Advanced Policy Violation - Restrict to request only 1 Entilement for an Application

Learner · April 23, 2024, 8:14pm

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hi All ,

Looking for sample code/logic for Advanced policy violation to restrict and throw Policy Violation when a user is requesting more than 1 Entitlement during Account creation or Modification also.

I am specifically looking for logic on how to retrieve user existing entitlements if an account already exists and new requested entitlements and throwing Policy Violation if requesting more than 1.

And also how to handle logic for new users and existing users in Policy Violation Rule.

Thanks in Advance.

dheerajk27 · April 24, 2024, 2:04am

Hi @Learner ,

Below is the logic to get the list of all Entitlement assigned to the user for specific Application:

you can call below method with 2 parameters, i.e; Identity Object and Application name, it would return list of all the entitlements assigned to the user.

public static List getEntitlementFromLink(Identity identity, String appName) throws GeneralException {
    List entList =new ArrayList();
    Application application=context.getObjectByName(Application.class, appName);
    IdentityService idnServ1=new IdentityService(context);
    List idenAppLink=idnServ1.getLinks(identity, application);
    if(Util.isEmpty(idenAppLink)){ continue; }
    for(Link link : idenAppLink){
      Attributes attrs = link.getEntitlementAttributes();
      if(null==attrs){ continue; }
      Map attrsMap = attrs.getMap();
      for (Map.Entry entry : attrsMap.entrySet()) {
        log.error(entry.getKey() + "/" + entry.getValue());
        if(entry.getValue() instanceof List){
          entList=entry.getValue();
        }else{
          entList.add(entry.getValue());
        }
      }	
    }
    log.error("entList==>"+entList);
    return entList;
  }

iamksatish · April 24, 2024, 3:16am

@Learner
If I understand correctly you need the code of Advanced Policy rule to restrict below conditions

User shouldn’t have more than one entitlement at given point of time, irrespective of creation of account, account modification. below code will help you on that


import sailpoint.object.Policy;
import sailpoint.object.PolicyViolation;
import sailpoint.object.Identity;
import sailpoint.object.Entitlement;
import sailpoint.object.Filter;
import sailpoint.object.Apllication;
import sailpoint.object.QueryOptions;
import java.util.List;
import java.util.Iterator;
import java.util.ArrayList;
import java.util.Locale;
import sailpoint.object.Link;


public List getIdentityEntitlements(Identity identity,String appName) {

  List applicationLinks = identity.getLinks();
  List entitlementList = new ArrayList();

  if(applicationLinks != null &amp;&amp; applicationLinks.size() >0 ) {

    for (Link link:applicationLinks) {
      if(appName.equals(link.getApplicationName())) {
      
        entitlementList = link.getEntitlements(Locale.getDefault(),"");
      }
    }
  }
  return entitlementList;
}

public boolean isLinkPresent(String identityName, String appName) {

  boolean isLinkPresent = false;
  QueryOptions qo = new QueryOptions();

  qo.addFilter(Filter.eq("identity.name", identityName));
  qo.addFilter(Filter.eq("application.name", appName));
  Iterator itr = context.search(Link.class, qo);

  if (itr.hasNext()) {
    isLinkPresent = true;
  }

  return isLinkPresent;
}


PolicyViolation policyViolation = null;
Identity expectedIdentity = identity;
Identity oldIdentity = context.getObjectByName(Identity.class, identity.getName());
String appName= "Your App Name";

List expectedEnt = getIdentityEntitlements(expectedIdentity, appName);
List existingEnt = getIdentityEntitlements(oldIdentity, appName);

boolean isViolation = false;
boolean isLinkPresent = isLinkPresent(identity.getName(), appName);

if (expectedEnt != null &amp;&amp; expectedEnt.size() >1) {
  isViolation = true;
}

//if identity have the more than required entitlements then flag violation
if (isViolation) {
  policyViolation = new PolicyViolation();
  policyViolation.setActive(true);
  policyViolation.setIdentity(identity);
  policyViolation.setPolicy(policy);
  policyViolation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}

return policyViolation;

Please mark the solution so that this helps others as well if this resolves your issue

Learner · April 24, 2024, 7:44pm

Thank you @iamksatish . As per initial testing, it is working as expected. I will test all the scenarios.

iamksatish · April 25, 2024, 7:35am

@Learner
Glad that worked, sure, test all the scenarios and let me know if any help needed.

vishal_kejriwal1 · April 25, 2024, 5:29pm

I would also recommend think of the scalable solution ,

how to will do if the no’s of different application keep on increasing will you be keep on creating the Advance policy ?
what will happen to the detective policy will it create huge no of violations ?

system · June 24, 2024, 5:29pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Advanced Policy- Performing Revocations IIQ Discussion and Questions workflows , identityiq , entitlements	5	153	July 2, 2024
Violation occurs in Approval if entitelment in not included in policy violation IIQ Discussion and Questions identityiq	4	17	November 19, 2024
When will the policy violation take affect if there's a provisioning form on the access request? IIQ Discussion and Questions identityiq	3	99	July 6, 2024
Policy Violation- Revocation IIQ Discussion and Questions identityiq , provisioning	2	141	June 25, 2024
Policy Violations - IIQ IIQ Discussion and Questions identityiq , provisioning	6	144	November 1, 2024

Advanced Policy Violation - Restrict to request only 1 Entilement for an Application

Which IIQ version are you inquiring about?

Share all details related to your problem, including any error messages you may have received.

Related topics