
<Source>
String nativeIdentity = provisioningPlan.getAccountRequests().get(0).getNativeIdentity();
Identity identity = provisioningPlan.getIdentity();
String appName = "SampleRest APP";
Link detectedLink;
for(Link link : identity.getLinks()) {
if(appName.equals(link.getApplicationName()) && nativeIdentity.equals(link.getNativeIdentity())) {
detectedLink = link;
}
}
String sampleLinkAttribute = detectedLink.getAttribute("sampleAttribute");
</Source>
</Rule>
after working out a solution arroud this example , i’am getting a null pointer on :
Identity identity = provisioningPlan.getIdentity();
NB: the remove entitlement is triggered when a role access is deleted
here below an example pf my provisioning plan :
<ProvisioningPlan nativeIdentity="XXXX" targetIntegration="XXX" trackingId="XXXXXXXXXXXXXX">
<AccountRequest application="XXX" nativeIdentity="XXXXXXXXXXXXXX" op="Modify">
<AttributeRequest name="XXX" op="Remove" value="XXX">
<Attributes>
<Map>
.
.
.
.
.
.
</Map>
</Attributes>
</ProvisioningPlan>
Try this instead
String nativeIdentityString= provisioningPlan.getNativeIdentity();
Identity identity = context.getObjectByName(Identity.class,nativeIdentityString);
is it possible tu use application name , and accountrequest native identity and filter to find the attribute ?
application = context.getObjectByName(Application.class, "app name");
.
.
.
.
Each account request is always for.single application which you can check eg by. accountRequest.getApplicationName(); and each account.re1uest contains list of AttributeRequests (1 attribute request for each attribute) which you can get by accountRequest.getAttributeRequests();
i was thinking for something more about :
QueryOptions Qo = new QueryOptions();
qo.setResultLimit(1);
Qo.addFilter(Filter.eq("application.name", appName));
Qo.addFilter(Filter.eq("identity.name", nativeIdentity));
Qo.addFilter(Filter.eq("nativeIdentity", accountnativeIdentity));
to limit the queries for retrieving the link and then get the attribute ?
@massinissa
Yes, you can use the filter for getting the data from Link object.
In 8.4 you can do that as Links are available as separate objects, I’m not so sure if in earlier versions it would work.
Hi @massinissa,
In the current version your link is available as a separate object itself so it should not be a problem to query it.
In earlier version where your Link object is not directly available there you can use “IdentityService” API to get the link directly if it is for the same identity on which your operation is triggered.
Let me know if you need further help.
Thanks
One note: If you do it this way, you should qo.setCloneResults(true) and qo.setCacheResults(false), which will cause Hibernate to fully detach the Link object from the session and make sure everything is loaded into memory.
You will run into strange and difficult-to-debug caching errors if you don’t. That same Link object is already loaded into the Hibernate cache elsewhere via the Identity whose access is being provisioned.
An alternative approach to getting values in your beforeOperation rule is to add it to the provisioningPlan as an accountRequest attribute.
You can use your before provisioning rule to add if to the accountRequest directly from the Identity as accountRequest.setArgument(string, string).
I wrote a blog post that addresses this for IDN, but the same code works for IIQ. Additionally, as SailPoint is trying to transition IIQ implementations to IDN, using this approach would mean less code changes should you ever migrate platforms:
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.