Problem
SailPoint comes with several role types available out of the box, but by default, users can request only Business Roles. The standard Access Request quicklink doesn’t let users search for IT Roles, so any requests made through it are limited to Business Roles alone.
Diagnosis
This behavior is expected due to SailPoint’s out-of-the-box design and configuration. By default, the Access Request quicklink is intended for business-friendly access requests and is therefore limited to Business Roles only. IT Roles are excluded from search and request in this interface to prevent direct end-user exposure to technical entitlements. As a result, users are unable to search for or request IT Roles through the standard OOTB Access Request quicklink.
Solution
I have written this rule to perform the following operations:
- This SailPoint IIQ BeanShell rule is designed to add or remove roles for a given identity programmatically.
- It creates a ProvisioningPlan targeting the internal IIQ application (`APP_IIQ`).
- The `prepareRolePlan` method builds the plan based on the operation type (addRole or removeRole).
- It fetches the Identity object using the provided identity name and attaches it to the plan.
- Roles are added or removed by updating the `assignedRoles` attribute in the plan.
- The plan source is set to LCM to indicate a lifecycle-driven change.
- The `processPlan` method compiles and executes the provisioning plan using the Provisioner API.
- A `ProvisioningProject` is created before execution to validate and prepare the changes.
- In the sample execution, the role SuperUser-Access is targeted for removal.
- The rule finally executes the role removal for the identity ms2612.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="SailPoint IIQ Role Request Rule">
<Source>
<![CDATA[
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningProject;
import sailpoint.tools.GeneralException;
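// Builds a ProvisioningPlan that adds or removes assigned roles on the internal IIQ application.
/**
 * Creates a ProvisioningPlan for the IIQ application (ProvisioningPlan.APP_IIQ) that adds or
 * removes the given roles on the identity's "assignedRoles" attribute.
 *
 * @param identityName name of the Identity the plan targets
 * @param roles        role names to add or remove; a null or empty list yields a plan with no request
 * @param operation    "addRole" or "removeRole" (case-insensitive); any other value yields a plan with no request
 * @return the prepared plan; its identity is set only when an Identity named identityName exists,
 *         and the plan is returned without a request if a GeneralException is raised during the lookup
 */
public ProvisioningPlan prepareRolePlan(String identityName, List roles, String operation) {
  System.out.println("Entering method prepareRolePlan");
  ProvisioningPlan plan = new ProvisioningPlan();
  try {
    Identity identity = context.getObjectByName(Identity.class, identityName);
    if (null != identity) {
      plan.setIdentity(identity);
    } else {
      System.out.println("Identity not found: " + identityName);
    }
    if (null == roles || roles.isEmpty()) {
      // Do not add an attribute request with an empty value list.
      System.out.println("No roles supplied; plan will contain no request");
    } else if ("addRole".equalsIgnoreCase(operation)) {
      plan.add(ProvisioningPlan.APP_IIQ, identityName, "assignedRoles", ProvisioningPlan.Operation.Add, roles);
    } else if ("removeRole".equalsIgnoreCase(operation)) {
      plan.add(ProvisioningPlan.APP_IIQ, identityName, "assignedRoles", ProvisioningPlan.Operation.Remove, roles);
    } else {
      // Previously an unknown operation silently produced an empty plan; make that visible.
      System.out.println("Unsupported operation: " + operation + "; plan will contain no request");
    }
    // Tag the plan as an LCM-sourced (lifecycle-driven) change.
    plan.setSource("LCM");
  } catch (GeneralException e) {
    // Log the exception itself (type + message) rather than only its message.
    System.out.println("Exception occurred while creating plan " + e);
  }
  System.out.println("Exiting method prepareRolePlan");
  return plan;
}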
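/**
 * Looks up the identity, builds a role plan via prepareRolePlan and provisions it through the
 * Provisioner API (compile, then execute).
 *
 * NOTE: compile()/execute() apply the change directly; no approval workflow is launched in this
 * method, so it must only be reachable by callers already authorized to change the identity's roles.
 *
 * @param identityName name of the Identity whose assigned roles change
 * @param operation    "addRole" or "removeRole" (case-insensitive); anything else is rejected before provisioning
 * @param roles        role names to add or remove; nothing is provisioned when null or empty
 */
public void processPlan(String identityName, String operation, List roles) {
  System.out.println("Entering method processPlan");
  try {
    if (null == roles || roles.isEmpty()) {
      System.out.println(" No roles supplied; nothing to provision ");
    } else if (!"addRole".equalsIgnoreCase(operation) && !"removeRole".equalsIgnoreCase(operation)) {
      // Reject unknown operations here so an empty plan is never compiled and executed.
      System.out.println(" Unsupported operation: " + operation);
    } else {
      Identity iden = context.getObjectByName(Identity.class, identityName);
      if (null != iden) {
        Provisioner provisioner = new Provisioner(context);
        ProvisioningPlan plan = prepareRolePlan(identityName, roles, operation);
        // Compile first so the plan is validated and expanded into a project before anything runs.
        ProvisioningProject proj = provisioner.compile(plan);
        provisioner.execute(proj);
      } else {
        System.out.println(" Identity is Missing " + identityName);
      }
    }
  } catch (Exception exp) {
    // Log the exception itself (type + message) rather than only its message.
    System.out.println(" Error occurred while processing plan " + exp);
  }
  // The original exit message said "Entering"; corrected so entry/exit can be told apart in the log.
  System.out.println("Exiting method processPlan");
}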
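// Sample execution: remove the SuperUser-Access role from identity ms2612.
// Both values are hard-coded for this sample; drive them from the rule's inputs rather than editing
// the rule when using it outside a test, so the identity and role being changed are explicit to the caller.
List roles = new ArrayList();
roles.add("SuperUser-Access");
// processPlan returns void, so its result is not something to return from the rule.
processPlan("ms2612", "removeRole", roles);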
]]>
</Source>
</Rule>