Add Filter to Access Request

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hello!

We have an attribute defined on the applications that is used by users to identify the application. So, in Access Requests, we would like to allow users to filter entitlements based on this attribute.

On the following step of the access request, we would like to add another box, where users could provide this attribute, and it would display all the entitlements from the application that has the matching attribute.

Would it be possible to add this filter? If so, what files would need to be modified to include this change?

Hi @brunoocarvalho!

Such a solution is not possible out-of-the-box. To extend the logic in this area, you can take inspiration from this plugin: Hide User Access Filter. This plugin hides certain elements, and I believe that in a similar way, you can add additional elements to this view. In any case, such a template will definitely make the work easier, as there is no need to implement everything from scratch.

Best Regards,
Adam

3 Likes

All these filter you see are the extended attribute on the Managed Attribute Object , why don’t you add a new field on managed attribute despite of application object ?

1 Like

Hello,

By editing the Object Config of Managed Attributes, I managed to add the input field.

But when I try to input something it throws the error: could not resolve property: code of: sailpoint.object.ManagedAttribute

The code that I want to filter by is not defined on the ManagedAttribute object, it is part of the Applications attributes.

Would it be possible to still include this filter here but include some logic to choose the entitlements that match the application with the provided code, or would I need to resort the plugin suggestion?

You need to add new attribute in hbm file , then you need to generate the sql to modify manged attribute table and then finally you need to add attribute in Manger attribute configuration .
If you don’t want above step you can use already available extended attribute

I would say look into document , how to add new searchable extended attribute .

1 Like

Can you paste the xml what you have added ? Or you can add directly extended attribute .

1 Like

This is the ManagedAttribute.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ObjectConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ObjectConfig name="ManagedAttribute">
	<ObjectAttribute categoryName="Joiner" defaultValue="" displayName="Birthright Entitlement" editMode="Permanent" name="isBirthright" namedColumn="true">
		<Description>Exclude Birthright Entitlements</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Joiner" defaultValue="" displayName="Birthright Populations" editMode="Permanent" name="apbirthrightPopulations">
		<Description>Comma Separated Birthright Populations - Will be used for Birthright Role Automation</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Aggregation" defaultValue="" displayName="Manual Override" editMode="Permanent" name="manualOverride" namedColumn="true">
		<Description>Manual Override Entitlemnet Birthright, Privileged, and Logical Application Settings</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Approval" displayName="1st Level Business Approvers" editMode="Permanent" name="entBusApprovers" namedColumn="true">
		<Description>Enter a comma separated  Cube Ids or WorkGroups</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Approval" defaultValue="" displayName="Omit or Override 1st Level Approvers" editMode="Permanent" name="entBusApprovalRule">
		<Description> This rule can be used to override 1st Level Business Approvers</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Approval" displayName="2nd Level Business Approvers" editMode="Permanent" name="additionalEntBusApprovers" namedColumn="true">
		<Description>Enter a comma separated  Cube Ids or WorkGroups</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Approval" defaultValue="" displayName="Omit or Override 2nd Level Approvers" editMode="Permanent" name="additionalEntBusApproversRule">
		<Description> This rule can be used to override 2nd Level Business Approvers</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Logical Applications" displayName="Logical Business Application Name" editMode="Permanent" name="entAppName" namedColumn="true">
		<Description>Either Single or Comma separated Logical Business Aplications(Shared Databases, Shared Groups, etc)</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Privileged Entitlement" defaultValue="" displayName="Privileged Entitlement" editMode="Permanent" name="entPrivileged" namedColumn="true">
		<Description>Privileged Entitlement</Description>
	</ObjectAttribute>
	<ObjectAttribute categoryName="Privileged Entitlement" defaultValue="" displayName="Privileged Entitlement Account Types" editMode="Permanent" name="apaccountType">
		<Description>Comma Separated Privileged Entitlement Types</Description>
	</ObjectAttribute>
	<ObjectAttribute displayName="Operation" editMode="Permanent" name="operation" namedColumn="true">
		<Description>Operation</Description>
	</ObjectAttribute>
	<ObjectAttribute displayName="Application Code" editMode="Permanent" name="code" namedColumn="true">
		<Description>Code</Description>
	</ObjectAttribute>
</ObjectConfig>

I added the last ObjectAttribute.

Try add something like below

  <ObjectAttribute displayName="Application Code" editMode="Permanent" extendedNumber="1" name="code" type="string">
    <Description>Code</Description>
  </ObjectAttribute>
1 Like

That works without throwing the previous error:
image

Would it be possible to display all the application codes, and filter based on what entitlements belong to the application with the provided code?

Yes go to any entitlement catalog , open any entitlement and update the value for application code , it will start showing up here .

1 Like

Good to know that you are not getting error . :+1:

1 Like

That’s exactly what I needed. Thanks for your help :smile: