BundleDifference methods not providing right results

Aby_Kurian · August 31, 2023, 9:19am

I am trying to check if two role objects are having same set of entitlements. I used BundleDifference class but the results are not accurate. Even if all entitlements are exactly same, the result is showing it has difference by returning true while using hasDifferences method. Below is the code that i tried.

Code

   RoleLifecycler rl = new RoleLifecycler(context);
  Bundle bns = context.getObjectByName(Bundle.class, "MyRole001");
  Bundle role= context.getObjectByName(Bundle.class, "MyRole002");
  BundleDifference bdiff = rl.diff(bns, role);
  return bdiff.getProfileDifferences();

Result

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE List PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<List>
  <ProfileDifference application="AD Access">
    <AttributeDifferences>
      <Difference attribute="Application" displayName="Application" oldValue="AD Access"/>
    </AttributeDifferences>
    <FilterDifference>
      <Difference oldValue="groups containsAll {&quot;SuperAdmin&quot;}"/>
    </FilterDifference>
  </ProfileDifference>
  <ProfileDifference application="SystemAccess">
    <AttributeDifferences>
      <Difference attribute="Application" displayName="Application" oldValue="SystemAccess"/>
    </AttributeDifferences>
    <FilterDifference>
      <Difference oldValue="groups containsAll {&quot;Director&quot;}"/>
    </FilterDifference>
  </ProfileDifference>
  <ProfileDifference application="AD Access">
    <AttributeDifferences>
      <Difference attribute="Application" displayName="Application" newValue="AD Access"/>
    </AttributeDifferences>
    <FilterDifference>
      <Difference newValue="groups containsAll {&quot;SuperAdmin&quot;}"/>
    </FilterDifference>
  </ProfileDifference>
  <ProfileDifference application="SystemAccess">
    <AttributeDifferences>
      <Difference attribute="Application" displayName="Application" newValue="SystemAccess"/>
    </AttributeDifferences>
    <FilterDifference>
      <Difference newValue="groups containsAll {&quot;Director&quot;}"/>
    </FilterDifference>
  </ProfileDifference>
</List>

ismaelmoreno1 · September 17, 2023, 7:08pm

hi @Aby_Kurian

Is it possible export xml object of both bundle objects?

It seems that profiles are different. One profile is associated to AD Access application and the other to SystemAccess application

Remold · October 11, 2023, 7:21pm

By looking in the code of the RoleLifecycler (IIQ v8.3) :

The profiles are compared based on the IDs of the profiles in the bundles and if the same it starts looking at the entitlements.

I tested the code you provided with 2 roles, where the second role was cloned from the first one. This created a new Profile in the Bundle with a different IID (the entitlements have been created the same).

The ID are highlighted in yellow.

Can you validate if the IDs of the profiles of MyRole001 and MyRole002 are the same?

– Remold

system · December 10, 2023, 7:22pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Duplicate entitlements are being listed in the bundle section of debug IIQ Discussion and Questions identityiq	3	94	November 21, 2024
How can I find entitlement is present in any role or not IIQ Discussion and Questions rules , identityiq , reports	6	155	December 14, 2024
How should i get the entitlements from Roles? IIQ Discussion and Questions identityiq , roles , entitlements	19	1136	December 1, 2023
Creating a Role/Bundle Filter IIQ Discussion and Questions rules , identityiq , roles , access-requests	3	277	September 7, 2024
Exclude disable roles IIQ Discussion and Questions rules , identityiq	3	60	December 1, 2024

BundleDifference methods not providing right results

Related topics