Access certification properties in rule

Hello,
I have a targeted certification and in the “Who do you want to Certify” section I have it set to a rule. I need to be able to get some of the targeted certificates properties in the rule, things like the name of the role that I’m certifying, etc. Does anyone have an idea on how to do that?

Thanks

Can you expand on your requirements on what you’re trying to scope/filter? Rule-based scoping should generally be a last-resort as Certification rules can be pretty tricky.

Barring that, I generally first reference the rule args available in the rule: https://community.sailpoint.com/t5/Technical-White-Papers/Rules-in-IdentityIQ-7-0-and-later-versions/ta-p/78176
And if needed, do a namespace dump to see what objects are available to use as well: https://community.sailpoint.com/t5/IdentityIQ-Articles/Dumping-the-Beanshell-Namespace-in-a-Rule/ta-p/80909

With those 2 pieces of information, I then plan out what I need to do given what I have to work with.

Hi,
Thanks for the reply and the links. For some reason I can’t access the links, I get an Access Denied.

Basically, the requirement is to certify the owners of LDAP roles. I created a rule that queries LDAP to get the owners of the role and I use that in the targeted certification. I would like to be able to retrieve the name of the role that has been selected in the targeted certification so I can use that role name in my LDAP query. I assumed the role name was in the args somewhere, just not sure how to access it from the rule.
I’m pretty new to SailPoint so I may be going about this all wrong.

Thanks again

Interesting - have you signed up on Compass yet? That’s where the IIQ downloads and most of the whitepaper docs are. If you can’t access that, you might need to reach out to your CSM or email [email protected].

Regarding the certification - can you explain what you mean by LDAP Roles? Are those IIQ roles containing LDAP groups (entitlements), stand-alone/individual LDAP groups, or something else entirely? Odds are that there is a Types of Certification that is more relevant to your use-case (and most of those can also be configured through the Targeted Certification). Of particular note: Entitlement Owner, Role Membership, or Role Composition may be more appropriate for your use-case.

As a final note, doing something like an LDAP query is a pretty expensive operation, and most certification rules are run a lot when generating or transitioning a campaign, so that is likely to lead to a pretty significant performance hit.

Yep, I’m signed up with Compass but I’ll touch base with the help desk
Yea, the LDAP roles are stand-alone/individual LDAP groups.
I looked at the different types of Certifications and it sounded like the only certification that would allow rules to populate the “Who do you want to certify” section was the targeted certification.
Guess I just need to find a way to list out the args, hopefully I can get to the documents you listed after I contact the help desk

So you will likely be looking for something more geared towards the Entitlement Owner type of certification. You can also do a pretty close approximation of this via Targeted access review if needed by altering the What do you want to certify? section to define the in-scope entitlements/applications, and the Choose Certifier as the Owner → Entitlement Owner.

Note that to populate the Entitlement Owner in the Entitlement Catalog based on LDAP data, you can use a GroupAggregationRefresh rule, which will have the just-aggregated LDAP info readily available to find and set the owner.
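An added example, not part of the original posts and not SailPoint's own code: a sketch of a GroupAggregationRefresh rule body (BeanShell) that sets the entitlement owner from the just-aggregated LDAP group. It assumes the group schema aggregates the owner's DN in an attribute named `owner`, that the owner's LDAP account is aggregated on the same application, and that the standard rule inputs (`context`, `log`, `obj`, `accountGroup`, `groupApplication`) are in scope.

```java
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;

// Assumption: name of the LDAP group attribute holding the owner's DN.
String OWNER_ATTR = "owner";

// obj is the ResourceObject for the group that was just aggregated.
// The attribute may be single- or multi-valued; only the first value is used here.
Object raw = obj.getAttribute(OWNER_ATTR);
String ownerDn = null;
if (raw instanceof List) {
    List values = (List) raw;
    if (!values.isEmpty()) {
        ownerDn = (String) values.get(0);
    }
} else if (raw != null) {
    ownerDn = raw.toString();
}

// No owner recorded in LDAP: leave whatever owner the catalog already has.
if (ownerDn == null) {
    return accountGroup;
}

// Resolve the DN to an IdentityIQ identity through its account (Link)
// on the same application. Assumption: owner accounts live on groupApplication.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", groupApplication.getName()));
qo.addFilter(Filter.ignoreCase(Filter.eq("nativeIdentity", ownerDn)));
List links = context.getObjects(Link.class, qo);

if (links != null && links.size() == 1) {
    Identity owner = ((Link) links.get(0)).getIdentity();
    accountGroup.setOwner(owner);
} else {
    // Zero or ambiguous matches: do not guess a certifier; flag it for review.
    log.warn("No unique identity for owner DN '" + ownerDn
        + "' on group " + obj.getIdentity());
}

return accountGroup;
```

Because the owner is resolved once per group during aggregation, certification generation does not need to query LDAP at all.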

K, thanks. I’ll take a look at that
