Add Filter to Access Request

brunoocarvalho · July 29, 2024, 1:52pm

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hello!

We have an attribute defined on the applications that is used by users to identify the application. So, in Access Requests, we would like to allow users to filter entitlements based on this attribute.

On the following step of the access request, we would like to add another box, where users could provide this attribute, and it would display all the entitlements from the application that has the matching attribute.

Would it be possible to add this filter? If so, what files would need to be modified to include this change?

abartkowski · July 29, 2024, 1:58pm

Hi @brunoocarvalho!

Such a solution is not possible out-of-the-box. To extend the logic in this area, you can take inspiration from this plugin: Hide User Access Filter. This plugin hides certain elements, and I believe that in a similar way, you can add additional elements to this view. In any case, such a template will definitely make the work easier, as there is no need to implement everything from scratch.

Best Regards,
Adam

vishal_kejriwal1 · July 29, 2024, 5:20pm

All these filter you see are the extended attribute on the Managed Attribute Object , why don’t you add a new field on managed attribute despite of application object ?

brunoocarvalho · July 31, 2024, 11:04am

Hello,

By editing the Object Config of Managed Attributes, I managed to add the input field.

But when I try to input something it throws the error: could not resolve property: code of: sailpoint.object.ManagedAttribute

The code that I want to filter by is not defined on the ManagedAttribute object, it is part of the Applications attributes.

Would it be possible to still include this filter here but include some logic to choose the entitlements that match the application with the provided code, or would I need to resort the plugin suggestion?

vishal_kejriwal1 · July 31, 2024, 12:20pm

You need to add new attribute in hbm file , then you need to generate the sql to modify manged attribute table and then finally you need to add attribute in Manger attribute configuration .
If you don’t want above step you can use already available extended attribute

I would say look into document , how to add new searchable extended attribute .

vishal_kejriwal1 · July 31, 2024, 12:22pm

Can you paste the xml what you have added ? Or you can add directly extended attribute .

brunoocarvalho · August 1, 2024, 1:11pm

This is the ManagedAttribute.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ObjectConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ObjectConfig name="ManagedAttribute">
	<ObjectAttribute categoryName="Joiner" defaultValue="" displayName="Birthright Entitlement" editMode="Permanent" name="isBirthright" namedColumn="true">
		<Description>Exclude Birthright Entitlements</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Joiner" defaultValue="" displayName="Birthright Populations" editMode="Permanent" name="apbirthrightPopulations">
		<Description>Comma Separated Birthright Populations - Will be used for Birthright Role Automation</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Aggregation" defaultValue="" displayName="Manual Override" editMode="Permanent" name="manualOverride" namedColumn="true">
		<Description>Manual Override Entitlemnet Birthright, Privileged, and Logical Application Settings</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Approval" displayName="1st Level Business Approvers" editMode="Permanent" name="entBusApprovers" namedColumn="true">
		<Description>Enter a comma separated  Cube Ids or WorkGroups</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Approval" defaultValue="" displayName="Omit or Override 1st Level Approvers" editMode="Permanent" name="entBusApprovalRule">
		<Description> This rule can be used to override 1st Level Business Approvers</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Approval" displayName="2nd Level Business Approvers" editMode="Permanent" name="additionalEntBusApprovers" namedColumn="true">
		<Description>Enter a comma separated  Cube Ids or WorkGroups</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Approval" defaultValue="" displayName="Omit or Override 2nd Level Approvers" editMode="Permanent" name="additionalEntBusApproversRule">
		<Description> This rule can be used to override 2nd Level Business Approvers</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Logical Applications" displayName="Logical Business Application Name" editMode="Permanent" name="entAppName" namedColumn="true">
		<Description>Either Single or Comma separated Logical Business Aplications(Shared Databases, Shared Groups, etc)</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Privileged Entitlement" defaultValue="" displayName="Privileged Entitlement" editMode="Permanent" name="entPrivileged" namedColumn="true">
		<Description>Privileged Entitlement</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Privileged Entitlement" defaultValue="" displayName="Privileged Entitlement Account Types" editMode="Permanent" name="apaccountType">
		<Description>Comma Separated Privileged Entitlement Types</Description>
	</ObjectAttribute>
	<ObjectAttribute displayName="Operation" editMode="Permanent" name="operation" namedColumn="true">
		<Description>Operation</Description>
	</ObjectAttribute>
	<ObjectAttribute displayName="Application Code" editMode="Permanent" name="code" namedColumn="true">
		<Description>Code</Description>
	</ObjectAttribute>
</ObjectConfig>

I added the last ObjectAttribute.

vishal_kejriwal1 · August 1, 2024, 1:39pm

Try add something like below

  <ObjectAttribute displayName="Application Code" editMode="Permanent" extendedNumber="1" name="code" type="string">
    <Description>Code</Description>
  </ObjectAttribute>

brunoocarvalho · August 1, 2024, 1:45pm

That works without throwing the previous error:

Would it be possible to display all the application codes, and filter based on what entitlements belong to the application with the provided code?

vishal_kejriwal1 · August 1, 2024, 1:55pm

Yes go to any entitlement catalog , open any entitlement and update the value for application code , it will start showing up here .

vishal_kejriwal1 · August 1, 2024, 1:56pm

Good to know that you are not getting error .

brunoocarvalho · August 1, 2024, 4:18pm

That’s exactly what I needed. Thanks for your help

system · September 30, 2024, 4:18pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to fliter entitlements in mange user access page based on the application selection IIQ Discussion and Questions identityiq	7	815	August 1, 2023
Filtering Providable Entitlements based on Identity Attribute IIQ Discussion and Questions rules , identityiq , entitlements	2	49	September 27, 2024
Hide attributes from filter in access request lcm IIQ Discussion and Questions identityiq	4	42	December 6, 2024
Filter entitlements for an application for a user IIQ Discussion and Questions	7	2754	June 21, 2023
During adding entitlement inside IT Role facing issue in script IIQ Discussion and Questions rules , identityiq , identity-profiles , entitlements	5	188	May 17, 2024

Add Filter to Access Request

Which IIQ version are you inquiring about?

Share all details related to your problem, including any error messages you may have received.

Related topics