<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Policy PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Policy certificationActions="Mitigated,Delegated" configPage="advancedPolicy.xhtml" executor="sailpoint.policy.GenericPolicyExecutor" name="Advanced User Policy" state="Active" type="Advanced" typeKey="policy_type_advanced" violationOwnerType="Manager">
<PolicyAlert disabled="true" escalationStyle="none"/>
<Attributes>
<Map>
<entry key="sysDescriptions">
<value>
<Map>
<entry key="en_US" value="Users are not allowed to request application-level entitlements unless they already have a user account in Duco Cube. If the user has a Duco Cube account that was identified via aggregation, they are allowed to request access."/>
</Map>
</value>
</entry>
</Map>
</Attributes>
<Owner>
<Reference class="sailpoint.object.Identity" name="spadmin"/>
</Owner>
<GenericConstraints>
<GenericConstraint name="Advanced User Policy Rule" violationOwnerType="None">
<CompensatingControl>None. User must have only one role in this application.</CompensatingControl>
<Description>Desc</Description>
<IdentitySelector>
<RuleRef>
<Reference class="sailpoint.object.Rule" name="Advanced User Policy Rule"/>
</RuleRef>
</IdentitySelector>
</GenericConstraint>
</GenericConstraints>
</Policy>
<Rule language="beanshell" name="Advanced User Policy Rule" type="Policy">
<Description>This rule is used to determine if a Policy has been violated.</Description>
<Signature returnType="PolicyViolation">
<Inputs>
<Argument name="log">
<Description>
The log object associated with the SailPointContext.
</Description>
</Argument>
<Argument name="context">
<Description>
A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
</Description>
</Argument>
<Argument name="identity">
<Description>
The Identity being inspected.
</Description>
</Argument>
<Argument name="policy">
<Description>
The Policy being evaluated.
</Description>
</Argument>
<Argument name="constraint">
<Description>
The Constraint being evaluated.
</Description>
</Argument>
</Inputs>
<Returns>
<Argument name="violation">
<Description>
The PolicyViolation object.
</Description>
</Argument>
</Returns>
</Signature>
<Source>
import sailpoint.object.*;
import sailpoint.object.ApprovalItem.ProvisioningState;
import sailpoint.api.*;
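// Policy rule body: raise a PolicyViolation for any identity that does not yet
// hold an account (Link) on the "Duco Cube Application Level" application.
//
// Inputs (supplied by the policy framework, see the Signature above):
//   identity   - the Identity being inspected; may be null
//   policy     - the Policy being evaluated
//   constraint - the GenericConstraint being evaluated
//   log        - logger for this rule
//   context    - SailPointContext (not needed here; no queries are issued)
// Returns: an open PolicyViolation when no qualifying account exists, else null.
//
// Changes from the previous version:
//   * `identity` was null-checked and then dereferenced unconditionally
//     (identity.getLinks()); the rule now returns null for a null identity.
//   * link.getApplicationName() could be null; the constant is now on the left
//     of equalsIgnoreCase so a Link without an application name cannot throw.
//   * The unused `targetId` lookup (ObjectUtil.getId) was dropped.
//   * The previous version logged policy.toXml() and v.toXml() at ERROR level on
//     every evaluation. That dumps policy and identity data into the application
//     log, and v.toXml() threw a NullPointerException for every compliant identity
//     (v is null when there is no violation). Tracing is now a single DEBUG line.

// Application whose account presence gates entitlement requests.
String requiredApplicationName = "Duco Cube Application Level";

if (identity == null) {
    log.warn("Advanced User Policy Rule: no identity supplied, skipping evaluation");
    return null;
}

// Does the identity already hold an account on the required application?
boolean hasMSPAccount = false;
List links = identity.getLinks();
if (links != null) {
    for (Link link : links) {
        // Constant-first comparison tolerates a Link whose application name is null.
        if (requiredApplicationName.equalsIgnoreCase(link.getApplicationName())) {
            hasMSPAccount = true;
            break;
        }
    }
}

log.debug("Advanced User Policy Rule: identity=" + identity.getName()
        + " hasMSPAccount=" + hasMSPAccount);

// An existing account on the required application means no violation.
if (hasMSPAccount) {
    return null;
}

PolicyViolation v = new PolicyViolation();
v.setActive(true);
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
// TODO(review): placeholder text; this description is what the violation owner sees.
v.setDescription("Display Error message ");
v.setStatus(sailpoint.object.PolicyViolation.Status.Open);
return v;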
</Source>
</Rule>