Advanced Policy Violation - Restrict to request only 1 Entilement for an Application

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hi All,

Looking for sample code/logic for an Advanced policy violation that restricts the request and throws a Policy Violation when a user requests more than 1 Entitlement, during Account creation or Modification as well.

I am specifically looking for logic on how to retrieve a user's existing entitlements if an account already exists, together with the newly requested entitlements, and throw a Policy Violation if more than 1 is requested.

And also how to handle the logic for new users and existing users in the Policy Violation Rule.

Thanks in advance.

Hi @Learner,

Below is the logic to get the list of all Entitlements assigned to the user for a specific Application:

You can call the below method with 2 parameters, i.e. the Identity object and the Application name; it returns a list of all the entitlements assigned to the user.

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import sailpoint.api.IdentityService;
import sailpoint.object.Application;
import sailpoint.object.Attributes;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// context and log are the standard arguments available inside an IIQ rule.
public static List getEntitlementFromLink(Identity identity, String appName) throws GeneralException {
    List entList = new ArrayList();
    Application application = context.getObjectByName(Application.class, appName);
    IdentityService idnServ1 = new IdentityService(context);
    List idenAppLink = idnServ1.getLinks(identity, application);
    // No account on this application yet: return the empty list
    // (this is not inside a loop, so 'continue' would not compile here).
    if (Util.isEmpty(idenAppLink)) { return entList; }
    for (Link link : idenAppLink) {
        Attributes attrs = link.getEntitlementAttributes();
        if (null == attrs) { continue; }
        Map attrsMap = attrs.getMap();
        for (Map.Entry entry : attrsMap.entrySet()) {
            log.debug(entry.getKey() + "/" + entry.getValue());
            if (entry.getValue() instanceof List) {
                // Multi-valued attribute: accumulate instead of overwriting
                // what earlier links or attributes already contributed.
                entList.addAll((List) entry.getValue());
            } else {
                entList.add(entry.getValue());
            }
        }
    }
    log.debug("entList==>" + entList);
    return entList;
}

@Learner
If I understand correctly, you need the code of an Advanced Policy rule to restrict the below condition:

The user shouldn't have more than one entitlement at a given point in time, irrespective of account creation or account modification. The below code will help you with that.

import sailpoint.object.Policy;
import sailpoint.object.PolicyViolation;
import sailpoint.object.Identity;
import sailpoint.object.Entitlement;
import sailpoint.object.Filter;
import sailpoint.object.Application;
import sailpoint.object.QueryOptions;
import java.util.List;
import java.util.Iterator;
import java.util.ArrayList;
import java.util.Locale;
import sailpoint.object.Link;
import sailpoint.tools.GeneralException;

// Collect the entitlements on every link the identity holds for appName.
public List getIdentityEntitlements(Identity identity, String appName) throws GeneralException {

    List applicationLinks = identity.getLinks();
    List entitlementList = new ArrayList();

    if (applicationLinks != null && applicationLinks.size() > 0) {
        for (Link link : applicationLinks) {
            if (appName.equals(link.getApplicationName())) {
                // addAll so that a second link on the same application does not
                // overwrite what the first one contributed
                List linkEnts = link.getEntitlements(Locale.getDefault(), "");
                if (linkEnts != null) {
                    entitlementList.addAll(linkEnts);
                }
            }
        }
    }
    return entitlementList;
}

// True when the identity already has an account (Link) on appName.
public boolean isLinkPresent(String identityName, String appName) throws GeneralException {

    boolean isLinkPresent = false;
    QueryOptions qo = new QueryOptions();

    qo.addFilter(Filter.eq("identity.name", identityName));
    qo.addFilter(Filter.eq("application.name", appName));
    Iterator itr = context.search(Link.class, qo);

    if (itr.hasNext()) {
        isLinkPresent = true;
    }

    return isLinkPresent;
}

PolicyViolation policyViolation = null;
// identity: the rule argument carrying the requested (projected) state
Identity expectedIdentity = identity;
// the persisted identity, loaded by name
Identity oldIdentity = context.getObjectByName(Identity.class, identity.getName());
String appName = "Your App Name";

List expectedEnt = getIdentityEntitlements(expectedIdentity, appName);
// existingEnt and isLinkPresent are computed for the existing-user case but not
// used by the check below, which looks only at the expected state.
List existingEnt = getIdentityEntitlements(oldIdentity, appName);

boolean isViolation = false;
boolean isLinkPresent = isLinkPresent(identity.getName(), appName);

if (expectedEnt != null && expectedEnt.size() > 1) {
    isViolation = true;
}

// if the identity has more than the allowed number of entitlements, flag a violation
if (isViolation) {
    policyViolation = new PolicyViolation();
    policyViolation.setActive(true);
    policyViolation.setIdentity(identity);
    policyViolation.setPolicy(policy);
    policyViolation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}

return policyViolation;

Please mark the solution if this resolves your issue, so that it helps others as well.
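The part of the original question that the answers above do not spell out is how to combine what an existing user already holds with what is being requested, while letting a brand-new user (no account yet) pass through the same check. The rule body below is an added example written for this thread, not code from either answer's author or from SailPoint. It assumes the standard Advanced Policy rule arguments identity, policy, context and log; it assumes that the identity passed to the rule already reflects the requested changes while a fresh load by name returns the persisted state (both assumptions; verify in your environment); and "Your App Name" is a placeholder.

```java
// Added example: Advanced Policy rule body that flags a violation when the union of
// already-held and requested entitlement values on one application exceeds one.
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import sailpoint.api.IdentityService;
import sailpoint.object.Application;
import sailpoint.object.Attributes;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.PolicyViolation;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Placeholder: the application whose entitlements are governed by this policy.
String appName = "Your App Name";

// Every entitlement value on every link the given identity holds for appName.
// Multi-valued attributes (e.g. groups) arrive as a List; single values are added as-is.
// Returns an empty set for a new user with no account, so the caller needs no special case.
public Set collectEntitlementValues(Identity ident, String appName) throws GeneralException {
    Set values = new HashSet();
    if (ident == null) { return values; }
    Application app = context.getObjectByName(Application.class, appName);
    if (app == null) { return values; }
    IdentityService svc = new IdentityService(context);
    List links = svc.getLinks(ident, app);
    if (Util.isEmpty(links)) { return values; }   // new user: nothing held yet
    for (Link link : links) {
        Attributes attrs = link.getEntitlementAttributes();
        if (attrs == null) { continue; }
        for (Map.Entry entry : attrs.getMap().entrySet()) {
            Object v = entry.getValue();
            if (v instanceof List) {
                values.addAll((List) v);
            } else if (v != null) {
                values.add(v);
            }
        }
    }
    return values;
}

// Requested/projected state: the identity handed to the rule (assumption, see lead-in).
Set requested = collectEntitlementValues(identity, appName);
// Persisted state: reloaded by name so that pending changes are not included (assumption).
Identity stored = context.getObjectByName(Identity.class, identity.getName());
Set existing = collectEntitlementValues(stored, appName);

// A Set removes duplicates, so re-requesting an entitlement the user already holds
// does not count as a second one.
Set combined = new HashSet(existing);
combined.addAll(requested);
log.debug("existing=" + existing + " requested=" + requested + " combined=" + combined);

PolicyViolation violation = null;
if (combined.size() > 1) {
    violation = new PolicyViolation();
    violation.setActive(true);
    violation.setIdentity(identity);
    violation.setPolicy(policy);
    violation.setStatus(PolicyViolation.Status.Open);
    // A description makes the violation self-explanatory to the approver reviewing it.
    violation.setDescription("Only one entitlement on " + appName
        + " is allowed; would hold " + combined.size() + ": " + combined);
}
return violation;
```

Because the check is built from the union of existing and requested values, the same rule covers a new user requesting two entitlements at once, an existing user requesting a second one, and a modification that adds to an account that already has one; the only difference between those cases is which of the two sets is empty.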

Thank you @iamksatish. As per initial testing, it is working as expected. I will test all the scenarios.

@Learner
Glad that worked. Sure, test all the scenarios and let me know if any help is needed.

I would also recommend thinking of a scalable solution:

  • What will you do if the number of different applications keeps increasing? Will you keep on creating Advanced policies?

  • What will happen to the detective policy? Will it create a huge number of violations?