Advanced Policy not able to create PolicyViolation

Hello Team,

We have advanced policy for few scenarios from IIQ 7.2. We did upgrade iiq to 8.0P2, now we see advanced policy not able to create PolicyViolation object in System and let users submit the request.
In policy rule, we have logic and using below code to set the policy violation. We able to see policyviolation object in log by using v.toXml() but policyviolation object / form not appearing in iiq. please let me know anything else i need to set along with below properties.

v = new PolicyViolation();
v.setActive(true);
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
v.setDescription("[More then One !DEPT Group is the extra entitlement.]");
v.setStatus(sailpoint.object.PolicyViolation.Status.Open);

Thanks,
Suresh

Hi Suresh,

Can you attach the entire policy violation object and the rule? I can try in my sandbox to see if there is an issue.

Thanks,

Blake

Hi @sukurams

There is no return statement in the code above. Is this the complete code?

  • Menno
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Policy PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Policy certificationActions="Mitigated,Delegated" configPage="advancedPolicy.xhtml" executor="sailpoint.policy.GenericPolicyExecutor" name="Advanced User Policy" state="Active" type="Advanced" typeKey="policy_type_advanced" violationOwnerType="Manager">
  <PolicyAlert disabled="true" escalationStyle="none"/>
  <Attributes>
    <Map>
      <entry key="sysDescriptions">
        <value>
          <Map>
            <entry key="en_US" value="Users are not allowed to request application level entitlements unless they have a user account already created in Duco Cube. If user is showing a user account in Duco, which was identified via aggregation, they will be allowed to request for access."/>
          </Map>
        </value>
      </entry>
    </Map>
  </Attributes>
  <Owner>
    <Reference class="sailpoint.object.Identity" name="spadmin"/>
  </Owner>
  <GenericConstraints>
    <GenericConstraint name="Advanced User Policy Rule" violationOwnerType="None">
      <CompensatingControl>None. User must have only one role in this application.</CompensatingControl>
      <Description>Desc</RemediationAdvice>
      <IdentitySelector>
        <RuleRef>
          <Reference class="sailpoint.object.Rule" name="Advanced User Policy Rule"/>
        </RuleRef>
      </IdentitySelector>
    </GenericConstraint>
  </GenericConstraints>
</Policy>
<Rule language="beanshell" name="Advanced User Policy Rule" type="Policy">
  <Description>This rule is used to determine if a Policy has been violated.</Description>
  <Signature returnType="PolicyViolation">
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="identity">
        <Description>
          The Identity being inspected.
        </Description>
      </Argument>
      <Argument name="policy">
        <Description>
          The Policy being evaluated.
        </Description>
      </Argument>
      <Argument name="constraint">
        <Description>
          The Constraint being evaluated.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="violation">
        <Description>
          The PolicyViolation object.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
  import sailpoint.object.*;
	import sailpoint.object.ApprovalItem.ProvisioningState;
	import sailpoint.api.*;
	String targetId = null;
	boolean hasPolicyViolation=false;
	String errorMessage = null;
	if(identity!=null)
	{	
		targetId = new ObjectUtil().getId(context,Identity.class,identity.getName());
		
	}
// Below logic working fine and hasMSPAccount false and hasPolicyViolation is true. 
	boolean hasMSPAccount = false;
	List links = identity.getLinks();
	if(links!=null &amp;&amp; !links.isEmpty())
	{	for(Link link : links)
		{
    
    if(link.getApplicationName().equalsIgnoreCase("Duco Cube Application Level"))
			{	hasMSPAccount = true;
			}
		}
	
	
	}
	if(!(hasMSPAccount) )
	{				
				
		hasPolicyViolation=true;
		errorMessage = "Display Error message ";
	}
		
	log.error("hasPolicyViolation - "+hasPolicyViolation);
	PolicyViolation v = null;
	if(hasPolicyViolation){
					v = new PolicyViolation();
					v.setActive(true);
					v.setIdentity(identity);
					v.setPolicy(policy);
					v.setConstraint(constraint);
					v.setDescription(errorMessage);
					v.setStatus(sailpoint.object.PolicyViolation.Status.Open);
		
					
	}
	log.error("poliy xml "+policy.toXml());	
	log.error("policy object xml"+v.toXml());		
    return v;
</Source>
</Rule>


@blakebowen @menno.pieters - Please share the updates when you get chance to review the attached policy.

Instead of returning the complete violation, you could just return true. Can you see if that works for you?
You can also make it slightly more efficient by breaking out of the for loop as soon as you have found an account.

  • Menno

I have tried to return true as you suggested , no luck.

Can you send the logging from your rule?

I assume you’re trying to throw the violation at the time of the request during an access request? If so are you seeing the logging statements hit the rule? If not there may be a change to the workflow that would normally trigger the policy violation rule to get checked.

Suresh,

The rule code looks clean to me. The toXml method can throw a GeneralException. As such, you may want to wrap the method call in a try-catch block.

try {
  log.error("policy object xml"+v.toXml());
} catch (GeneralException e) {
  log.error("printing the policy violation object caused a GeneralException", e);
}

Rob

@routters - Thank you. We able to see policyviolation object printing all time without any issue but the same object not creating in SP.

@sukurams,

Have you been able to make any progress on this? If not, are you able to send the logging from your rule so that @blakebowen is able to assist you further? Let us know!

Hey @sukurams,

Please let us know if you need further assistance on this post; we are happy to help. In the meantime, I am going to mark this issue as resolved.

Hello All,
I am also trying similar to this.
I am trying to display Policy violation at the time of request during access request.
I can see PolicyViolation object gets printed in logs with toXml() method, but unable to see violation information in workitem. (policyScheme is used as “continue” in workflow so that approvers can see violation in work item.)

Please let me know why approvers are unable to see policy violation. Any extra code is needed to display this info on work item?

Thank you