We have advanced policy for few scenarios from IIQ 7.2. We did upgrade iiq to 8.0P2, now we see advanced policy not able to create PolicyViolation object in System and let users submit the request.
In policy rule, we have logic and using below code to set the policy violation. We able to see policyviolation object in log by using v.toXml() but policyviolation object / form not appearing in iiq. please let me know anything else i need to set along with below properties.
v = new PolicyViolation();
v.setActive(true);
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
v.setDescription(“[More then One !DEPT Group is the extra entitlement.]”);
v.setStatus(sailpoint.object.PolicyViolation.Status.Open);
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Policy PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Policy certificationActions="Mitigated,Delegated" configPage="advancedPolicy.xhtml" executor="sailpoint.policy.GenericPolicyExecutor" name="Advanced User Policy" state="Active" type="Advanced" typeKey="policy_type_advanced" violationOwnerType="Manager">
<PolicyAlert disabled="true" escalationStyle="none"/>
<Attributes>
<Map>
<entry key="sysDescriptions">
<value>
<Map>
<entry key="en_US" value="Users are not allowed to request application level entitlements unless they have a user account already created in Duco Cube. If user is showing a user account in Duco, which was identified via aggregation, they will be allowed to request for access."/>
</Map>
</value>
</entry>
</Map>
</Attributes>
<Owner>
<Reference class="sailpoint.object.Identity" name="spadmin"/>
</Owner>
<GenericConstraints>
<GenericConstraint name="Advanced User Policy Rule" violationOwnerType="None">
<CompensatingControl>None. User must have only one role in this application.</CompensatingControl>
<Description>Desc</RemediationAdvice>
<IdentitySelector>
<RuleRef>
<Reference class="sailpoint.object.Rule" name="Advanced User Policy Rule"/>
</RuleRef>
</IdentitySelector>
</GenericConstraint>
</GenericConstraints>
</Policy>
<Rule language="beanshell" name="Advanced User Policy Rule" type="Policy">
<Description>This rule is used to determine if a Policy has been violated.</Description>
<Signature returnType="PolicyViolation">
<Inputs>
<Argument name="log">
<Description>
The log object associated with the SailPointContext.
</Description>
</Argument>
<Argument name="context">
<Description>
A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
</Description>
</Argument>
<Argument name="identity">
<Description>
The Identity being inspected.
</Description>
</Argument>
<Argument name="policy">
<Description>
The Policy being evaluated.
</Description>
</Argument>
<Argument name="constraint">
<Description>
The Constraint being evaluated.
</Description>
</Argument>
</Inputs>
<Returns>
<Argument name="violation">
<Description>
The PolicyViolation object.
</Description>
</Argument>
</Returns>
</Signature>
<Source>
import sailpoint.object.*;
import sailpoint.object.ApprovalItem.ProvisioningState;
import sailpoint.api.*;
String targetId = null;
boolean hasPolicyViolation=false;
String errorMessage = null;
if(identity!=null)
{
targetId = new ObjectUtil().getId(context,Identity.class,identity.getName());
}
// Below logic working fine and hasMSPAccount false and hasPolicyViolation is true.
boolean hasMSPAccount = false;
List links = identity.getLinks();
if(links!=null && !links.isEmpty())
{ for(Link link : links)
{
if(link.getApplicationName().equalsIgnoreCase("Duco Cube Application Level"))
{ hasMSPAccount = true;
}
}
}
if(!(hasMSPAccount) )
{
hasPolicyViolation=true;
errorMessage = "Display Error message ";
}
log.error("hasPolicyViolation - "+hasPolicyViolation);
PolicyViolation v = null;
if(hasPolicyViolation){
v = new PolicyViolation();
v.setActive(true);
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
v.setDescription(errorMessage);
v.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}
log.error("poliy xml "+policy.toXml());
log.error("policy object xml"+v.toXml());
return v;
</Source>
</Rule>
Instead of returning the complete violation, you could just return true. Can you see if that works for you?
You can also make it slightly more efficient by breaking out of the for loop as soon as you have found an account.
I assume you’re trying to throw the violation at the time of the request during an access request? If so are you seeing the logging statements hit the rule? If not there may be a change to the workflow that would normally trigger the policy violation rule to get checked.
Have you been able to make any progress on this? If not, are you able to send the logging from your rule so that @blake_bowen is able to assist you further? Let us know!
Hello All,
I am also trying similar to this.
I am trying to display Policy violation at the time of request during access request.
I can see PolicyViolation object gets printed in logs with toXml() method, but unable to see violation information in workitem. (policyScheme is used as “continue” in workflow so that approvers can see violation in work item.)
Please let me know why approvers are unable to see policy violation. Any extra code is needed to display this info on work item?
Hi ,
I am facing same issue. I can see the policy violation being printed in logs of rule but nothing while submitting request. Request gets submitted succesfully.
Please check your identity first. Basically, the policy violation rule is executed twice - once for the previous state of identity and 2nd time for the expected state of identity. In case your rule returns violation both the times, you will see the violation being printed in logs but nothing on request access screen. IIQ expects the rule to return violation only on second time. Please check if your identity before submitting the request can generate violation.
Hi,
Can you help me out here?
Identity already has entitlements while are in violation and if identity is again raising a request which is also in violation to already present entitlements . We have set policyScheme to “fail”, but LCM continue to create request.
Any pointers on how to stop identity to raise request?
From loggers I have verified PolicyViolation object being returned for this case.
There is no way to stop this request if your identity is already in violation. I think this OOB functionality is flawed but this is how it is. You can only generate a policy violation if previous identity is not in violation and new identity is.